Latest SCA Updates

Update for UK merchants

The UK financial regulator, the Financial Conduct Authority (FCA), has announced an additional six-month extension to the deadline for Strong Customer Authentication (SCA). While ramp up will continue from 1 June 2021, full compliance for UK transactions is not expected until 14 March 2022.

The risk of hard declines persists from 1 June, so it is important to ensure that you are 3DS enabled and to be coded for exemptions.

You can read the full revised plan from UK Finance here

UK Finance announcement

UK Finance has issued an update due to concerns on the lack of clarity for GDPR and behavioural biometrics. The Financial Conduct Authority (FCA) is allowing issuers to utilise 3DS profiling data, along with One Time Password SMS, as two independent authentication factors until 14 September 2021.

See more here

Country by Country update

Following the January 2021 deadline, countries and regulators have been ramping up. Below is the latest update, as of February 2021…

Country	January 2021	February 2021	March 2021	April 2021
Austria	The NCA also informed about some flexibility in practice. The FMA will check banks’ compliance as from 15 January 2021 for payments above 250 euros, as from 15 February 2021 above 150 euros and as from 15 March 2021 or all payments.	The NCA also informed about some flexibility in practice. The FMA will check banks’ compliance as from 15 January 2021 for payments above 250 euros, as from 15 February 2021 above 150 euros and as from 15 March 2021 or all payments.	The NCA also informed about some flexibility in practice. The FMA will check banks’ compliance as from 15 January 2021 for payments above 250 euros, as from 15 February 2021 above 150 euros and as from 15 March 2021 or all payments.	Full Compliance
Belgium	Ramp Up: As from Tuesday 19 January 2021 All transactions above 1.500€	Ramp Up: As from Tuesday 23 February 2021: All transactions above 500€	Ramp Up: As from Tuesday 23 March 2021: All transactions above 250€	Ramp Up: As from Monday 19 April 2021: All transactions above 100
Bulgaria	Full Compliance
Croatia	Full Compliance
Cyprus	Full Compliance
Czech Republic	Full Compliance
Denmark	Full Compliance from January 11th
Estonia	Full Compliance
Finland	Full Compliance
France	January 2021 - Soft decline of transactions > EUR 1,000.	Mid-February 2021 - Soft decline of transactions > EUR 500.	Mid-February 2021 - Soft decline of transactions > EUR 500.	April 2021 - Progressive soft decline of transactions < EUR 500
Germany	BaFin has confirmed the 31 December 2020 deadline for SCA implementation. BaFin will check banks’ compliance beginning 15 January 2021 for payments above 250 euros, above 150 euros beginning 15 February and for all payments beginning 15 March.	BaFin has confirmed the 31 December 2020 deadline for SCA implementation. BaFin will check banks’ compliance beginning 15 January 2021 for payments above 250 euros, above 150 euros beginning 15 February and for all payments beginning 15 March.	BaFin has confirmed the 31 December 2020 deadline for SCA implementation. BaFin will check banks’ compliance beginning 15 January 2021 for payments above 250 euros, above 150 euros beginning 15 February and for all payments beginning 15 March.	Full Compliance
Greece	Full Compliance
Hungary	Full Compliance
Iceland	Full Compliance
Ireland	20th Jan - transactions over 500eur - https://bpfi.ie/wp-content/uploads/2020/12/SCA-Ramp-Up-Approach-Final-8th-Dec-Clean-.pdf	20th Jan - transactions over 500eur - https://bpfi.ie/wp-content/uploads/2020/12/SCA-Ramp-Up-Approach-Final-8th-Dec-Clean-.pdf	1st March - transactions over 250eur - https://bpfi.ie/wp-content/uploads/2020/12/SCA-Ramp-Up-Approach-Final-8th-Dec-Clean-.pdf	Full Compliance
Italy	Ramp Up: January 1, 2021: SCA to be enforced only for transactions > EUR 1,000	Ramp Up: February 1, 2021: SCA to be enforced only for transactions > EUR 500	Ramp Up: March 1, 2021: SCA to be enforced only for transactions > EUR 100	Full Compliance
Latvia	Full Compliance
Liechtenstein	Full Compliance
Lithuania	In January a payment service provider may omit SCA for online card payments under €500	In January a payment service provider may omit SCA for online card payments under €250	In January a payment service provider may omit SCA for online card payments under €100	Full Compliance
Luxembourg	Full Compliance
Malta	Full Compliance
Netherlands	The Dutch industry agreed on the following revised ramp-up plan with soft decline until March 16, 2021: January 5, 2021 – Soft decline of transactions > EUR 250. January 12, 2021 – Soft decline of transactions > EUR 150. February 16, 2021 – Soft decline of transactions > EUR 75. March 2, 2021 – Soft decline of transactions > EUR 30. March 16, 2021 – Soft decline of all transactions.	The Dutch industry agreed on the following revised ramp-up plan with soft decline until March 16, 2021: January 5, 2021 – Soft decline of transactions > EUR 250. January 12, 2021 – Soft decline of transactions > EUR 150. February 16, 2021 – Soft decline of transactions > EUR 75. March 2, 2021 – Soft decline of transactions > EUR 30. March 16, 2021 – Soft decline of all transactions.	The Dutch industry agreed on the following revised ramp-up plan with soft decline until March 16, 2021: January 5, 2021 – Soft decline of transactions > EUR 250. January 12, 2021 – Soft decline of transactions > EUR 150. February 16, 2021 – Soft decline of transactions > EUR 75. March 2, 2021 – Soft decline of transactions > EUR 30. March 16, 2021 – Soft decline of all transactions.	Full Compliance
Norway	Full Compliance
Poland	Full Compliance
Portugal	Full Compliance
Romania	Full Compliance
Slovakia	Full Compliance
Slovenia	Full Compliance
Spain	Enforcement of SCA for all transactions with card as long as authentication is present (on any version of 3DS). In the case of none of the 3DS versions presented at transaction, transactions from 30EUR and under 250EUR will be authorised (or not) only based on issuer decision. If the transaction is authorized it will be presumed that risk analysis exemption was applied (that will influence reporting and any future liability of the transaction). This will end on 31st January 2021.	For transactions below 30EUR conditions will be same as above and this agreement will not be extended further of Feb 2021
Sweden	Full Compliance from January 14th
UK	N/A	N/A	N/A	N/A

Countdown to SCA – weekly trends and intelligence

The rate of fully authenticated transactions we are seeing remains low and, based on our intelligence, we anticipate a gradual increase over Q1 2021.
In line with expectations, there is an increase in soft declines and challenges for Denmark and Austria since 10 January, but overall challenge levels remain low across all countries.
Increased declines based on Country thresholds are expected to align to SCA ramp-up dates:
- 11 January – Denmark
- 14January – Sweden
- 15 January – Germany and Austria
- 20 January – Ireland
Countries reporting a week-on-week increase in SCA authorisation soft declines (up to 12 January) are:
- Bulgaria, Finland, Romania, Germany, Italy, Spain, Sweden, Hungary, Denmark & Austria – overall the numbers remain low
Data Analysis is also showing a minor increase in soft declines requiring SCA across smaller ecommerce countries (Finland, Norway, Belgium, Poland, Lithuania and Estonia)

Our recommendation remains to implement and test 3DS on your site as soon as possible to ensure you are SCA ready when countries start to ramp up their challenges.

