Please update your browser.
Strong Customer Authentication (SCA)
Are you ready? We can help
May 2021
The UK financial regulator, the Financial Conduct Authority (FCA), has announced an additional six-month extension to the deadline for Strong Customer Authentication (SCA). While ramp up will continue from 1 June 2021, full compliance for UK transactions is not expected until 14 March 2022.
The risk of hard declines persists from 1 June, so it is important to ensure that you are 3DS enabled and to be coded for exemptions.
You can read the full revised plan from UK Finance here
April 2021
UK Finance has issued an update due to concerns on the lack of clarity for GDPR and behavioural biometrics. The Financial Conduct Authority (FCA) is allowing issuers to utilise 3DS profiling data, along with One Time Password SMS, as two independent authentication factors until 14 September 2021.
See more here
February 2021
Following the January 2021 deadline, countries and regulators have been ramping up. Below is the latest update, as of February 2021… |
Country |
January 2021 |
February 2021 |
March 2021 |
April 2021 |
Austria |
The NCA also informed about some flexibility in practice. The FMA will check banks’ compliance as from 15 January 2021 for payments above 250 euros, as from 15 February 2021 above 150 euros and as from 15 March 2021 or all payments. |
The NCA also informed about some flexibility in practice. The FMA will check banks’ compliance as from 15 January 2021 for payments above 250 euros, as from 15 February 2021 above 150 euros and as from 15 March 2021 or all payments. |
The NCA also informed about some flexibility in practice. The FMA will check banks’ compliance as from 15 January 2021 for payments above 250 euros, as from 15 February 2021 above 150 euros and as from 15 March 2021 or all payments. |
Full Compliance |
Belgium |
Ramp Up: As from Tuesday 19 January 2021 All transactions above 1.500€ |
Ramp Up: As from Tuesday 23 February 2021: All transactions above 500€ |
Ramp Up: As from Tuesday 23 March 2021: All transactions above 250€ |
Ramp Up: As from Monday 19 April 2021: All transactions above 100 |
Bulgaria |
Full Compliance |
|
|
|
Croatia |
Full Compliance |
|
|
|
Cyprus |
Full Compliance |
|
|
|
Czech Republic |
Full Compliance |
|
|
|
Denmark |
Full Compliance from January 11th |
|
|
|
Estonia |
Full Compliance |
|
|
|
Finland |
Full Compliance |
|
|
|
France |
January 2021 - Soft decline of transactions > EUR 1,000. |
Mid-February 2021 - Soft decline of transactions > EUR 500. |
Mid-February 2021 - Soft decline of transactions > EUR 500. |
April 2021 - Progressive soft decline of transactions < EUR 500 |
Germany |
BaFin has confirmed the 31 December 2020 deadline for SCA implementation. BaFin will check banks’ compliance beginning 15 January 2021 for payments above 250 euros, above 150 euros beginning 15 February and for all payments beginning 15 March. |
BaFin has confirmed the 31 December 2020 deadline for SCA implementation. BaFin will check banks’ compliance beginning 15 January 2021 for payments above 250 euros, above 150 euros beginning 15 February and for all payments beginning 15 March. |
BaFin has confirmed the 31 December 2020 deadline for SCA implementation. BaFin will check banks’ compliance beginning 15 January 2021 for payments above 250 euros, above 150 euros beginning 15 February and for all payments beginning 15 March. |
Full Compliance |
Greece |
Full Compliance |
|
|
|
Hungary |
Full Compliance |
|
|
|
Iceland |
Full Compliance |
|
|
|
Ireland |
20th Jan - transactions over 500eur - https://bpfi.ie/wp-content/uploads/2020/12/SCA-Ramp-Up-Approach-Final-8th-Dec-Clean-.pdf |
20th Jan - transactions over 500eur - https://bpfi.ie/wp-content/uploads/2020/12/SCA-Ramp-Up-Approach-Final-8th-Dec-Clean-.pdf |
1st March - transactions over 250eur - https://bpfi.ie/wp-content/uploads/2020/12/SCA-Ramp-Up-Approach-Final-8th-Dec-Clean-.pdf |
Full Compliance |
Italy |
Ramp Up: January 1, 2021: SCA to be enforced only for transactions > EUR 1,000 |
Ramp Up: February 1, 2021: SCA to be enforced only for transactions > EUR 500 |
Ramp Up: March 1, 2021: SCA to be enforced only for transactions > EUR 100 |
Full Compliance |
Latvia |
Full Compliance |
|
|
|
Liechtenstein |
Full Compliance |
|
|
|
Lithuania |
In January a payment service provider may omit SCA for online card payments under €500 |
In January a payment service provider may omit SCA for online card payments under €250 |
In January a payment service provider may omit SCA for online card payments under €100 |
Full Compliance |
Luxembourg |
Full Compliance |
|
|
|
Malta |
Full Compliance |
|
|
|
Netherlands |
The Dutch industry agreed on the following revised ramp-up plan with soft decline until March 16, 2021: |
The Dutch industry agreed on the following revised ramp-up plan with soft decline until March 16, 2021: |
The Dutch industry agreed on the following revised ramp-up plan with soft decline until March 16, 2021: |
Full Compliance |
Norway |
Full Compliance |
|
|
|
Poland |
Full Compliance |
|
|
|
Portugal |
Full Compliance |
|
|
|
Romania |
Full Compliance |
|
|
|
Slovakia |
Full Compliance |
|
|
|
Slovenia |
Full Compliance |
|
|
|
Spain |
Enforcement of SCA for all transactions with card as long as authentication is present (on any version of 3DS). In the case of none of the 3DS versions presented at transaction, transactions from 30EUR and under 250EUR will be authorised (or not) only based on issuer decision. If the transaction is authorized it will be presumed that risk analysis exemption was applied (that will influence reporting and any future liability of the transaction). This will end on 31st January 2021. |
For transactions below 30EUR conditions will be same as above and this agreement will not be extended further of Feb 2021 |
|
|
Sweden |
Full Compliance from January 14th |
|
|
|
UK |
N/A |
N/A |
N/A |
N/A |
January 2021
- The rate of fully authenticated transactions we are seeing remains low and, based on our intelligence, we anticipate a gradual increase over Q1 2021.
