Latest SCA Updates

19/08/2020

As the SCA deadline nears, financial regulators in each EEA country are solidifying plans for their rollout. Below are the latest updates as of August 2020:

European Economic Area (EEA) Country	Update
Austria	According to Mastercard^[1] Austria is considering the approach by Germany’s Federal Financial Supervisory Authority (BaFin) on a progressive ramp up of SCA
Belgium	The Belgian Banking Association’s SCA ramp up plan was formally released to Belgian PSPs in mid-March 2020. A tiered approach to SCA (starting Q3 2020) has been agreed by the Belgian Central Bank A roadmap has been drafted by an industry task force (Belgian issuers, acquirers and the card schemes), in close coordination with the NCA (National Bank of Belgium) Progressive migration of merchants to 3DS and exemptions planned: 25% by 20 April 50% by 15 July 75% by 15 October In conjunction with this a soft decline will be implemented for non-compliant transactions, to prepare or warn merchants that compliance is required ahead of the December deadline Note: non-compliance means no SCA when needed, or not correctly flagged for exemption or exception Threshold for soft declines From 25 August the threshold for soft declines of non-compliant transactions is set at over €1500 euro From 22 September it will be €250 From 19 October it will be €30 From 17 November it will be €0 This plan will be closely monitored by the main Belgian card processor and a governance will be put in place to roll-back on a short notice if impact in the market is too big Also, worth noting that The Netherlands also plans to align with the Belgian roadmap from September in recognition of the cross-border nature of ecommerce
Bulgaria	No update from Bulgaria as yet
Croatia	No update from Croatia as yet
Cyprus	No update from Cyprus as yet
Czech Republic	No update from Czech Republic as yet
Denmark	Working towards 31 December 2020 deadline
Estonia	No update from Estonia as yet
Finland	No update from Finland as yet
France	Banque de France will provide additional flexibility until June 2021 Soft declines may be accelerated from September 2020, depending on market readiness
Germany	According to Mastercard, Germany’s Federal Financial Supervisory Authority (BaFin) is considering^[2] a progressive ramp up of up to 2.5 months with soft declines: 15 January 2021 – soft declines of transactions > €250 15 February 2021 – soft declines of transactions > €100 15 March 2021 – soft decline of all transactions
Greece	No update from Greece as yet
Hungary	No update from Hungary as yet
Ireland	Central Bank of Ireland will strictly enforce the EBA deadline from 1 January 2020
Italy	No update from Italy as yet
Latvia	No update from Latvia as yet
Lithuania	No update from Lithuania as yet
Luxembourg	No update from Luxembourg as yet
Malta	No update from Malta as yet
Netherlands	The Netherlands also plans to align with the Belgian roadmap from September in recognition of the cross-border nature of ecommerce. Soft declines of > €250 begin from 1 September 2020 Soft decline readiness is assessed through a questionnaire See more information from the Dutch Payments Association here
Poland	No update from Poland as yet
Portugal	No update from Portugal as yet
Romania	No update from Romania as yet
Slovakia	No update from Slovakia as yet
Slovenia	No update from Slovenia as yet
Spain	Bank of Spain is preparing for the 31 December 2020 deadline but has acknowledged that the market is not yet ready^[3]
Sweden	No update from Sweden as yet

Though now outside of EEA, the UK intends to follow SCA regulation:

United Kingdom

The UK’s Financial Conduct Authority (FCA) extended their deadline to 14 September 2021; see more on the FCA website

^{[1] Mastercard Academy, Christoph Baert (Senior Managing Counsel, Regulatory Affairs Europe), 12 August 2020}

^{[2] Mastercard Academy, Christoph Baert (Senior Managing Counsel, Regulatory Affairs Europe), 12 August 2020}

^{[3] Mastercard Academy, Christoph Baert (Senior Managing Counsel, Regulatory Affairs Europe), 12 August 2020}

6/17/2020

European Commission update on SCA extension

Following written submissions to the European Commission, the Commission affirmed that the SCA deadline of December 2020 remains and will not be extended
All merchants should therefore be prepared for a full introduction of SCA on 1 January 2021
Executive Vice President of the Commission, Valdis Dombrovskis, responded to the extension request by acknowledging the challenges faced by businesses in adapting IT during this pandemic but said that SCA ‘has been known to the market since November 2017’ and therefore ample time has been provided to prepare
Crucially, Mr Dombrovskis stated: “the EBA has currently no intention to extend their validity… the Commission would not support any further delay in the full application of Strong Customer Authentication”
The Financial Conduct Authority (FCA) deadline of September 2021 remains unaffected by this ruling, and this will be applicable for domestic transactions in the UK only; cross border transactions will adhere to EBA guidelines
J.P. Morgan will continue to support merchants to be SCA-ready by December 2020. It is important to engage with us on this implementation to ensure compliance and prevent declines after this deadline
We remain in close contact with regulators and card schemes and will continue to update you as we receive further information