Countdown to SCA – weekly trends and intelligence

The rate of fully authenticated transactions we are seeing remains low, and based on our intelligence we do not envisage a material increase in fully authenticated transactions before 1 January 2021, with a gradual increase anticipated over Q1 2021.
To date, some of the largest ecommerce markets such as the UK, France, Germany, Italy, Belgium and Ireland have announced collective migration plans stretching into Q1/Q2 2021. Limited SCA authorisation soft decline testing by issuers can be expected in these regions.
Spain remains one of the largest ecommerce markets yet to announce a collective migration plan or readiness update. Banco de España noted at an industry meeting that only 47% of cards were enrolled for 3DS in July 2020.
Countries reporting a week-on-week increase in SCA authorisation soft declines for the week ending 12 December are:
- Bulgaria, Finland, Romania and Sweden – overall the numbers remain low
Our recommendation remains to implement and test 3DS on your site as soon as possible to ensure you are SCA-ready when countries start to ramp up their challenges.

Countdown to SCA – weekly trends and intelligence

As of 9 December, there has been a slight increase in SCA authorisation soft declines. Country summaries to note:
- Bulgaria, Belgium, France, Germany and Sweden - numbers still very small and limited to a few issuers
- Italy, Romania and Czech Republic - intermittent, most likely due to testing by Issuers
Week-on-week market trends are showing a slight increase in successful 3DS transactions driven by higher levels of fully authenticated ECI 5 transactions, as well as higher volumes of merchants presenting successful 3DS transactions

Ireland Update

The final version of the Irish ramp up plan has been published: www.mypsd2.ie

Countdown to SCA – weekly trends and intelligence

As of 28 November, no material increase in SCA authorisation soft declines
Week-on-week market trends are showing an increase in successful 3DS transactions, driven by higher levels of fully authenticated ECI 5 transactions, as well as higher volumes of merchants presenting successful 3DS transactions
Countries reporting a week on week increase in SCA authorisation soft declines for the week ending 28 November are:
- Belgium, France, Poland and Romania - numbers still very small and limited to a few issuers
- Germany, Austria and Czech Republic - intermittent, most likely due to testing by Issuers

Final UK SCA migration plans announced

UK Finance has published the full and final SCA implementation roadmap for SCA, highlighting UK-only activities and merchant readiness.

The full plan can be accessed here.

Mastercard notes EBA reiterate stance on transition period

Mastercard has advised that at the European Payment Institutions Federation (EPIF) annual conference on 19 November, the EBA publicly reiterated that it will not extend the SCA transition period beyond December 31, 2020 (for EEA regions) - nor would the EBA provide further flexibility for the T&E sector.

Mastercard has noted that as the EBA’s position has been clear for some time, this is not unexpected.

Please find below further details provided by Mastercard regarding the statements made by the EBA at the EPIF conference:

No extension of December 31, 2020 deadline. Although the EBA is aware of the industries lack of readiness, their view is that the industry has had sufficient time to prepare. The SCA requirements have been known to the market since 2015 when PSD2 was published. The industry has already been granted a 15-month extension.
National Competent Authorities (NCAs or regulators) providing further flexibility are violating PSD2. Any additional flexibility granted at national level after December 31, 2020 is contrary to the PSD2. PSPs not complying with the PSD2 SCA requirements will be in violation of the law. The EBA will closely monitor enforcement of the SCA provisions by the NCA during 2021.
‘Soft-decline is a smart idea but too late’. The EBA recognizes that soft-decline is a smart idea, but it should have started several months ago.
T&E sector should also comply by 31 December, 2020. The EBA was already made aware 18 months ago of the technical complexities to implement SCA requirements for the T&E sector. Nonetheless, since Covid-19 significantly reduced travel operations, this could have been a good time to adapt the T&E infrastructure to the new SCA requirements.
If cards do not work, other payment instruments should be used. If merchants see that card payments do not work/operate outside of the law, they can/should switch to competing payments that are SCA compliant (e.g., PISP payments via ACH, SDD). PISPs have complained to the EBA that no favourable treatment in the form of flexibility should be granted to cards payments.

Countdown to SCA – weekly trends and intelligence

To date up to 21 November 2020 no material increase in SCA declines
Week on week market trends are showing an increase in successful 3DS transactions driven by increased volumes of merchants presenting successful 3DS transactions, as well as an increase in fully authenticated ECI 5 transactions
Countries reporting a week on week increase in SCA soft declines for the week ending 21st Nov are:
- Belgium, France and Romania: numbers still very small and limited to a few issuers
- Germany and Denmark: intermittent SCA declines, most likely due to testing

Country by Country update

As the SCA deadline nears, financial regulators in each EEA country are solidifying plans for their rollout. Below are the latest updates as of November 2020:

European Economic Area (EEA) Country	Update
Austria	No update since September
Belgium	The National Bank of Belgium (NBB) expects the industry to be fully compliant with SCA by the EBA deadline of 31 December, 2020. Belgium adopted a collective migration plan providing the following milestones: EMV 3DS infrastructure must be ready by 15 October, 2020. Priority is given to exemptions in authorisation. Exemptions through EMV 3DS only as of Q4 2020. Merchant enrollment in EMV 3DS by December 2020 (75% e-commerce transactions SCA-compliant by 15 October, 2020) Cardholder enrollment in a SCA-compliant solution by December 2020. Issuers will soft decline non-3DS transactions according to the following timeline: As of August 25, 2020, transactions > EUR 1,500. Issuers have started soft declining these high value transactions. Impact is expected to be limited due to the high value threshold. As of September 22, 2020, transactions > EUR 250. As of October 19, 2020, transactions > EUR 30. As of November 17, 2020, all transactions. T&E transactions and EEA-UK transactions are excluded from soft decline. The NBB stated that they did not mandate soft decline. It is up to the industry to apply soft decline based on the Belgian migration plan.
Bulgaria	The Bulgarian National Bank (BNB) will officially maintain the 31 December 31, 2020 deadline. They expect that there will be more intensive preparation in Q3 2020 and closer to the deadline.¹
Croatia	No update from Croatia as yet
Cyprus	No update from Cyprus as yet
Czech Republic	The Czech National Bank (CNB) position is the following: They are closely monitoring SCA transition (last report is from January 2020). Absent any new indication from the EBA, the CNB plans to stick to the 31 December, 2020 deadline.²
Denmark	The Finanstilsynet (Danish Financial Supervisory Authority, FSA) announced that they will ensure flexibility for SCA until 11 January, 2021 to avoid disruptions during holiday season.
Estonia	No update from Estonia as yet
Finland	No update from Finland as yet
France	On July 1, 2020, Banque de France issued a press release: Acknowledging that merchants faced disruptions in the implementation of SCA due to Covid-19. Inviting the payment industry to actively resume cardholder and merchant enrolment and to continue upgrading the technical infrastructure. Providing further flexibility in the implementation of the SCA migration plan, which will be accompanied by reinforced monitoring. On September 22, 2020, Banque de France published its 2019 Annual Report with a ramp-up plan and updates on SCA readiness. Recognising the efforts of all stakeholders to migrate to solutions compliant with PSD2 RTS and the Covid-19 impact, Banque de France has announced a progressive enforcement of SCA until the end of June 2021. Flexibility will be offered in terms of: Cardholder enrollment on 2FA solutions, and Share of in scope ecommerce volumes that are either authenticated or exempted. In parallel, to accelerate the market readiness, Banque de France has also announced a progressive ramp up with soft decline with immediate effect. 1. Cardholder enrollment on 2FA solutions December 2020: > 70% of cardholders must be enrolled on 2FA solutions. March 2021: > 85% of cardholders must be enrolled on 2FA solutions. 2. Share of in scope ecommerce volumes authenticated or exempted December 2020: > 70% of volumes are either authenticated on 3DS1 / EMV 3DS or exempted. March 2021: > 90% of volumes are either authenticated on 3DS1 / EMV 3DS or exempted. 3. Progressive ramp-up with soft declines Approach A: Issuers must soft decline transactions that are not compliant (i.e., not authenticated and not flagged as exempted or excluded) according to the following timeline: October 2020 - Soft decline of transactions > EUR 2,000. January 2021 - Soft decline of transactions > EUR 1,000. Mid-February 2021 - Soft decline of transactions > EUR 500. April 2021 - Progressive soft decline of transactions < EUR 500. Approach B: Banque de France will require issuers to intensify soft declines if the quantitative targets for SCA migration are not met. Issuers are asked to not apply soft declines for the T&E sector, at least until March 31, 2021, except if the soft decline substitutes a hard decline. 4. Banque de France recognizes that, despite Covid-19 slowed-down migration, the industry is making significant progress Covid-19 slowed down: Cardholder enrollment in SCA-compliant solutions. Merchant enrollment in EMV 3DS (especially for small merchants). EMV 3DS flows have grown at a reduced pace (albeit increasing 10X between January-May 2020). As of June 2020, 3DS flows (including both 3DS1 and EMV 3DS) were at 62%, i.e. above the target of 40% set by Banque de France. This is because e-merchants still widely use 3DS1 (which does not support exemptions and therefore provides a poor UX). The industry has already completed the following migration targets: Deployment of EMV 3DS infrastructure (excluding the management of exemptions) - Completed at the end of 2019. Communication campaigns to cardholders and merchants on the new SCA requirements - Completed in July 2020. BIN enrolment in the new authorization servers - Completed in April 2020. Introduction of the soft decline mechanism on April 1, 2020, with almost all issuers now supporting soft decline. Only a few merchants, however, support soft decline. Merchants’ response rate to issuers’ soft declines is almost zero. Issuers’ support of TRA exemption - Completed in May 2020. Banque de France will monitor: The upgrade by both issuers and acquirers of the authentication infrastructure to EMV 3DS. The deployment of resilience and continuity mechanisms in the case of incidents affecting the 3DS infrastructure. Fraud for contactless transactions.
Germany	According to Mastercard, Germany’s Federal Financial Supervisory Authority (BaFin) will maintain the EBA deadline of 31 December 2020. BaFin however considered the following progressive (2.5-month) ramp-up with soft decline: As of January 15, 2021 – Soft decline of transactions > EUR 250. As of February 15, 2021 – soft declines of transactions > EUR 100 As of March 15, 2021 – soft decline of all transactions
Greece	Bank of Greece sent an email to Greek banks³ stating that they will not provide an extension to the EBA deadline of 31 December, 2020.
Hungary	Magyar Nemzeti Bank (MNB) favours⁴ a harmonized European approach and will probably stick to the current deadline of December 31, 2020.
Iceland	No update from Iceland as yet
Ireland	No update since September
Italy	Bank of Italy asked the industry to accelerate SCA migration. During its meeting with industry on 9 November, 2020, Bank of Italy agreed⁵ to an industry ramp-up plan in accordance with the following milestones: January 1, 2021: SCA to be enforced only for transactions > EUR 1,000 February 1, 2021: SCA to be enforced only for transactions > EUR 500 March 1, 2021: SCA to be enforced only for transactions > EUR 100 April 1, 2021: SCA to be enforced for all transactions The ramp-up would apply only to domestic transactions. Bank of Italy is considering excluding the Travel and Hospitality sector from the ramp-up. Bank of Italy will shortly issue a statement to provide legal certainty to the market. This will help to avoid that issuers decline transactions below the thresholds.
Latvia	No update from Latvia as yet
Lithuania	No update from Lithuania as yet
Luxemboug	Banque Centrale du Luxembourg and Commission de Surveillance du Secteur Financier (CSSF) is assessing the situation and closely looks at what is happening in other countries.
Malta	No update from Malta as yet
Netherlands	The Netherlands adopted a collective migration plan providing the following milestones: EMV 3DS infrastructure must be ready by May 1, 2020. Exemptions in authentication should supported by September 1, 2020. TRA by acquirer supported by October 2020. TRA by issuer supported by December 2020. Merchant enrollment in EMV 3DS by December 2020 (critical mass of merchants enrolled by September 2020). Cardholder enrollment in a SCA-compliant solution by August 2020. On 15 September, 2020, the Dutch Payments Association (BVN) published a press release stating that: A further extension of SCA transition is not envisaged. Ramp-up through progressive soft declines of transactions (initially planned for September 2020) is postponed to October 2020. NL has done a first limited try-out of ramp-up. Results are being analyzed. See more information from the Dutch Payments Association here
Norway	No update from Norway as yet
Poland	According to the Polish Banks Association (PBA)⁶, banks would be ready by the end of the year.
Portugal	Banco de Portugal currently requires compliance with SCA by the EBA deadline of 31 December, 2020. However, they are monitoring the system closely and do not rule out a reassessment of the decision if necessary⁷. September is a key month as the status of the national migration plan will be assessed.
Romania	Banca Natională a României (BNR) based on their monitoring and migration plans, does not see a further delay as beneficial for Romanian industry⁸.
Slovakia	No update from Slovakia as yet
Slovenia	Central Bank of Slovenia favors a harmonized European approach. They will therefore reach out to the EBA and the NCAs to try and achieve alignment. They welcome any data and insights from industry. The Slovenian Banking Association sent a letter to the Central Bank, lobbying for additional 3 months of ramp-up.
Spain	Banco de España expects all actors to accelerate SCA migration in September-October, so they are relatively optimistic about meeting the deadline for the implementation of SCA. During the meeting between Banco the España and the industry of 9 October, 2020: Merchant associations have asked openly for more time to be ready. Mastercard and Visa have requested a soft-enforcement approach as other national authorities have done in Europe. Bank of Spain stated they provide KPIs in terms of enrollment and transactions for all the players. Based on the review of the KPIs, Bank of Spain will take other actions if needed. During its meeting with industry at the beginning of July, Banco de España: Reiterated that they are not thinking in any further extension to SCA transition. Spanish banks confirmed that they will stick to the EBA deadline of 31 December, 2020. The main merchant associations, however, asked for more flexibility as most merchants are not ready to support 3DS because of the Covid-19 crisis. Acknowledged, however, that there may be delays on the acquirer side because of Covid-19 and delays in merchant enrollment. Noted that the application of SCA and SCA exemptions is almost inexistent (data of 13 June, 2020). Noted that currently only 47% of cards allow SCA. Lamented the inconsistent and poor quality of the data received from the market. Asked for testing to start as soon as possible.
Sweden	No update from Sweden as yet.