- In line with expectations, there is an increase in soft declines and challenges for Denmark and Austria since 10 January, but overall challenge levels remain low across all countries.
- Increased declines based on Country thresholds are expected to align to SCA ramp-up dates:
- 11 January – Denmark
- 14 January – Sweden
- 15 January – Germany and Austria
- 20 January – Ireland
- Countries reporting a week-on-week increase in SCA authorisation soft declines (up to 12 January) are:
- Bulgaria, Finland, Romania, Germany, Italy, Spain, Sweden, Hungary, Denmark & Austria – overall the numbers remain low
- Data Analysis is also showing a minor increase in soft declines requiring SCA across smaller ecommerce countries (Finland, Norway, Belgium, Poland, Lithuania and Estonia)
Our recommendation remains to implement and test 3DS on your site as soon as possible to ensure you are SCA ready when countries start to ramp up their challenges.
December 2020
- The rate of fully authenticated transactions we are seeing remains low, and based on our intelligence we do not envisage a material increase in fully authenticated transactions before 1 January 2021, with a gradual increase anticipated over Q1 2021.
- To date, some of the largest ecommerce markets such as the UK, France, Germany, Italy, Belgium and Ireland have announced collective migration plans stretching into Q1/Q2 2021. Limited SCA authorisation soft decline testing by issuers can be expected in these regions.
- Spain remains one of the largest ecommerce markets yet to announce a collective migration plan or readiness update. Banco de España noted at an industry meeting that only 47% of cards were enrolled for 3DS in July 2020.
- Countries reporting a week-on-week increase in SCA authorisation soft declines for the week ending 12 December are:
- Bulgaria, Finland, Romania and Sweden – overall the numbers remain low
- Our recommendation remains to implement and test 3DS on your site as soon as possible to ensure you are SCA-ready when countries start to ramp up their challenges.
- As of 9 December, there has been a slight increase in SCA authorisation soft declines. Country summaries to note:
- Bulgaria, Belgium, France, Germany and Sweden - numbers still very small and limited to a few issuers
- Italy, Romania and Czech Republic - intermittent, most likely due to testing by Issuers
- Week-on-week market trends are showing a slight increase in successful 3DS transactions driven by higher levels of fully authenticated ECI 5 transactions, as well as higher volumes of merchants presenting successful 3DS transactions
The final version of the Irish ramp up plan has been published: www.mypsd2.ie
- As of 28 November, no material increase in SCA authorisation soft declines
- Week-on-week market trends are showing an increase in successful 3DS transactions, driven by higher levels of fully authenticated ECI 5 transactions, as well as higher volumes of merchants presenting successful 3DS transactions
- Countries reporting a week on week increase in SCA authorisation soft declines for the week ending 28 November are:
- Belgium, France, Poland and Romania - numbers still very small and limited to a few issuers
- Germany, Austria and Czech Republic - intermittent, most likely due to testing by Issuers
November 2020
UK Finance has published the full and final SCA implementation roadmap for SCA, highlighting UK-only activities and merchant readiness.
The full plan can be accessed here.
Mastercard has advised that at the European Payment Institutions Federation (EPIF) annual conference on 19 November, the EBA publicly reiterated that it will not extend the SCA transition period beyond December 31, 2020 (for EEA regions) - nor would the EBA provide further flexibility for the T&E sector.
Mastercard has noted that as the EBA’s position has been clear for some time, this is not unexpected.
Please find below further details provided by Mastercard regarding the statements made by the EBA at the EPIF conference:
- No extension of December 31, 2020 deadline. Although the EBA is aware of the industries lack of readiness, their view is that the industry has had sufficient time to prepare. The SCA requirements have been known to the market since 2015 when PSD2 was published. The industry has already been granted a 15-month extension.
