Payment service providers must adopt strong customer authentication for e-commerce card-based payment transactions by 31 December 2020
The European Banking Authority (EBA) has determined that banks/payment service providers (PSPs) must adopt strong customer authentication for e-commerce card-based payment transactions by 31 December 2020.
The date was announced yesterday by the EBA in its Opinion of the European Banking Authority on the deadline for the migration to SCA for e-commerce card-based payment transactions (EBA-Op-2019-11).
In this Opinion, the EBA also sets out a series of actions that banks/PSPs must carry out so that they can benefit from this period of flexibility.
The EBA clarifies that, although the strong customer authentication requirements apply as of 14 September 2019, national competent authorities (NCAs) – in the case of Portugal, Banco de Portugal – may make use of this supervisory flexibility regarding e-commerce card-based payment transactions up to the end of 2020. The EBA considers that NCAs may focus on the interaction with the market and the monitoring of the migration plans of banks/PSPs, instead of pursuing immediate enforcement actions against banks/PSPs that are not compliant with the requirements laid down in the Payment Services Directive (PSD2) and the Commission Delegated Regulation (EU) 2018/389 of 27 November 2017.
The EBA recommends that NCAs adopt 31 December 2020 as a consistent deadline throughout the European Union and require banks/PSPs to carry out the actions detailed in its Opinion.
The EBA also notes that, in any case, consumers will be protected against fraud, given that in those cases where strong customer authentication is not applied, the bank/PSP is still liable for unauthorised payment transactions.
Acknowledging that Portuguese banks/PSPs, merchants and consumers need additional time to fully apply the strong customer authentication requirements in e-commerce card-based payment transactions and that a consistent approach should be taken throughout the European Union, Banco de Portugal will make use of the flexibility granted in the EBA’s Opinion. As such, the deadline for banks/PSPs to fully apply the strong customer authentication requirements in e-commerce card-based payment transactions is 31 December 2020. For that purpose, Banco de Portugal will require information from banks/PSPs on their migration plans, and will monitor the execution of these plans.
On strong customer authentication
Strong customer authentication requirements apply as of 14 September 2019 in the European Union.
As of that date, banks and other PSPs must apply strong customer authentication to their customers each time they access their payment account online, initiate an electronic payment transaction or carry out any action which may imply a risk of payment fraud or other abuse.
In these cases, banks/PSPs demand, as a rule, that two authentication elements be used: for instance, in addition to the typical password, a code is sent by text message (SMS) to the user’s mobile/smartphone.
Acknowledging that, in the case of e-commerce card-based payment transactions, a number of users could be negatively affected by the application of strong customer authentication requirements, the EBA has accepted that, on an exceptional basis, NCAs may decide to work with the market in the adoption of new rules for an additional period of time.
This possibility was provided for by the EBA in its Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06), published in June 2019, which was supplemented by the Opinion released yesterday.