Though now outside of EEA, the UK intends to follow SCA regulation:

United Kingdom

The UK FCA extended the SCA transition period for e-commerce by a further 6 months (i.e., until September 14, 2021) due to Covid-19.

UK Finance has made the necessary adjustments to its SCA migration plan. UK Finance migration plan now provides the following milestones:

3DS 2.1 infrastructure ready in Q3 2020. 3DS 2.2 ready in Q4 2020.
Market readiness by May 2021. This includes merchant enrollment, cardholder enrollment and support of SCA exemptions.
Ramp-up of SCA with soft declines as of June 1, 2021. Issuers will decide monthly on soft decline methods based on one or a combination of the following factors:
- Transaction amount.
- Transaction frequency (e.g. 1 out of 20 transactions are challenged).
- BIN range selected.

UKF will be conducting a detailed issuer readiness survey. See more on the FCA website

1. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 11 November 2020

2. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 11 November 2020

3. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 11 November 2020

4. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 11 November 2020

5. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 11 November 2020

6. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 11 November 2020

7. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 11 November 2020

8. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 11 November 2020

Countdown to SCA – weekly trends and analysis

To date in November, we are not seeing any material increase in SCA declines
Countries where we are seeing a slight week on week increase in SCA declines are:
- Netherlands: limited to one issuer and confirmed as participating in coordinated testing
- Belgium, Romania and Poland: numbers still very small and limited to a few issuers
We will continue to monitor issuer SCA declines as the various country by country collective migration plans come into effect.

Update from Denmark

The Danish FSA has released an update stating their new SCA readiness date, which is now 11 January 2021

https://www.finanstilsynet.dk/Nyheder-og-Presse/Pressemeddelelser/2020/Sikkerhed_netbutikker_211020

See below translation:

Commission Delegated Regulation (EU) 2018/389 by 27. The commission's proposal for a directive on the use of the euro is to be applied in accordance with the principle of non-compliance with the directive on the use of the euro and its own.

The plans mean that during October 2020 2020 should start using the new IT solutions to be sure to avoid rejected card payments. The rules take effect 1. January 2021, but already the online stores should get ready for the new rules.

European regulators have set a common implementation period with one deadline for enforcing the new strong customer authentication rules for e-commerce card payments on 1. January 2021. The goal of the implementation period is to avoid major disruptions in e-commerce. This means that from 1., all card issuers (typically financial institutions) and card acquirers in the EU From 1 January 2021 shall, as a rule, reject card payments in online stores that are not approved with strong customer authentication. The common European deadline means that there will be a level playing field for all card issuers, card acquirers and online shops across the EU.

In order to ensure a stable payment settlement over the year and to avoid operational disruption to Christmas trading, the FSA will exceptionally accept that strong customer authentication is applied in practice to all payments by 11. January 2021. This means that the Danish FSA expects banks and other card issuers to use 11. at the latest From January 1, 2021 begins to reject card payments that are not properly approved with strong customer authentication. However, the FSA stresses that the requirement of strong customer authentication has been in force since 14. September 2019.

In view of the long time that the sector and retailers have had to put in place, the FSA finds it regrettable that a comprehensive solution cannot be fully ready for 1. January 2021, without this could present significant challenges to the deal for the remainder of 2020. The FSA has therefore found reason to stress the requirements for both the sector and the retail sector, and the supervisory authority expects to follow up on supervisory efforts at the beginning of 2021.