- National Competent Authorities (NCAs or regulators) providing further flexibility are violating PSD2. Any additional flexibility granted at national level after December 31, 2020 is contrary to the PSD2. PSPs not complying with the PSD2 SCA requirements will be in violation of the law. The EBA will closely monitor enforcement of the SCA provisions by the NCA during 2021.
- ‘Soft-decline is a smart idea but too late’. The EBA recognizes that soft-decline is a smart idea, but it should have started several months ago.
- T&E sector should also comply by 31 December, 2020. The EBA was already made aware 18 months ago of the technical complexities to implement SCA requirements for the T&E sector. Nonetheless, since Covid-19 significantly reduced travel operations, this could have been a good time to adapt the T&E infrastructure to the new SCA requirements.
- If cards do not work, other payment instruments should be used. If merchants see that card payments do not work/operate outside of the law, they can/should switch to competing payments that are SCA compliant (e.g., PISP payments via ACH, SDD). PISPs have complained to the EBA that no favourable treatment in the form of flexibility should be granted to cards payments.
- To date up to 21 November 2020 no material increase in SCA declines
- Week on week market trends are showing an increase in successful 3DS transactions driven by increased volumes of merchants presenting successful 3DS transactions, as well as an increase in fully authenticated ECI 5 transactions
- Countries reporting a week on week increase in SCA soft declines for the week ending 21st Nov are:
- Belgium, France and Romania: numbers still very small and limited to a few issuers
- Germany and Denmark: intermittent SCA declines, most likely due to testing
As the SCA deadline nears, financial regulators in each EEA country are solidifying plans for their rollout. Below are the latest updates as of November 2020:
European Economic Area (EEA) Country |
Update |
Austria |
No update since September |
Belgium |
The National Bank of Belgium (NBB) expects the industry to be fully compliant with SCA by the EBA deadline of 31 December, 2020. Belgium adopted a collective migration plan providing the following milestones:
T&E transactions and EEA-UK transactions are excluded from soft decline. The NBB stated that they did not mandate soft decline. It is up to the industry to apply soft decline based on the Belgian migration plan. |
Bulgaria |
The Bulgarian National Bank (BNB) will officially maintain the 31 December 31, 2020 deadline. |
Croatia | No update from Croatia as yet |
Cyprus | No update from Cyprus as yet |
Czech Republic | The Czech National Bank (CNB) position is the following:
|
Denmark | The Finanstilsynet (Danish Financial Supervisory Authority, FSA) announced that they will ensure flexibility for SCA until 11 January, 2021 to avoid disruptions during holiday season. |
Estonia | No update from Estonia as yet |
Finland | No update from Finland as yet |
France | On July 1, 2020, Banque de France issued a press release:
On September 22, 2020, Banque de France published its 2019 Annual Report with a ramp-up plan and updates on SCA readiness. Recognising the efforts of all stakeholders to migrate to solutions compliant with PSD2 RTS and the Covid-19 impact, Banque de France has announced a progressive enforcement of SCA until the end of June 2021. Flexibility will be offered in terms of:
In parallel, to accelerate the market readiness, Banque de France has also announced a progressive ramp up with soft decline with immediate effect. 1. Cardholder enrollment on 2FA solutions
2. Share of in scope ecommerce volumes authenticated or exempted
3. Progressive ramp-up with soft declines
4. Banque de France recognizes that, despite Covid-19 slowed-down migration, the industry is making significant progress
|
Germany | According to Mastercard, Germany’s Federal Financial Supervisory Authority (BaFin) will maintain the EBA deadline of 31 December 2020. BaFin however considered the following progressive (2.5-month) ramp-up with soft decline:
|
Greece | Bank of Greece sent an email to Greek banks3 stating that they will not provide an extension to the EBA deadline of 31 December, 2020. |
Hungary | Magyar Nemzeti Bank (MNB) favours4 a harmonized European approach and will probably stick to the current deadline of December 31, 2020. |
Iceland | No update from Iceland as yet |
Ireland | No update since September |
Italy | Bank of Italy asked the industry to accelerate SCA migration. During its meeting with industry on 9 November, 2020, Bank of Italy agreed5 to an industry ramp-up plan in accordance with the following milestones:
The ramp-up would apply only to domestic transactions. Bank of Italy is considering excluding the Travel and Hospitality sector from the ramp-up. Bank of Italy will shortly issue a statement to provide legal certainty to the market. This will help to avoid that issuers decline transactions below the thresholds. |
Latvia | No update from Latvia as yet |
Lithuania | No update from Lithuania as yet |
