
Payment Services Regulations Briefing

13/02/2020

At a glance

This briefing is the latest in our coverage of the Payment Services Regulations, the regulations by which the UK has implemented the EU’s revised Payment Services Directive 2015/2366, commonly known as “PSD2”.

We have previously published a briefing on the Payment Services Regulations 2017 and an update on the requirement for ‘strong customer authentication’ (‘SCA’), the aspect of PSD2 most relevant to traders, which was due to come into effect on 14th September 2019.

‘Strong customer authentication’ is the umbrella term for a set of PSD2 requirements intended to improve the security of electronic payments for traders and customers. It requires a trader to supply the payment services provider (‘PSP’) with two independent authentication factors provided by the customer, which are used to generate an authentication code in order for the customer’s payment to be approved. SCA applies to ‘customer-initiated’ electronic payments, so most card payments and all bank transfers require SCA, and it therefore affects parties other than PSPs, such as online retailers.

A number of groups complained to the European Banking Authority (“EBA”) that they were not properly prepared for SCA taking effect on 14th September 2019, and since that date the EBA and several national authorities across the EU have announced delays in the implementation date.

Whilst the EBA first announced that it could not legally delay the 14th September 2019 implementation date, in October 2019 it announced that PSPs have until 31st December 2020 to implement SCA for e-commerce transactions.

The UK’s competent authority, the Financial Conduct Authority (FCA), announced on 13th August 2019 that it had agreed an 18-month plan to implement SCA with the UK e-commerce industry of card issuers, payments firms and online retailers, and that on this basis it would not take enforcement action against PSPs prior to 14th March 2021.

The position in other EU countries varies.

  • The Irish Central Bank has confirmed that it will engage with industry to monitor delivery against agreed milestones and the EBA’s 31st December 2020 deadline.
  • The German regulator BaFin announced on 21st August 2019 that, as a temporary measure, PSPs domiciled in Germany will still be allowed to execute credit card payments online without SCA after 14th September 2019, but it has not yet published a timescale for the implementation of SCA.
  • The French regulator Banque de France has announced that in principle SCA compliance is to be achieved by 31st December 2020, but that an extra 3-month grace period will be available on a case-by-case basis.
  • The Bank of Italy has indicated that 31st December 2020 will be the final deadline for PSPs to implement SCA in relation to online card payment transactions.

On 25th October 2019, the FCA also announced that in the event of a ‘No-deal Brexit’ the UK’s SCA regulatory technical standards (‘UK-RTS’) will be substantially the same as the EU’s SCA regulatory technical standards (‘SCA-RTS’), and PSPs should treat any FCA correspondence regarding an SCA-RTS adjustment period as applying equally to the UK-RTS. Whilst the UK left the EU on 31st January 2020, the UK will continue to be subject to EU rules and will remain a member of the single market and customs union until 31st December 2020.

We continue to advise that, whilst the implementation date for SCA has been delayed, traders should take steps to prepare for implementation including:

  • Understand what authentication factors their PSPs will support.
  • Understand what exemptions their PSPs will support.
  • Consider alternative solutions on the market if their own PSP’s SCA support seems limited.
  • Design, or redesign, online processes, such as registration and check-out flows, to include the relevant data fields to achieve SCA (e.g. through 3-D Secure 2.0), or to achieve an exemption, as appropriate (e.g. collecting mobile phone numbers to which codes can be sent).
  • Notify customers of their SCA readiness.
  • Test new payment processes to monitor and reduce the rate of ‘abandoned shopping carts’.
  • Review and revise Privacy Policies and similar GDPR materials as appropriate to address the processing of personal data for SCA and other PSD2-related purposes.

Contact the authors

Jonathan Riley