Country by Country update

As the SCA deadline nears, financial regulators in each EEA country are solidifying plans for their rollout. Below are the latest updates as of September 2020:

European Economic Area (EEA) Country	Update
Austria	According to Mastercard² Austria is considering the approach by Germany’s Federal Financial Supervisory Authority (BaFin) on a progressive ramp up of SCA
Belgium	The Belgian Banking Association’s SCA ramp up plan was formally released to Belgian PSPs in mid-March 2020. National Bank of Belgium (NBB) expects the industry to be fully compliant with SCA by the EBA deadline of December 31, 2020. Belgium’s plan includes the following milestones: EMV 3DS infrastructure must be ready by October 15, 2020. Priority is given to exemptions in authorization. Exemptions through EMV 3DS only as of Q4 2020. Merchant enrollment in EMV 3DS by December 2020 (75% e-commerce transactions SCA-compliant by October 15, 2020) Cardholder enrollment in a SCA-compliant solution by December 2020. Issuers will soft decline non-3DS transactions according to the following timeline: As of August 25, 2020, transactions > EUR 1,500. Issuers have started soft declining these high value transactions. Impact is expected to be limited due to the high value threshold. As of September 22, 2020, transactions > EUR 250. As of October 19, 2020, transactions > EUR 30. As of November 17, 2020, all transactions. T&E transactions and EEA-UK transactions are excluded from soft decline. The NBB: Stated that they did not mandate soft decline. It is up to the industry to apply soft decline based on the Belgian migration plan. Is open to consider a postponement of ramp-up for lower thresholds early 2021 and align with neighboring countries. Also, worth noting that The Netherlands also plans to align with the Belgian roadmap from September in recognition of the cross-border nature of ecommerce Further update expected in November
Bulgaria	The Bulgarian National Bank (BNB) has a firm position to observe the December 31, 2020 deadline^[1]. They expect that there will be more intensive preparation in Q3 2020 and closer to the deadline.
Croatia	No update from Croatia as yet
Cyprus	No update from Cyprus as yet
Czech Republic	Mastercard^[2] expects that the Czech National Bank will be complaint with the 31 December deadline
Denmark	The Finanstilsynet (Danish Financial Supervisory Authority, FSA) believes that it is important to stick to a common European deadline to ensure a harmonized approach^[3]. As of now, they are therefore continuing with the previously announced deadlines. However, they will revisit their deadlines should an agreement at the European level be reached to postpone SCA enforcement.
Estonia	No update from Estonia as yet
Finland	No update from Finland as yet
France	On July 1, 2020, Banque de France issued a press release: Acknowledging that merchants faced disruptions in the implementation of SCA due to Covid-19. Inviting the payment industry to actively resume cardholder and merchant enrolment and to continue upgrading the technical infrastructure. Providing further flexibility in the implementation of the SCA migration plan, which will be accompanied by reinforced monitoring. On September 22, 2020, Banque de France published its 2019 Annual Report with a ramp-up plan and updates on SCA readiness. Recognizing the efforts of all stakeholders to migrate to solutions compliant with PSD2 RTS and the Covid-19 impact, Banque de France has announced a progressive enforcement of SCA until the end of June 2021. Flexibility will be offered in terms of: Cardholder enrollment on 2FA solutions, and Share of in scope ecommerce volumes that are either authenticated or exempted. In parallel, to accelerate the market readiness, Banque de France has also announced a progressive ramp up with soft decline with immediate effect. 1. Cardholder enrollment on 2FA solutions December 2020: > 70% of cardholders must be enrolled on 2FA solutions. March 2021: > 85% of cardholders must be enrolled on 2FA solutions. 2. Share of in scope ecommerce volumes authenticated or exempted December 2020: > 70% of volumes are either authenticated on 3DS1 / EMV 3DS or exempted. March 2021: > 90% of volumes are either authenticated on 3DS1 / EMV 3DS or exempted. 3. Progressive ramp-up with soft declines ·Approach A: Issuers must soft decline transactions that are not compliant (i.e., not authenticated and not flagged as exempted or excluded) according to the following timeline: October 2020 - Soft decline of transactions > EUR 2,000. January 2021 - Soft decline of transactions > EUR 1,000. Mid-February 2021 - Soft decline of transactions > EUR 500. April 2021 - Progressive soft decline of transactions < EUR 500. Approach B: Banque de France will require issuers to intensify soft declines if the quantitative targets for SCA migration are not met. Issuers are asked to not apply soft declines for the T&E sector, at least until March 31, 2021, except if the soft decline substitutes a hard decline. 4. Banque de France recognizes that, despite Covid-19 slowed-down migration, the industry is making significant progress Covid-19 slowed down: Cardholder enrollment in SCA-compliant solutions. Merchant enrollment in EMV 3DS (especially for small merchants). EMV 3DS flows have grown at a reduced pace (albeit increasing 10X between January-May 2020). As of June 2020, 3DS flows (including both 3DS1 and EMV 3DS) were at 62%, i.e. above the target of 40% set by Banque de France. This is because e-merchants still widely use 3DS1 (which does not support exemptions and therefore provides a poor UX). The industry has already completed the following migration targets: Deployment of EMV 3DS infrastructure (excluding the management of exemptions) - Completed at the end of 2019. Communication campaigns to cardholders and merchants on the new SCA requirements - Completed in July 2020. BIN enrolment in the new authorization servers - Completed in April 2020. Introduction of the soft decline mechanism on April 1, 2020, with almost all issuers now supporting soft decline. Only a few merchants, however, support soft decline. Merchants’ response rate to issuers’ soft declines is almost zero. Issuers’ support of TRA exemption - Completed in May 2020. Banque de France will monitor: The upgrade by both issuers and acquirers of the authentication infrastructure to EMV 3DS. The deployment of resilience and continuity mechanisms in the case of incidents affecting the 3DS infrastructure. Fraud for contactless transactions.
Germany	According to Mastercard, Germany’s Federal Financial Supervisory Authority (BaFin) is considering^[4] a progressive ramp up of up to 2.5 months with soft declines: 15 January 2021 – soft declines of transactions > €250 15 February 2021 – soft declines of transactions > €100 15 March 2021 – soft decline of all transactions
Greece	Bank of Greece is in favor of the extension of SCA transition and expressed its view at EBA level. However, they acknowledged that discussions at EBA level have reached a deadlock.^[5]
Hungary	Magyar Nemzeti Bank (MNB) favours a harmonized European approach and is expected to comply with the current deadline of December 31, 2020^[6].
Iceland	No update from Iceland as yet
Ireland	Central Bank of Ireland will strictly enforce the EBA deadline from 1 January 2021
Italy	Bank of Italy is in favour of a sensible approach to SCA transition and is interested in the solutions other major Member States are adopting (e.g., progressive ramp-up with soft declines).^[7]
Latvia	No update from Latvia as yet
Lithuania	No update from Lithuania as yet
Luxembourg	No update from Luxembourg as yet
Malta	No update from Malta as yet
Netherlands	The Netherlands adopted a collective migration plan providing the following milestones: EMV 3DS infrastructure must be ready by May 1, 2020. Exemptions in authentication should supported by September 1, 2020. TRA by acquirer supported by October 2020. TRA by issuer supported by December 2020. Merchant enrollment in EMV 3DS by December 2020 (critical mass of merchants enrolled by September 2020). Cardholder enrollment in a SCA-compliant solution by August 2020. On September 15, 2020, the Dutch Payments Association (BVN) published a press release stating that: A further extension of SCA transition is not envisaged. Ramp-up through progressive soft declines of transactions (initially planned for September 2020) is postponed to October 2020. See more information from the Dutch Payments Association here
Poland	According to the Polish Banks Association (PBA)^[8], banks would be ready by the end of the year.
Portugal	Banco de Portugal currently requires strict compliance with SCA by the EBA deadline of December 31, 2020. However, they are monitoring the system closely and do not rule out a reassessment of the decision if necessary. September is a key month as the status of the national migration plan will be assessed.
Romania	Banca Natională a României (BNR) based on their monitoring and migration plans, does not see a further delay as beneficial for Romanian industry^[9].
Slovakia	No update from Slovakia as yet
Slovenia	Central Bank of Slovenia favors a harmonized European approach. They will therefore reach out to the EBA and the NCAs to try and achieve alignment. They welcome any data and insights from industry. The Slovenian Banking Association sent a letter to the Central Bank, lobbying for additional 3 months of ramp-up.
Spain	Banco de España expects all actors to accelerate SCA migration in September-October, so they are relatively optimistic about meeting the deadline for the implementation of SCA.[10] During its meeting with industry at the beginning of July, Banco de España: Reiterated that they are not thinking in any further extension to SCA transition. Spanish banks confirmed that they will stick to the EBA deadline of December 31, 2020. The main merchant associations, however, asked for more flexibility as most merchants are not ready to support 3DS because of the Covid-19 crisis. Acknowledged, however, that there may be delays on the acquirer side because of Covid-19 and delays in merchant enrollment. Noted that the application of SCA and SCA exemptions is almost inexistent (data of June 13, 2020). Noted that currently only 47% of cards allow SCA. Lamented the inconsistent and poor quality of the data received from the market. Asked for testing to start as soon as possible
Sweden	No update from Sweden as yet.

1. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 1 October 2020

2. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 1 October 2020

3. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 1 October 2020

4. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 1 October 2020

5. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 1 October 2020

6. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 1 October 2020

7. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 1 October 2020

8. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 1 October 2020

9. Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 1 October 2020

10.Mastercard, Regulatory Outreach Overview of NCA positions on SCA, 1 October 2020

Country by Country update

As the SCA deadline nears, financial regulators in each EEA country are solidifying plans for their rollout. Below are the latest updates as of August 2020:

European Economic Area (EEA) Country	Update
Austria	According to Mastercard^[1] Austria is considering the approach by Germany’s Federal Financial Supervisory Authority (BaFin) on a progressive ramp up of SCA
Belgium	The Belgian Banking Association’s SCA ramp up plan was formally released to Belgian PSPs in mid-March 2020. A tiered approach to SCA (starting Q3 2020) has been agreed by the Belgian Central Bank A roadmap has been drafted by an industry task force (Belgian issuers, acquirers and the card schemes), in close coordination with the NCA (National Bank of Belgium) Progressive migration of merchants to 3DS and exemptions planned: 25% by 20 April 50% by 15 July 75% by 15 October In conjunction with this a soft decline will be implemented for non-compliant transactions, to prepare or warn merchants that compliance is required ahead of the December deadline Note: non-compliance means no SCA when needed, or not correctly flagged for exemption or exception Threshold for soft declines From 25 August the threshold for soft declines of non-compliant transactions is set at over €1500 euro From 22 September it will be €250 From 19 October it will be €30 From 17 November it will be €0 This plan will be closely monitored by the main Belgian card processor and a governance will be put in place to roll-back on a short notice if impact in the market is too big Also, worth noting that The Netherlands also plans to align with the Belgian roadmap from September in recognition of the cross-border nature of ecommerce
Bulgaria	No update from Bulgaria as yet
Croatia	No update from Croatia as yet
Cyprus	No update from Cyprus as yet
Czech Republic	No update from Czech Republic as yet
Denmark	Working towards 31 December 2020 deadline
Estonia	No update from Estonia as yet
Finland	No update from Finland as yet
France	Banque de France will provide additional flexibility until June 2021 Soft declines may be accelerated from September 2020, depending on market readiness
Germany	According to Mastercard, Germany’s Federal Financial Supervisory Authority (BaFin) is considering^[2] a progressive ramp up of up to 2.5 months with soft declines: 15 January 2021 – soft declines of transactions > €250 15 February 2021 – soft declines of transactions > €100 15 March 2021 – soft decline of all transactions
Greece	No update from Greece as yet
Hungary	No update from Hungary as yet
Ireland	Central Bank of Ireland will strictly enforce the EBA deadline from 1 January 2020
Italy	No update from Italy as yet
Latvia	No update from Latvia as yet
Lithuania	No update from Lithuania as yet
Luxembourg	No update from Luxembourg as yet
Malta	No update from Malta as yet
Netherlands	The Netherlands also plans to align with the Belgian roadmap from September in recognition of the cross-border nature of ecommerce. Soft declines of > €250 begin from 1 September 2020 Soft decline readiness is assessed through a questionnaire See more information from the Dutch Payments Association here
Poland	No update from Poland as yet
Portugal	No update from Portugal as yet
Romania	No update from Romania as yet
Slovakia	No update from Slovakia as yet
Slovenia	No update from Slovenia as yet
Spain	Bank of Spain is preparing for the 31 December 2020 deadline but has acknowledged that the market is not yet ready^[3]
Sweden	No update from Sweden as yet

Though now outside of EEA, the UK intends to follow SCA regulation:

United Kingdom

The UK’s Financial Conduct Authority (FCA) extended their deadline to 14 September 2021; see more on the FCA website

^{[1] Mastercard Academy, Christoph Baert (Senior Managing Counsel, Regulatory Affairs Europe), 12 August 2020}

^{[2] Mastercard Academy, Christoph Baert (Senior Managing Counsel, Regulatory Affairs Europe), 12 August 2020}

^{[3] Mastercard Academy, Christoph Baert (Senior Managing Counsel, Regulatory Affairs Europe), 12 August 2020}