Luxemboug | Banque Centrale du Luxembourg and Commission de Surveillance du Secteur Financier (CSSF) is assessing the situation and closely looks at what is happening in other countries. |
Malta | No update from Malta as yet |
Netherlands | The Netherlands adopted a collective migration plan providing the following milestones:
On 15 September, 2020, the Dutch Payments Association (BVN) published a press release stating that:
NL has done a first limited try-out of ramp-up. Results are being analyzed. See more information from the Dutch Payments Association here |
Norway | No update from Norway as yet |
Poland | According to the Polish Banks Association (PBA)6, banks would be ready by the end of the year. |
Portugal | Banco de Portugal currently requires compliance with SCA by the EBA deadline of 31 December, 2020. However, they are monitoring the system closely and do not rule out a reassessment of the decision if necessary7. September is a key month as the status of the national migration plan will be assessed. |
Romania | Banca Natională a României (BNR) based on their monitoring and migration plans, does not see a further delay as beneficial for Romanian industry8. |
Slovakia | No update from Slovakia as yet |
Slovenia | Central Bank of Slovenia favors a harmonized European approach. They will therefore reach out to the EBA and the NCAs to try and achieve alignment. They welcome any data and insights from industry. The Slovenian Banking Association sent a letter to the Central Bank, lobbying for additional 3 months of ramp-up. |
Spain | Banco de España expects all actors to accelerate SCA migration in September-October, so they are relatively optimistic about meeting the deadline for the implementation of SCA. During the meeting between Banco the España and the industry of 9 October, 2020:
During its meeting with industry at the beginning of July, Banco de España:
|
Sweden | No update from Sweden as yet. |
Though now outside of EEA, the UK intends to follow SCA regulation:
United Kingdom |
The UK FCA extended the SCA transition period for e-commerce by a further 6 months (i.e., until September 14, 2021) due to Covid-19. UK Finance has made the necessary adjustments to its SCA migration plan. UK Finance migration plan now provides the following milestones:
UKF will be conducting a detailed issuer readiness survey. See more on the FCA website |
- To date in November, we are not seeing any material increase in SCA declines
- Countries where we are seeing a slight week on week increase in SCA declines are:
- Netherlands: limited to one issuer and confirmed as participating in coordinated testing
- Belgium, Romania and Poland: numbers still very small and limited to a few issuers
- We will continue to monitor issuer SCA declines as the various country by country collective migration plans come into effect.
October 2020
The Danish FSA has released an update stating their new SCA readiness date, which is now 11 January 2021
https://www.finanstilsynet.dk/Nyheder-og-Presse/Pressemeddelelser/2020/Sikkerhed_netbutikker_211020
See below translation:
Commission Delegated Regulation (EU) 2018/389 by 27. The commission's proposal for a directive on the use of the euro is to be applied in accordance with the principle of non-compliance with the directive on the use of the euro and its own.
The plans mean that during October 2020 2020 should start using the new IT solutions to be sure to avoid rejected card payments. The rules take effect 1. January 2021, but already the online stores should get ready for the new rules.
European regulators have set a common implementation period with one deadline for enforcing the new strong customer authentication rules for e-commerce card payments on 1. January 2021. The goal of the implementation period is to avoid major disruptions in e-commerce. This means that from 1., all card issuers (typically financial institutions) and card acquirers in the EU From 1 January 2021 shall, as a rule, reject card payments in online stores that are not approved with strong customer authentication. The common European deadline means that there will be a level playing field for all card issuers, card acquirers and online shops across the EU.
In order to ensure a stable payment settlement over the year and to avoid operational disruption to Christmas trading, the FSA will exceptionally accept that strong customer authentication is applied in practice to all payments by 11. January 2021. This means that the Danish FSA expects banks and other card issuers to use 11. at the latest From January 1, 2021 begins to reject card payments that are not properly approved with strong customer authentication. However, the FSA stresses that the requirement of strong customer authentication has been in force since 14. September 2019.
In view of the long time that the sector and retailers have had to put in place, the FSA finds it regrettable that a comprehensive solution cannot be fully ready for 1. January 2021, without this could present significant challenges to the deal for the remainder of 2020. The FSA has therefore found reason to stress the requirements for both the sector and the retail sector, and the supervisory authority expects to follow up on supervisory efforts at the beginning of 2021.