5/27/2020

European Commission update on SCA extension

Following questions at a European Commission Roundtable on Wednesday 27 May, the Commission affirmed that the SCA deadline of December 2020 remains and they are not in favour of an extension
The EC deems SCA to be an important pillar of PDS2 and an essential rule within it, highlighting the increase in online payments during this pandemic and the increased need for combatting fraud as a result
In answering a question at the session, the European Commission attendees stated that there is no appetite in the EBA or EC for proceed with a further postponement
The EC also added that an extension of 15 months had already been granted, providing “more time to equip (merchants) and raise awareness and become SCA compatible”
While not a formal statement, this is a very good indication of a ruling at the next EBA meeting in June and merchants should therefore continue to prepare for the December deadline
The Financial Conduct Authority (FCA) deadline of September 2021 remains unaffected by this ruling, and this will be applicable for domestic transactions in the UK only; cross border transactions will adhere to EBA guidelines
J.P. Morgan will continue to support merchants to be SCA-ready by December 2020. It is important to engage with us on this implementation to ensure compliance and prevent declines after this deadline
We remain in close contact with regulators and card schemes and will continue to update you as we receive further information

9/12/2019

[Updated 12 September 2019]

Regulators across key EU markets have announced extensions to the implementation date for Strong Customer Authentication (SCA). (See below for country-by-country overview of announcements)
As a result, no enforcement action will be taken in these jurisdictions against firms that fail to meet SCA requirements by 14 September 2019. In the UK, the regulator has announced an 18 month extension, while in France the extension ranges from 15 months to June 2022 for complex cases. Other regulators have announced their intention to work with the EBA to agree a harmonised approach across the EU
The recent regulatory announcements are in response to the EBA opinion of 21 June 2019, which stated that national regulators could provide additional time to issuers and acquirers for the implementation of SCA.
The EBA is seeking detailed implementation and communication plans from issuers and acquirers on their readiness for SCA across Europe

Country-by-country announcements by national regulators:

Country	Announcement
AUSTRIA	On 19 August, the Austrian regulator announced that they would extend the deadline for implementing SCA until a joint new European deadline for implementation is agreed, most likely towards the end of September 2019.
BELGIUM	On 27 August, the Belgian regulator acknowledged the challenges for all e-commerce stakeholders in meeting the SCA deadline. They highlighted the need for all stakeholders to agree a plan to migrate to SCA as soon as reasonably possible after 14 September. Once this plan has been agreed, they will publish it on their website.
CYPRUS	On 2 September, the Cypriot regulator announced a limited, but undefined migration period for the implementation of SCA. Stakeholders will be informed in due course, following which issuers and acquirers will be expected to submit a detailed migration plan to the CBC.
DENMARK	On 4 September, the Danish regulator announced an 18-month extension to the SCA deadline. They expect all participants to be compliant by 14 March 2021 and to ensure they are on track to meet key milestones they will now agree with the market participants.
FINLAND	The Finish regulator announced on 5 September that they will not impose any sanctions on regulated entities who do not introduce SCA on 14 September. This will be a temporary measure and the timeframe will be decided in consultation with the EBA and other Member State regulators.
FRANCE	Banque de France has confirmed an extension to the transition period; for most online card payments, issuers will be given an additional 15 months beyond the September deadline, with a final deadline of June 2022 for more complex cases. (see p 11 of their report for the migration plan).
GERMANY	On 21 August, the German regulator announced a temporary delay to the implementation of SCA rules to give businesses more time to prepare. The duration of the delay will be defined following consultation with the EBA, other EU regulators and market participants.
GREECE	On 27 August, the Bank of Greece announced a phased period of implementation for SCA. Further details on time-frame for implementation will be announced in Q4 2019.
HUNGARY	The Hungarian regulator announced a 12-month extension to the deadline for e-commerce card transactions. Payment service providers availing of the extension will be required to submit migrations plans to the regulator.
IRELAND	On 8 August, the Central Bank of Ireland announced a limited migration period in relation to the application of SCA under PSD2. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU with further announcements to follow.
ITALY	On 1 August, the Italian regulator acknowledged the EBA opinion, announcing that they will grant a limited extension to the deadline for implementation of SCA. The timeframe for this extension is yet to be agreed.
LUXEMBOURG	On 30 August, the regulator in Luxembourg announced an extension to the deadline for implementation of SCA for e-commerce card transactions. Impacted stakeholders are required to inform the CSSF and submit a detailed migration plan. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU.
MALTA	On 14 August the Maltese regulator announced that it will not enforce SCA on September 14, providing there is evidence e-commerce institutions have taken steps to comply with agreed migration plans. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU.
THE NETHERLANDSs	On 8 August, the Dutch regulator announced that it will grant limited additional time for merchants and payment service providers to prepare for the introduction of SCA. They will work with the EBA and other banking authorities to agree a harmonised approach across the EU.
NORWAY	On 20 August the Norwegian regulator announced that they will grant an extension to parties who notify them by email to post@finanstilsynet.no. The email should contain the subject "extended deadline SKA-ITBET".
POLAND	On 19 August, the Polish regulator announced that no action will be taken against payment service providers who do not enforce SCA rules by the 14 September, providing they have submitted an appropriate ‘migration plan’. They will work with the EBA to define the timeline for introduction of SCA.
ROMANIA	As noted by the EBA on their website, Romania has not transposed the second Payment Services Directive into national law, so we anticipate BAU in Romania.
SLOVENIA	Following this notice of 11 July 2019, no further announcement is expected.
SPAIN	On 11 September, the Spanish regulator announced that they will grant an extended migration period, providing stakeholders have agreed migration plans with their national regulators. They have not announced a timeline for the extension.
SWEDEN	On 4 September, the Swedish regulator announced that they will not grant any transition period; the rules will start to apply on 14 September. They note that any payment service providers who require additional time to implement SCA for e-commerce card transactions should submit a detailed migration plan to them. This should be in line with the timetable they anticipate the EBA will provide later this year.
UNITED KINGDOM	On 13 August, the UK’s FCA announced that they will give the payments and e-commerce industry an additional 18-month plan to implement SCA.

8/28/2019

[Updated 28 August 2019 with latest announcements by national regulators]

Regulators across key EU markets have announced extensions to the implementation date for Strong Customer Authentication (SCA). (See below for country-by-country overview of announcements)
As a result, no enforcement action will be taken in these jurisdictions against firms that fail to meet SCA requirements by 14 September 2019. In the UK, the regulator has announced an 18 month extension, while in France the extension ranges from 15 months to June 2022 for complex cases. Other regulators have announced their intention to work with the EBA to agree a harmonised approach across the EU.
These regulatory announcements are in response to the EBA opinion of 21 June 2019, which stated that national regulators could provide additional time to issuers and acquirers for the implementation of SCA.
The EBA is seeking detailed implementation and communication plans from issuers and acquirers on their readiness for SCA across Europe.

Country-by-country announcements by national regulators:

Country	Announcement
AUSTRIA	On 19 August, the Austrian regulator announced that they would extend the deadline for implementing SCA until a joint new European deadline for implementation is agreed, most likely towards the end of September 2019.
FRANCE	Banque de France has confirmed an extension to the transition period; for most online card payments, issuers will be given an additional 15 months beyond the September deadline, with a final deadline of June 2022 for more complex cases. (see p 11 of their report for the migration plan).
GERMANY	On 21 August, the German regulator announced a temporary delay to the implementation of SCA rules to give businesses more time to prepare. The duration of the delay will be defined following consultation with the EBA, other EU regulators and market participants.
GREECE	On 27 August, the Bank of Greece announced a phased period of implementation for SCA. Further details on time-frame for implementation will be announced in Q4 2019.
IRELAND	On 8 August, the Central Bank of Ireland announced a limited migration period in relation to the application of SCA under PSD2. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU with further announcements to follow.
ITALY	On 1 August, the Italian regulator acknowledged the EBA opinion, announcing that they will grant a limited extension to the deadline for implementation of SCA. The timeframe for this extension is yet to be agreed.
MALTA	On 14 August the Maltese regulator announced that it will not enforce SCA on September 14, providing there is evidence e-commerce institutions have taken steps to comply with agreed migration plans. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU.
THE NETHERLANDS	On 8 August, the Dutch regulator announced that it will grant limited additional time for merchants and payment service providers to prepare for the introduction of SCA. They will work with the EBA and other banking authorities to agree a harmonised approach across the EU.
POLAND	On 19 August, the Polish regulator announced that no action will be taken against payment service providers who do not enforce SCA rules by the 14 September, providing they have submitted an appropriate ‘migration plan’. They will work with the EBA to define the timeline for introduction of SCA
UNITED KINGDOM	On 13 August, the UK’s FCA announced that they will give the payments and e-commerce industry an additional 18-month plan to implement SCA.

