
THE UK AND THE EUROPEAN ECONOMIC AREA – THE APPLICATION OF STRONG CUSTOMER AUTHENTICATION (SCA) UN

November 2019 - Crime. Legal Developments by Rahman Ravelli Solicitors.


Neil Williams of Rahman Ravelli explains the reasons behind the UK’s delayed implementation of SCA and the effect it has on transactions that go beyond its borders.

When the original Payment Services Directive (PSD) was adopted by the European Union (EU) in 2007, it established an EU single market for payments to encourage the creation of safer, more innovative payment services. It was also intended to make payments across borders within the EU as straightforward and safe as those made within a member state.

The revised Directive (PSD2) has taken the original Directive’s purpose further by increasing customer rights, enabling third-party access to account information and (which is what this article is concerned with) enhancing security through strong customer authentication (SCA) criteria. Yet the timing of the implementation of SCA has been subject to revision, and that revision could have implications for a post-Brexit UK.

In June this year, the European Banking Authority (EBA) published an opinion on the elements of SCA under PSD2, which were due to come into force on 14 September 2019. Prompted by this opinion, the UK’s Financial Conduct Authority (FCA) announced a phased roll-out plan to move the UK to full compliance by 14 March 2021. This delayed compliance with SCA is set to have a profound effect on the UK’s payments industry.

Defining SCA

SCA is defined in the Directive as an "authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data." The Directive also provides that SCA is to be applied to all electronic payments, with exemptions only being available for transactions that are:

·        Face-to-face contactless payments, involving single transactions under €50, with a limit of five transactions and a total value of €150.

·        Online payments, involving single transactions under €30, with a limit of five transactions and a total value of €100.

·        Classed as “low risk”, which requires certain conditions to be met.

·        Corporate payments, including ‘secure virtual payments’ made using virtual cards or B2B cards. Such a transaction must be initiated by a legal person, such as a business, rather than a consumer.

·        White listed. Consumers can whitelist merchants so that all future transactions with that merchant do not require additional security checks.

·        Recurring payments made to the same merchant for the same amount.
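As an added illustration (not code from the article, the FCA or the EBA), the following Python models the two parts of the definition above that an issuer has to operationalise: the "two or more elements from different categories" test, and the contactless and online low-value exemptions with their per-transaction, count and cumulative-value limits. It assumes that the running counters restart each time SCA is actually applied, and reads "under €50" and "under €30" as strict limits, as the article words them.

```python
from dataclasses import dataclass

# Exemption thresholds as stated in the article, per channel:
# (single-transaction cap in EUR, max number of transactions, cumulative cap in EUR)
LIMITS = {
    "contactless": (50.0, 5, 150.0),
    "online": (30.0, 5, 100.0),
}

# The three categories of authentication element named in the PSD2 definition.
FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


def is_strong_authentication(factors):
    """SCA needs two or more elements from *different* categories: two passwords
    (knowledge + knowledge) do not qualify, a password plus a registered device does."""
    categories = {f for f in factors if f in FACTOR_CATEGORIES}
    return len(categories) >= 2


@dataclass
class CardState:
    """Running counters for one payment instrument (constructed model).
    Assumption: both counters restart from zero each time SCA is applied."""
    count: int = 0      # exempted transactions since the last SCA
    total: float = 0.0  # their cumulative value in EUR


def low_value_exempt(channel, amount, state):
    """Apply the article's low-value rule: single amount under the cap, and neither
    the transaction-count limit nor the cumulative-value limit would be exceeded."""
    cap, max_count, max_total = LIMITS[channel]
    if amount >= cap:
        return False
    if state.count + 1 > max_count:
        return False
    if state.total + amount > max_total:
        return False
    return True


def authorise(channel, amount, state, factors=()):
    """Decide how a transaction is handled and update the card's counters.
    Returns 'exempt', 'sca_ok' (valid SCA presented, counters reset) or 'sca_required'."""
    if low_value_exempt(channel, amount, state):
        state.count += 1
        state.total += amount
        return "exempt"
    if is_strong_authentication(factors):
        state.count, state.total = 0, 0.0
        return "sca_ok"
    return "sca_required"
```

The sixth contactless tap in a row, or the first that would push the cumulative value past €150, comes back as sca_required even though each amount alone is under the €50 cap.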

The EBA’s Opinion

While most of the requirements of PSD2 became applicable on 13 January 2018, the SCA requirements (along with the measures relating to third-party access) were to come into force eight months later.

On 21 June 2019, the EBA published an opinion on the issue in accordance with Article 29(1)(a) of its Founding Regulation, which expressed concern over the preparedness of some links in the transaction chains. The EBA published its opinion as a result of queries from those in the industry regarding which authentication approaches the EBA considers to be compliant with SCA.

Importantly, the opinion made it clear that the EBA was legally not able to postpone an application date that is set out in EU law. It also stated that sufficient time had been given for the industry to prepare for the SCA application date, because the definition of SCA was set out in PSD2 when it was published in 2015, which gave clear indications that existing authentication approaches would need to be phased out, and because PSD2 had already granted an additional period for the industry to implement SCA.

Yet the EBA’s opinion acknowledged that the complexity of payments markets across the EU and the challenges arising from the required changes may lead to some of those in the payments chain not being ready by 14 September 2019. As a result, the EBA stated that national competent authorities (NCAs) may work with payment service providers (PSPs) and stakeholders to provide a limited period of additional time to ensure that issuers of payment instruments have in place or migrate to authentication approaches that are compliant with SCA and/or that acquirers of payment transactions offer solutions to their merchants that can support SCA.

However, additional time may only be granted if the relevant PSPs:

·        have set up an appropriate migration plan which has been approved by their NCA and which is to be implemented in an expedited manner; and

·        have adequate customer communication plans in place. NCAs will then have to monitor the effective implementation of the migration plan in due course.

The FCA’s Response

In August, the FCA announced that it had agreed an 18-month plan to implement SCA with the e-commerce industry of card issuers, payment firms and online retailers. It acknowledged that the plan reflected the EBA’s opinion that more time was needed to implement SCA given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers.

The FCA stated that it had been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments was not attempting to commit fraud. It intended to do this, it said, by implementing SCA measures via “a phased plan for their timely introduction”.

The FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA that were to have been enforced from 14 September 2019, provided that there is evidence that the firms have taken the necessary steps to comply with the plan. The FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA by the end of the 18-month period.

The FCA will also continue to monitor the extent to which banks and payment service providers are meeting its expectation that they consider the impact of SCA on different groups of consumers and provide alternative means of authentication where needed.

The Effect of the FCA Decision

What has to be remembered is that the delayed implementation that the FCA has sanctioned only applies to payments within the UK itself. If, therefore, a UK business collects a payment in the European Economic Area (EEA), SCA will still apply.

In the wake of the EBA Opinion, there does not appear to be a unified approach within the EEA. In the absence of any clear indicators otherwise from other national regulators, or from the European banking industry, SCA will still apply to a significant number of transactions conducted beyond UK borders.

The EBA itself has highlighted the risks posed by a lack of preparation by financial institutions for the departure of the UK from the EU. It has already asked NCAs to ensure that financial institutions take practical steps now to prepare for the possibility of a withdrawal of the UK from the EU with no ratified withdrawal agreement in place and no transition period.

The EBA has emphasised the importance of financial institutions in both the UK and other EU states identifying all possible risks and implications of the potential departure of the UK without a ratified withdrawal agreement in place.

Andrea Enria, Chairperson of the EBA, has said: "Firms cannot take for granted that they continue to operate as at present nor can they rely on as yet unrealised political agreements or public policy interventions. Risks, capacity and legal implications must be examined and addressed."

Based on the EBA's assessment, financial institutions should take adequate steps to mitigate the impact without relying on possible public sector solutions that may not be proposed and/or agreed in time. Financial institutions should ensure they have the correct regulatory permissions, and associated management capacity, in place ahead of time. They should identify and mitigate risks around access to financial market infrastructures and funding markets. Financial institutions should also assess and take necessary actions to address any impacts on rights and obligations of their existing contracts, in particular derivative contracts.

If financial institutions have any concerns in relation to the EBA’s statements, the EBA encourages them to contact their NCA for further guidance. The EBA will continue to monitor the level of readiness of EU financial institutions.