September 2020
As the SCA deadline nears, financial regulators in each EEA country are solidifying plans for their rollout. Below are the latest updates as of September 2020:
European Economic Area (EEA) Country |
Update |
Austria |
According to Mastercard2 Austria is considering the approach by Germany’s Federal Financial Supervisory Authority (BaFin) on a progressive ramp up of SCA |
Belgium |
The Belgian Banking Association’s SCA ramp up plan was formally released to Belgian PSPs in mid-March 2020. National Bank of Belgium (NBB) expects the industry to be fully compliant with SCA by the EBA deadline of December 31, 2020. Belgium’s plan includes the following milestones:
T&E transactions and EEA-UK transactions are excluded from soft decline. The NBB:
Further update expected in November |
Bulgaria |
The Bulgarian National Bank (BNB) has a firm position to observe the December 31, 2020 deadline[1]. They expect that there will be more intensive preparation in Q3 2020 and closer to the deadline. |
Croatia | No update from Croatia as yet |
Cyprus | No update from Cyprus as yet |
Czech Republic | Mastercard[2] expects that the Czech National Bank will be complaint with the 31 December deadline |
Denmark | The Finanstilsynet (Danish Financial Supervisory Authority, FSA) believes that it is important to stick to a common European deadline to ensure a harmonized approach[3]. As of now, they are therefore continuing with the previously announced deadlines. However, they will revisit their deadlines should an agreement at the European level be reached to postpone SCA enforcement. |
Estonia | No update from Estonia as yet |
Finland | No update from Finland as yet |
France | On July 1, 2020, Banque de France issued a press release:
On September 22, 2020, Banque de France published its 2019 Annual Report with a ramp-up plan and updates on SCA readiness. Recognizing the efforts of all stakeholders to migrate to solutions compliant with PSD2 RTS and the Covid-19 impact, Banque de France has announced a progressive enforcement of SCA until the end of June 2021. Flexibility will be offered in terms of:
In parallel, to accelerate the market readiness, Banque de France has also announced a progressive ramp up with soft decline with immediate effect. 1. Cardholder enrollment on 2FA solutions
2. Share of in scope ecommerce volumes authenticated or exempted
3. Progressive ramp-up with soft declines
4. Banque de France recognizes that, despite Covid-19 slowed-down migration, the industry is making significant progress
|
Germany | According to Mastercard, Germany’s Federal Financial Supervisory Authority (BaFin) is considering[4] a progressive ramp up of up to 2.5 months with soft declines:
|
Greece | Bank of Greece is in favor of the extension of SCA transition and expressed its view at EBA level. However, they acknowledged that discussions at EBA level have reached a deadlock.[5] |
Hungary | Magyar Nemzeti Bank (MNB) favours a harmonized European approach and is expected to comply with the current deadline of December 31, 2020[6]. |
Iceland | No update from Iceland as yet |
Ireland | Central Bank of Ireland will strictly enforce the EBA deadline from 1 January 2021 |
Italy | Bank of Italy is in favour of a sensible approach to SCA transition and is interested in the solutions other major Member States are adopting (e.g., progressive ramp-up with soft declines).[7] |
Latvia | No update from Latvia as yet |
Lithuania | No update from Lithuania as yet |
Luxembourg | No update from Luxembourg as yet |
Malta | No update from Malta as yet |
Netherlands | The Netherlands adopted a collective migration plan providing the following milestones:
On September 15, 2020, the Dutch Payments Association (BVN) published a press release stating that:
See more information from the Dutch Payments Association here |
Poland | According to the Polish Banks Association (PBA)[8], banks would be ready by the end of the year. |
Portugal | Banco de Portugal currently requires strict compliance with SCA by the EBA deadline of December 31, 2020. However, they are monitoring the system closely and do not rule out a reassessment of the decision if necessary. September is a key month as the status of the national migration plan will be assessed. |
Romania | Banca Natională a României (BNR) based on their monitoring and migration plans, does not see a further delay as beneficial for Romanian industry[9]. |
Slovakia | No update from Slovakia as yet |
Slovenia | Central Bank of Slovenia favors a harmonized European approach. They will therefore reach out to the EBA and the NCAs to try and achieve alignment. They welcome any data and insights from industry. The Slovenian Banking Association sent a letter to the Central Bank, lobbying for additional 3 months of ramp-up. |
Spain | Banco de España expects all actors to accelerate SCA migration in September-October, so they are relatively optimistic about meeting the deadline for the implementation of SCA.[10] During its meeting with industry at the beginning of July, Banco de España:
|
Sweden | No update from Sweden as yet. |
August 2020
As the SCA deadline nears, financial regulators in each EEA country are solidifying plans for their rollout. Below are the latest updates as of August 2020:
European Economic Area (EEA) Country |
Update |
Austria |
According to Mastercard[1] Austria is considering the approach by Germany’s Federal Financial Supervisory Authority (BaFin) on a progressive ramp up of SCA
|
Belgium |
The Belgian Banking Association’s SCA ramp up plan was formally released to Belgian PSPs in mid-March 2020.
|
Bulgaria |
No update from Bulgaria as yet |
Croatia |
No update from Croatia as yet |
Cyprus |
No update from Cyprus as yet |
Czech Republic |
No update from Czech Republic as yet |
Denmark |
Working towards 31 December 2020 deadline |
Estonia |
No update from Estonia as yet |
Finland |
No update from Finland as yet |
France |
|
Germany |
According to Mastercard, Germany’s Federal Financial Supervisory Authority (BaFin) is considering[2] a progressive ramp up of up to 2.5 months with soft declines:
|
Greece |
No update from Greece as yet |
Hungary |
No update from Hungary as yet |
Ireland |
Central Bank of Ireland will strictly enforce the EBA deadline from 1 January 2020 |
Italy |
No update from Italy as yet |
Latvia |
No update from Latvia as yet |
Lithuania |
No update from Lithuania as yet |
Luxembourg |
No update from Luxembourg as yet |
Malta |
No update from Malta as yet |
Netherlands |
The Netherlands also plans to align with the Belgian roadmap from September in recognition of the cross-border nature of ecommerce.
