Faced with growing concerns from the industry and clearer evidence on the consequences of implementing PSD2's authentication rules, the European Banking Authority (EBA) published an opinion on the elements of strong customer authentication (SCA) under PSD2 on 21 June.
The Communication is two-fold. It provides a non-exhaustive list of the authentication approaches currently observed in the market and states whether or not each is considered SCA-compliant. The EBA also clarifies the authentication elements and the status of the new 3DS 2.0 protocol, which could have been treated as an inherence factor. The EBA considers for the moment that this is not the case, but that this could change as more (inherence) data points are added in the future version of 3DS.
In the opinion, the EBA also responds to the concerns about market preparedness by clarifying that it is legally not able to postpone an application date that is set out in EU law. It does, however, acknowledge the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by actors that are not payment service providers (PSPs), such as e-merchants.
The EBA therefore agrees to grant some supervisory flexibility to national competent authorities (NCAs), which may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time. This supervisory flexibility is available on the condition that PSPs have set up a migration plan, have agreed on the plan with their NCA, and will execute the plan in an expedited manner. The EBA does not set hard deadlines for the migration plans, which could create challenges if the migration plans vary significantly from one NCA to another (which is something we are already witnessing).