6/21/2019

EBA publishes an Opinion on the elements of strong customer authentication under PSD2¹

The European Banking Authority (EBA) published today an Opinion on the elements of strong customer authentication (SCA) under the revised Payment Services Directive (PSD2). The Opinion is a response to continued queries from market actors as to which authentication approaches the EBA considers to be compliant with SCA. The Opinion also addresses concerns about the preparedness and compliance of some actors in the payments chain with the SCA requirements that apply as of 14 September 2019.

Today's Opinion provides a non-exhaustive list of the authentication approaches currently observed in the market and states whether or not they are considered to be SCA compliant. The Opinion does so separately for each of the three SCA elements of knowledge, possession and inherence, and also provides clarifications regarding combinations of these elements.

The Opinion also responds to the concerns about market preparedness, by clarifying that the EBA is legally not able to postpone an application date that is set out in EU law. The Opinion also explains that sufficient time has been available for the industry to prepare for the application date of SCA, given that the definition of SCA had been set out in PSD2 when it was published in 2015, which gave clear indications that existing authentication approaches would need to be phased out, and because PSD2 already granted an additional 18-month period for the industry to implement SCA.

However, the Opinion acknowledges the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by actors that are not payment service providers (PSPs) and, therefore, not directly subject to PSD2 and the EBA's technical standards, such as e-merchants, which may lead to some actors in the payments chain not being ready by 14 September 2019.

The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time. This is to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.

This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their NCA, and will execute the plan in an expedited manner.

In order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.

Background

The revised Payment Services Directive was published in November 2015, entered into force on 13 January 2016 and applies since 13 January 2018. The Directive brings fundamental changes to the payments market in the EU, in particular by requiring SCA to be applied by payment services providers (PSPs) when carrying out remote electronic transactions.

SCA is defined in the Directive as an "authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data." The Directive also provides that SCA is to be applied to all electronic payments, unless one of the exemptions applies.

The EBA had been mandated to support the Directive by developing regulatory technical standards (RTS) setting out the details on strong customer authentication and common and secure communication (RTS on SCA and CSC), including its exemptions, and to regulate the access to customer payment account data held in account servicing payment service providers.

The RTS were developed in 2015/16, consulted on during 2016/17, adopted as Commission Delegated Regulation (EU) 2018/389 on 27 November 2017, published in the Official Journal on 13 March 2018, and will legally apply from 14 September 2019. The RTS deliberately refrains from referring to any particular authentication approaches in the industry, in order to ensure that the RTS remains technology neutral and future-proof.

Legal basis

The EBA issued the Opinion in accordance with Article 29(1)(a) of its Founding Regulation, which mandates the Authority to play an active role in building a common Union supervisory culture and consistent supervisory practices, as well as in ensuring uniform procedures and consistent approaches throughout the Union.

^{1 Article reproduced from https://eba.europa.eu/eba-publishes-an-opinion-on-the-elements-of-strong-customer-authentication-under-psd2 21 June 2019}

Strong Customer Authentication (SCA)

Are you ready? We can help

Latest Updates

August 2020

June 2020

European Commission update on SCA extension

May 2020

European Commission update on SCA extension

September 2019

August 2019

June 2019

EBA publishes an Opinion on the elements of strong customer authentication under PSD2¹

You're now leaving J.P. Morgan

Already an Existing Customer?

Existing Merchant Service Customers

Connectivity

Processing

Security

Insights

Careers

JPMorgan Chase sites

Strong Customer Authentication (SCA)

Are you ready? We can help

Latest Updates

August 2020

June 2020

European Commission update on SCA extension

May 2020

European Commission update on SCA extension

September 2019

August 2019

June 2019

EBA publishes an Opinion on the elements of strong customer authentication under PSD21

Already an Existing Customer?

Existing Merchant Service Customers

Connectivity

Processing

Security

Insights

Careers

JPMorgan Chase sites

EBA publishes an Opinion on the elements of strong customer authentication under PSD2¹