See more information from the Dutch Payments Association here |
Poland |
No update from Poland as yet |
Portugal |
No update from Portugal as yet |
Romania |
No update from Romania as yet |
Slovakia |
No update from Slovakia as yet |
Slovenia |
No update from Slovenia as yet |
Spain |
Bank of Spain is preparing for the 31 December 2020 deadline but has acknowledged that the market is not yet ready[3] |
Sweden |
No update from Sweden as yet |
Though now outside of EEA, the UK intends to follow SCA regulation:
United Kingdom |
The UK’s Financial Conduct Authority (FCA) extended their deadline to 14 September 2021; see more on the FCA website |
[1] Mastercard Academy, Christoph Baert (Senior Managing Counsel, Regulatory Affairs Europe), 12 August 2020
[2] Mastercard Academy, Christoph Baert (Senior Managing Counsel, Regulatory Affairs Europe), 12 August 2020
[3] Mastercard Academy, Christoph Baert (Senior Managing Counsel, Regulatory Affairs Europe), 12 August 2020
June 2020
- Following written submissions to the European Commission, the Commission affirmed that the SCA deadline of December 2020 remains and will not be extended
- All merchants should therefore be prepared for a full introduction of SCA on 1 January 2021
- Executive Vice President of the Commission, Valdis Dombrovskis, responded to the extension request by acknowledging the challenges faced by businesses in adapting IT during this pandemic but said that SCA ‘has been known to the market since November 2017’ and therefore ample time has been provided to prepare
- Crucially, Mr Dombrovskis stated: “the EBA has currently no intention to extend their validity… the Commission would not support any further delay in the full application of Strong Customer Authentication”
- The Financial Conduct Authority (FCA) deadline of September 2021 remains unaffected by this ruling, and this will be applicable for domestic transactions in the UK only; cross border transactions will adhere to EBA guidelines
- J.P. Morgan will continue to support merchants to be SCA-ready by December 2020. It is important to engage with us on this implementation to ensure compliance and prevent declines after this deadline
- We remain in close contact with regulators and card schemes and will continue to update you as we receive further information
May 2020
- Following questions at a European Commission Roundtable on Wednesday 27 May, the Commission affirmed that the SCA deadline of December 2020 remains and they are not in favour of an extension
- The EC deems SCA to be an important pillar of PDS2 and an essential rule within it, highlighting the increase in online payments during this pandemic and the increased need for combatting fraud as a result
- In answering a question at the session, the European Commission attendees stated that there is no appetite in the EBA or EC for proceed with a further postponement
- The EC also added that an extension of 15 months had already been granted, providing “more time to equip (merchants) and raise awareness and become SCA compatible”
- While not a formal statement, this is a very good indication of a ruling at the next EBA meeting in June and merchants should therefore continue to prepare for the December deadline
- The Financial Conduct Authority (FCA) deadline of September 2021 remains unaffected by this ruling, and this will be applicable for domestic transactions in the UK only; cross border transactions will adhere to EBA guidelines
- J.P. Morgan will continue to support merchants to be SCA-ready by December 2020. It is important to engage with us on this implementation to ensure compliance and prevent declines after this deadline
- We remain in close contact with regulators and card schemes and will continue to update you as we receive further information
September 2019
[Updated 12 September 2019]
- Regulators across key EU markets have announced extensions to the implementation date for Strong Customer Authentication (SCA). (See below for country-by-country overview of announcements)
- As a result, no enforcement action will be taken in these jurisdictions against firms that fail to meet SCA requirements by 14 September 2019. In the UK, the regulator has announced an 18 month extension, while in France the extension ranges from 15 months to June 2022 for complex cases. Other regulators have announced their intention to work with the EBA to agree a harmonised approach across the EU
- The recent regulatory announcements are in response to the EBA opinion of 21 June 2019, which stated that national regulators could provide additional time to issuers and acquirers for the implementation of SCA.