European Commission update on SCA extension

Following written submissions to the European Commission, the Commission affirmed that the SCA deadline of December 2020 remains and will not be extended
All merchants should therefore be prepared for a full introduction of SCA on 1 January 2021
Executive Vice President of the Commission, Valdis Dombrovskis, responded to the extension request by acknowledging the challenges faced by businesses in adapting IT during this pandemic but said that SCA ‘has been known to the market since November 2017’ and therefore ample time has been provided to prepare
Crucially, Mr Dombrovskis stated: “the EBA has currently no intention to extend their validity… the Commission would not support any further delay in the full application of Strong Customer Authentication”
The Financial Conduct Authority (FCA) deadline of September 2021 remains unaffected by this ruling, and this will be applicable for domestic transactions in the UK only; cross border transactions will adhere to EBA guidelines
J.P. Morgan will continue to support merchants to be SCA-ready by December 2020. It is important to engage with us on this implementation to ensure compliance and prevent declines after this deadline
We remain in close contact with regulators and card schemes and will continue to update you as we receive further information

European Commission update on SCA extension

Following questions at a European Commission Roundtable on Wednesday 27 May, the Commission affirmed that the SCA deadline of December 2020 remains and they are not in favour of an extension
The EC deems SCA to be an important pillar of PDS2 and an essential rule within it, highlighting the increase in online payments during this pandemic and the increased need for combatting fraud as a result
In answering a question at the session, the European Commission attendees stated that there is no appetite in the EBA or EC for proceed with a further postponement
The EC also added that an extension of 15 months had already been granted, providing “more time to equip (merchants) and raise awareness and become SCA compatible”
While not a formal statement, this is a very good indication of a ruling at the next EBA meeting in June and merchants should therefore continue to prepare for the December deadline
The Financial Conduct Authority (FCA) deadline of September 2021 remains unaffected by this ruling, and this will be applicable for domestic transactions in the UK only; cross border transactions will adhere to EBA guidelines
J.P. Morgan will continue to support merchants to be SCA-ready by December 2020. It is important to engage with us on this implementation to ensure compliance and prevent declines after this deadline
We remain in close contact with regulators and card schemes and will continue to update you as we receive further information

Country by Country update

[Updated 12 September 2019]

Regulators across key EU markets have announced extensions to the implementation date for Strong Customer Authentication (SCA). (See below for country-by-country overview of announcements)
As a result, no enforcement action will be taken in these jurisdictions against firms that fail to meet SCA requirements by 14 September 2019. In the UK, the regulator has announced an 18 month extension, while in France the extension ranges from 15 months to June 2022 for complex cases. Other regulators have announced their intention to work with the EBA to agree a harmonised approach across the EU
The recent regulatory announcements are in response to the EBA opinion of 21 June 2019, which stated that national regulators could provide additional time to issuers and acquirers for the implementation of SCA.
The EBA is seeking detailed implementation and communication plans from issuers and acquirers on their readiness for SCA across Europe

Country-by-country announcements by national regulators:

Country	Announcement
AUSTRIA	On 19 August, the Austrian regulator announced that they would extend the deadline for implementing SCA until a joint new European deadline for implementation is agreed, most likely towards the end of September 2019.
BELGIUM	On 27 August, the Belgian regulator acknowledged the challenges for all e-commerce stakeholders in meeting the SCA deadline. They highlighted the need for all stakeholders to agree a plan to migrate to SCA as soon as reasonably possible after 14 September. Once this plan has been agreed, they will publish it on their website.
CYPRUS	On 2 September, the Cypriot regulator announced a limited, but undefined migration period for the implementation of SCA. Stakeholders will be informed in due course, following which issuers and acquirers will be expected to submit a detailed migration plan to the CBC.
DENMARK	On 4 September, the Danish regulator announced an 18-month extension to the SCA deadline. They expect all participants to be compliant by 14 March 2021 and to ensure they are on track to meet key milestones they will now agree with the market participants.
FINLAND	The Finish regulator announced on 5 September that they will not impose any sanctions on regulated entities who do not introduce SCA on 14 September. This will be a temporary measure and the timeframe will be decided in consultation with the EBA and other Member State regulators.
FRANCE	Banque de France has confirmed an extension to the transition period; for most online card payments, issuers will be given an additional 15 months beyond the September deadline, with a final deadline of June 2022 for more complex cases. (see p 11 of their report for the migration plan).
GERMANY	On 21 August, the German regulator announced a temporary delay to the implementation of SCA rules to give businesses more time to prepare. The duration of the delay will be defined following consultation with the EBA, other EU regulators and market participants.
GREECE	On 27 August, the Bank of Greece announced a phased period of implementation for SCA. Further details on time-frame for implementation will be announced in Q4 2019.
HUNGARY	The Hungarian regulator announced a 12-month extension to the deadline for e-commerce card transactions. Payment service providers availing of the extension will be required to submit migrations plans to the regulator.
IRELAND	On 8 August, the Central Bank of Ireland announced a limited migration period in relation to the application of SCA under PSD2. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU with further announcements to follow.
ITALY	On 1 August, the Italian regulator acknowledged the EBA opinion, announcing that they will grant a limited extension to the deadline for implementation of SCA. The timeframe for this extension is yet to be agreed.
LUXEMBOURG	On 30 August, the regulator in Luxembourg announced an extension to the deadline for implementation of SCA for e-commerce card transactions. Impacted stakeholders are required to inform the CSSF and submit a detailed migration plan. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU.
MALTA	On 14 August the Maltese regulator announced that it will not enforce SCA on September 14, providing there is evidence e-commerce institutions have taken steps to comply with agreed migration plans. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU.
THE NETHERLANDSs	On 8 August, the Dutch regulator announced that it will grant limited additional time for merchants and payment service providers to prepare for the introduction of SCA. They will work with the EBA and other banking authorities to agree a harmonised approach across the EU.
NORWAY	On 20 August the Norwegian regulator announced that they will grant an extension to parties who notify them by email to post@finanstilsynet.no. The email should contain the subject "extended deadline SKA-ITBET".
POLAND	On 19 August, the Polish regulator announced that no action will be taken against payment service providers who do not enforce SCA rules by the 14 September, providing they have submitted an appropriate ‘migration plan’. They will work with the EBA to define the timeline for introduction of SCA.
ROMANIA	As noted by the EBA on their website, Romania has not transposed the second Payment Services Directive into national law, so we anticipate BAU in Romania.
SLOVENIA	Following this notice of 11 July 2019, no further announcement is expected.
SPAIN	On 11 September, the Spanish regulator announced that they will grant an extended migration period, providing stakeholders have agreed migration plans with their national regulators. They have not announced a timeline for the extension.
SWEDEN	On 4 September, the Swedish regulator announced that they will not grant any transition period; the rules will start to apply on 14 September. They note that any payment service providers who require additional time to implement SCA for e-commerce card transactions should submit a detailed migration plan to them. This should be in line with the timetable they anticipate the EBA will provide later this year.
UNITED KINGDOM	On 13 August, the UK’s FCA announced that they will give the payments and e-commerce industry an additional 18-month plan to implement SCA.