- The EBA is seeking detailed implementation and communication plans from issuers and acquirers on their readiness for SCA across Europe
Country-by-country announcements by national regulators:
Country |
Announcement |
AUSTRIA |
On 19 August, the Austrian regulator announced that they would extend the deadline for implementing SCA until a joint new European deadline for implementation is agreed, most likely towards the end of September 2019. |
BELGIUM |
On 27 August, the Belgian regulator acknowledged the challenges for all e-commerce stakeholders in meeting the SCA deadline. They highlighted the need for all stakeholders to agree a plan to migrate to SCA as soon as reasonably possible after 14 September. Once this plan has been agreed, they will publish it on their website. |
CYPRUS |
On 2 September, the Cypriot regulator announced a limited, but undefined migration period for the implementation of SCA. Stakeholders will be informed in due course, following which issuers and acquirers will be expected to submit a detailed migration plan to the CBC. |
DENMARK |
On 4 September, the Danish regulator announced an 18-month extension to the SCA deadline. They expect all participants to be compliant by 14 March 2021 and to ensure they are on track to meet key milestones they will now agree with the market participants. |
FINLAND |
The Finish regulator announced on 5 September that they will not impose any sanctions on regulated entities who do not introduce SCA on 14 September. This will be a temporary measure and the timeframe will be decided in consultation with the EBA and other Member State regulators. |
FRANCE |
Banque de France has confirmed an extension to the transition period; for most online card payments, issuers will be given an additional 15 months beyond the September deadline, with a final deadline of June 2022 for more complex cases. (see p 11 of their report for the migration plan). |
GERMANY |
On 21 August, the German regulator announced a temporary delay to the implementation of SCA rules to give businesses more time to prepare. The duration of the delay will be defined following consultation with the EBA, other EU regulators and market participants. |
GREECE |
On 27 August, the Bank of Greece announced a phased period of implementation for SCA. Further details on time-frame for implementation will be announced in Q4 2019. |
HUNGARY |
The Hungarian regulator announced a 12-month extension to the deadline for e-commerce card transactions. Payment service providers availing of the extension will be required to submit migrations plans to the regulator. |
IRELAND |
On 8 August, the Central Bank of Ireland announced a limited migration period in relation to the application of SCA under PSD2. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU with further announcements to follow. |
ITALY |
On 1 August, the Italian regulator acknowledged the EBA opinion, announcing that they will grant a limited extension to the deadline for implementation of SCA. The timeframe for this extension is yet to be agreed. |
LUXEMBOURG |
On 30 August, the regulator in Luxembourg announced an extension to the deadline for implementation of SCA for e-commerce card transactions. Impacted stakeholders are required to inform the CSSF and submit a detailed migration plan. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU. |
MALTA |
On 14 August the Maltese regulator announced that it will not enforce SCA on September 14, providing there is evidence e-commerce institutions have taken steps to comply with agreed migration plans. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU. |
THE NETHERLANDSs |
On 8 August, the Dutch regulator announced that it will grant limited additional time for merchants and payment service providers to prepare for the introduction of SCA. They will work with the EBA and other banking authorities to agree a harmonised approach across the EU. |
NORWAY |
On 20 August the Norwegian regulator announced that they will grant an extension to parties who notify them by email to post@finanstilsynet.no. The email should contain the subject "extended deadline SKA-ITBET". |
POLAND |
On 19 August, the Polish regulator announced that no action will be taken against payment service providers who do not enforce SCA rules by the 14 September, providing they have submitted an appropriate ‘migration plan’. They will work with the EBA to define the timeline for introduction of SCA. |
ROMANIA |
As noted by the EBA on their website, Romania has not transposed the second Payment Services Directive into national law, so we anticipate BAU in Romania. |
SLOVENIA |
Following this notice of 11 July 2019, no further announcement is expected. |
SPAIN |
On 11 September, the Spanish regulator announced that they will grant an extended migration period, providing stakeholders have agreed migration plans with their national regulators. They have not announced a timeline for the extension. |
SWEDEN |
On 4 September, the Swedish regulator announced that they will not grant any transition period; the rules will start to apply on 14 September. They note that any payment service providers who require additional time to implement SCA for e-commerce card transactions should submit a detailed migration plan to them. This should be in line with the timetable they anticipate the EBA will provide later this year. |
UNITED KINGDOM |
On 13 August, the UK’s FCA announced that they will give the payments and e-commerce industry an additional 18-month plan to implement SCA. |
August 2019
[Updated 28 August 2019 with latest announcements by national regulators]
- Regulators across key EU markets have announced extensions to the implementation date for Strong Customer Authentication (SCA). (See below for country-by-country overview of announcements)
- As a result, no enforcement action will be taken in these jurisdictions against firms that fail to meet SCA requirements by 14 September 2019. In the UK, the regulator has announced an 18 month extension, while in France the extension ranges from 15 months to June 2022 for complex cases. Other regulators have announced their intention to work with the EBA to agree a harmonised approach across the EU.
- These regulatory announcements are in response to the EBA opinion of 21 June 2019, which stated that national regulators could provide additional time to issuers and acquirers for the implementation of SCA.
- The EBA is seeking detailed implementation and communication plans from issuers and acquirers on their readiness for SCA across Europe.
Country-by-country announcements by national regulators:
Country |
Announcement |
AUSTRIA |
On 19 August, the Austrian regulator announced that they would extend the deadline for implementing SCA until a joint new European deadline for implementation is agreed, most likely towards the end of September 2019. |
---|---|
FRANCE |
Banque de France has confirmed an extension to the transition period; for most online card payments, issuers will be given an additional 15 months beyond the September deadline, with a final deadline of June 2022 for more complex cases. (see p 11 of their report for the migration plan). |
GERMANY |
On 21 August, the German regulator announced a temporary delay to the implementation of SCA rules to give businesses more time to prepare. The duration of the delay will be defined following consultation with the EBA, other EU regulators and market participants. |
GREECE |
On 27 August, the Bank of Greece announced a phased period of implementation for SCA. Further details on time-frame for implementation will be announced in Q4 2019. |
IRELAND |
On 8 August, the Central Bank of Ireland announced a limited migration period in relation to the application of SCA under PSD2. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU with further announcements to follow. |
ITALY |
On 1 August, the Italian regulator acknowledged the EBA opinion, announcing that they will grant a limited extension to the deadline for implementation of SCA. The timeframe for this extension is yet to be agreed. |
MALTA |
On 14 August the Maltese regulator announced that it will not enforce SCA on September 14, providing there is evidence e-commerce institutions have taken steps to comply with agreed migration plans. They will work with the EBA and other banking authorities to agree a harmonised approach to migration across the EU. |
THE NETHERLANDS |
On 8 August, the Dutch regulator announced that it will grant limited additional time for merchants and payment service providers to prepare for the introduction of SCA. They will work with the EBA and other banking authorities to agree a harmonised approach across the EU. |
POLAND |
On 19 August, the Polish regulator announced that no action will be taken against payment service providers who do not enforce SCA rules by the 14 September, providing they have submitted an appropriate ‘migration plan’. They will work with the EBA to define the timeline for introduction of SCA |
UNITED KINGDOM |
On 13 August, the UK’s FCA announced that they will give the payments and e-commerce industry an additional 18-month plan to implement SCA. |
June 2019
EBA publishes an Opinion on the elements of strong customer authentication under PSD21
The European Banking Authority (EBA) published today an Opinion on the elements of strong customer authentication (SCA) under the revised Payment Services Directive (PSD2). The Opinion is a response to continued queries from market actors as to which authentication approaches the EBA considers to be compliant with SCA. The Opinion also addresses concerns about the preparedness and compliance of some actors in the payments chain with the SCA requirements that apply as of 14 September 2019.
Today's Opinion provides a non-exhaustive list of the authentication approaches currently observed in the market and states whether or not they are considered to be SCA compliant. The Opinion does so separately for each of the three SCA elements of knowledge, possession and inherence, and also provides clarifications regarding combinations of these elements.
The Opinion also responds to the concerns about market preparedness, by clarifying that the EBA is legally not able to postpone an application date that is set out in EU law. The Opinion also explains that sufficient time has been available for the industry to prepare for the application date of SCA, given that the definition of SCA had been set out in PSD2 when it was published in 2015, which gave clear indications that existing authentication approaches would need to be phased out, and because PSD2 already granted an additional 18-month period for the industry to implement SCA.
However, the Opinion acknowledges the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by actors that are not payment service providers (PSPs) and, therefore, not directly subject to PSD2 and the EBA's technical standards, such as e-merchants, which may lead to some actors in the payments chain not being ready by 14 September 2019.
The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time. This is to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.
This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their NCA, and will execute the plan in an expedited manner.
In order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.
Background
The revised Payment Services Directive was published in November 2015, entered into force on 13 January 2016 and applies since 13 January 2018. The Directive brings fundamental changes to the payments market in the EU, in particular by requiring SCA to be applied by payment services providers (PSPs) when carrying out remote electronic transactions.
SCA is defined in the Directive as an "authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data." The Directive also provides that SCA is to be applied to all electronic payments, unless one of the exemptions applies.
The EBA had been mandated to support the Directive by developing regulatory technical standards (RTS) setting out the details on strong customer authentication and common and secure communication (RTS on SCA and CSC), including its exemptions, and to regulate the access to customer payment account data held in account servicing payment service providers.
The RTS were developed in 2015/16, consulted on during 2016/17, adopted as Commission Delegated Regulation (EU) 2018/389 on 27 November 2017, published in the Official Journal on 13 March 2018, and will legally apply from 14 September 2019. The RTS deliberately refrains from referring to any particular authentication approaches in the industry, in order to ensure that the RTS remains technology neutral and future-proof.
Legal basis
The EBA issued the Opinion in accordance with Article 29(1)(a) of its Founding Regulation, which mandates the Authority to play an active role in building a common Union supervisory culture and consistent supervisory practices, as well as in ensuring uniform procedures and consistent approaches throughout the Union.
1 Article reproduced from https://eba.europa.eu/eba-publishes-an-opinion-on-the-elements-of-strong-customer-authentication-under-psd2 21 June 2019
You're now leaving J.P. Morgan
J.P. Morgan’s website and/or mobile terms, privacy and security policies don’t apply to the site or app you're about to visit. Please review its terms, privacy and security policies to see how they apply to you. J.P. Morgan isn’t responsible for (and doesn’t provide) any products, services or content at this third-party site or app, except for products and services that explicitly carry the J.P. Morgan name.