Regulators announce SCA extensions

[Updated 28 August 2019 with latest announcements by national regulators]

Regulators across key EU markets have announced extensions to the implementation date for Strong Customer Authentication (SCA). (See below for country-by-country overview of announcements)
As a result, no enforcement action will be taken in these jurisdictions against firms that fail to meet SCA requirements by 14 September 2019. In the UK, the regulator has announced an 18 month extension, while in France the extension ranges from 15 months to June 2022 for complex cases. Other regulators have announced their intention to work with the EBA to agree a harmonised approach across the EU.
These regulatory announcements are in response to the EBA opinion of 21 June 2019, which stated that national regulators could provide additional time to issuers and acquirers for the implementation of SCA.
The EBA is seeking detailed implementation and communication plans from issuers and acquirers on their readiness for SCA across Europe.

Country-by-country announcements by national regulators:

Country	Announcement
AUSTRIA	On 19 August, the Austrian regulator announced that they would extend the deadline for implementing SCA until a joint new European deadline for implementation is agreed, most likely towards the end of September 2019.
FRANCE	Banque de France has confirmed an extension to the transition period; for most online card payments, issuers will be given an additional 15 months beyond the September deadline, with a final deadline of June 2022 for more complex cases. (see p 11 of their report for the migration plan).
GERMANY	On 21 August, the German regulator announced a temporary delay to the implementation of SCA rules to give businesses more time to prepare. The duration of the delay will be defined following consultation with the EBA, other EU regulators and market participants.
GREECE	On 27 August, the Bank of Greece announced a phased period of implementation for SCA. Further details on time-frame for implementation will be announced in Q4 2019.
IRELAND	On 8 August, the Central Bank of Ireland announced a limited migration period in relation to the application of SCA under PSD2. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU with further announcements to follow.
ITALY	On 1 August, the Italian regulator acknowledged the EBA opinion, announcing that they will grant a limited extension to the deadline for implementation of SCA. The timeframe for this extension is yet to be agreed.
MALTA	On 14 August the Maltese regulator announced that it will not enforce SCA on September 14, providing there is evidence e-commerce institutions have taken steps to comply with agreed migration plans. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU.
THE NETHERLANDS	On 8 August, the Dutch regulator announced that it will grant limited additional time for merchants and payment service providers to prepare for the introduction of SCA. They will work with the EBA and other banking authorities to agree a harmonised approach across the EU.
POLAND	On 19 August, the Polish regulator announced that no action will be taken against payment service providers who do not enforce SCA rules by the 14 September, providing they have submitted an appropriate ‘migration plan’. They will work with the EBA to define the timeline for introduction of SCA
UNITED KINGDOM	On 13 August, the UK’s FCA announced that they will give the payments and e-commerce industry an additional 18-month plan to implement SCA.

EBA opinion on SCA

EBA publishes an Opinion on the elements of strong customer authentication under PSD2¹

The European Banking Authority (EBA) published today an Opinion on the elements of strong customer authentication (SCA) under the revised Payment Services Directive (PSD2). The Opinion is a response to continued queries from market actors as to which authentication approaches the EBA considers to be compliant with SCA. The Opinion also addresses concerns about the preparedness and compliance of some actors in the payments chain with the SCA requirements that apply as of 14 September 2019.

Today's Opinion provides a non-exhaustive list of the authentication approaches currently observed in the market and states whether or not they are considered to be SCA compliant. The Opinion does so separately for each of the three SCA elements of knowledge, possession and inherence, and also provides clarifications regarding combinations of these elements.

The Opinion also responds to the concerns about market preparedness, by clarifying that the EBA is legally not able to postpone an application date that is set out in EU law. The Opinion also explains that sufficient time has been available for the industry to prepare for the application date of SCA, given that the definition of SCA had been set out in PSD2 when it was published in 2015, which gave clear indications that existing authentication approaches would need to be phased out, and because PSD2 already granted an additional 18-month period for the industry to implement SCA.

However, the Opinion acknowledges the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by actors that are not payment service providers (PSPs) and, therefore, not directly subject to PSD2 and the EBA's technical standards, such as e-merchants, which may lead to some actors in the payments chain not being ready by 14 September 2019.

The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time. This is to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.

This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their NCA, and will execute the plan in an expedited manner.

In order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.

Background

The revised Payment Services Directive was published in November 2015, entered into force on 13 January 2016 and applies since 13 January 2018. The Directive brings fundamental changes to the payments market in the EU, in particular by requiring SCA to be applied by payment services providers (PSPs) when carrying out remote electronic transactions.

SCA is defined in the Directive as an "authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data." The Directive also provides that SCA is to be applied to all electronic payments, unless one of the exemptions applies.

The EBA had been mandated to support the Directive by developing regulatory technical standards (RTS) setting out the details on strong customer authentication and common and secure communication (RTS on SCA and CSC), including its exemptions, and to regulate the access to customer payment account data held in account servicing payment service providers.

The RTS were developed in 2015/16, consulted on during 2016/17, adopted as Commission Delegated Regulation (EU) 2018/389 on 27 November 2017, published in the Official Journal on 13 March 2018, and will legally apply from 14 September 2019. The RTS deliberately refrains from referring to any particular authentication approaches in the industry, in order to ensure that the RTS remains technology neutral and future-proof.

Legal basis

The EBA issued the Opinion in accordance with Article 29(1)(a) of its Founding Regulation, which mandates the Authority to play an active role in building a common Union supervisory culture and consistent supervisory practices, as well as in ensuring uniform procedures and consistent approaches throughout the Union.

^{1 Article reproduced from https://eba.europa.eu/eba-publishes-an-opinion-on-the-elements-of-strong-customer-authentication-under-psd2 21 June 2019}

Strong Customer Authentication (SCA)

Are you ready? We can help