Germany’s Federal Financial Supervisory Authority (BaFin) and other national competent authorities (NCAs) across Europe are looking to offer windows of flexibility to a payments industry struggling to meet the looming September deadline for strong customer authentication (SCA) under the second Payments Services Directive (PSD2).
According to a document seen by bobsguide, BaFin believes many companies in Germany have not sufficiently prepared for the new requirements of SCA.
Written by Raimund Röseler, chief executive director of banking supervision at BaFin, the note states: “It is feared that on September 14 these companies will not be able to use credit card payments. The European Banking Authority (EBA) has granted national supervisory authorities some flexibility … BaFin is prepared to use this to avoid detrimental experience for the payer.”
A BaFin spokesperson declined to comment further.
The EBA published an opinion paper in June, a response to what the regulator called “continued queries from market actors as to which authentication approaches the EBA considers to be compliant under SCA” and “concerns about the preparedness and compliance of some in the payments chain”.
The opinion paper offers discretionary extensions to the September 14 deadline for SCA. It admits that on an exceptional basis and to avoid unintended negative consequences for payment service users after September 14, NCAs can work with payment service providers (PSPs) to provide additional time for compliance.
Across the European Union and the European Economic Area (EEA), regulators have been consulting with market participants.
“The European market is insufficiently prepared for implementation of the new requirements,” said a spokesperson for Dutch regulator DNB Netherlands. “The European Commission and the European Banking Authority have therefore decided to allow a limited extension of the implementation period. We will soon explain in more detail how this European decision-making process will affect the Dutch market.
“It should be noted that the Netherlands is already well-prepared, having introduced strong customer authentication in 2005.”
The SCA platform DNB refers to is an ecommerce payment system called iDeal in 2005, based on online banking. It allows customers to buy items over the internet. iDeal holds a 57% share in the Dutch payments market and processed €33bn in payments in 2017.
French regulator Banque de France released an annual report from its Observatory for the Security of Payment Instruments at the start of July. It states that the Observatory has created a multi-step migration plan with the aim to have a clear majority of services SCA compliant by December 2020, with full migration expected to be complete by 2022.
A spokesperson for the Central Bank of Ireland said that the regulator would continue to engage with industry representatives and financial services firms on the matter. “The Central Bank’s priority is to ensure the highest security standards are in place to protect consumers while also ensuring that there is no interruption in online payments systems,” the spokesperson wrote, in an email. “We note the EBA’s commitment to ensuring customers will still be able to continue making online payments.”
The Bank of Greece is another regulator prepared to move in line with the EBA’s flexibility window. “Bank of Greece, in this matter, will be in line with EBA’s Opinion,” said a spokesperson. “The level of flexibility, for achieving consistency across the EU due to the cross-border nature of these transactions, will be the result of a centrally managed EBA fact-finding exercise with the relevant stakeholders.”
The Polish Financial Supervisory Authority and the Bank of Italy, when contacted, indicated that final positions on the EBA’s opinion paper would be announced shortly. A spokesperson for the Finansinspektionen, the Swedish payments regulator, stated that it had not made any statements about SCA flexibility, and that any further information would be published on its website.
Iceland, as a state in the European Free Trade Association (EFTA), only accepts legislation through a specific parliamentary process. “We are very much aware [of the EBA’s opinion paper] because we monitor what the EBA is doing,” says Hjálmar Brynjólfsson, chief legal counsel at the Icelandic Financial Supervisory Authority.
“Because of our uniqueness we don’t actually have a clear application date of PSD2 here in Iceland. We don’t have to comply with the September deadline. We don’t have a clear application date because after the joint decision the Icelandic parliament must fulfil constitutional requirements. This will be done in the Fall and then some months after that we will have a final application date.
“We foresee that we would probably not have an extra year as an extension to the application date in Iceland whenever it comes into force. We will probably smooth things out so that our timeline is as aligned with Europe as possible. Iceland would most likely try to shorten the period so that we would harmonise with EU countries. In doing so, we will continue monitoring any extensions given by other NCAs.”
The UK’s Financial Conduct Authority replied to the EBA opinion paper in June, stating that it would quickly agree a plan with stakeholders across the industry and a timetable with milestones and targets to achieve compliance. It also stated that it would not take enforcement actions against firms covered by the migration plan if they miss the September deadline.
However, during a session of parliamentary questions, UK MP Chuka Umunna said that he was staggered by the lack of action from the country’s Conservative government. “The implementation is forecast to lead to the failure of nearly a third of e-commerce transactions … will the Minister [Kelly Tolhurst, undersecretary of state for business, energy and industrial strategy] ensure that no enforcement action will be taken for at least 18 months, to give our retail sector breathing space to adapt to the new rules?”
Tollhurst referred to the EBA opinion paper, and the FCA’s statement, in her answer. “[Both] are working on mitigations past the September implementation date. They are working with industry and providers to make sure that the essence of the changes prevail.”
An EBA spokesperson stated that the June opinion paper had been made by the EBA’s Board of Supervisors, which comprise the executive directors of the national competent authorities of all 28 EU Member States. “The views expressed by the EBA in the Opinion are those of the 28 national authorities and have been developed with them,” they said, in an email.
“The EBA is currently working [SCA flexibility deadlines] and, in order for us to be in a position to make a well-informed decision and to do so quickly, the EBA and the NCAs will be approaching the industry for input over the next few weeks. Once we have assessed that input, we will communicate the deadlines.”
Chris Kronenthal, chief technology officer of payments platform provider FreedomPay, believes that NCAs applying their own flexibility windows might complicate the matter. “Allowing every country’s competent authority to negotiate individual national deadlines for SCA compliance only adds unnecessary complexity to what was an already challenging situation.
“For SCA to work effectively and for merchants to avoid the anticipated increase in declined transactions, all parties in the payment value chain need to have their systems ready simultaneously.
“There are thousands of companies who need to be certain that their systems inter-operate reliably with others within the eco-system with many of these companies are mutually dependent on the readiness of another in the chain.”
For Kronenthal, the September deadline provided “absolute clarity” as to the effective date by which SCA should be implemented. “It now remains unclear, particularly for international merchants, as to when acquirers, issuers and authenticators will be at a state of readiness in each country across the European Union.”
Nick Caley, vice president of financial services and regulatory at ForgeRock, says that the deadline for SCA is fast approaching. “I do not see enough readiness by any stretch of the imagination. There are banks and firms that are readier than others, but I don’t think that customers are ready by any stretch of the imagination. People outside of the industry seem to be blissfully ignorant to this massive focus.”
Issues around the deadline will be allayed by national regulators and their use of exemptions, says Caley. “What will be interesting is how these exemptions start to come through. I don’t see the EBA providing a whole market licence to extend this, I think it wants to stick by the ‘you have had long enough’ line. If you look at that by any measure you can agree with that statement anyway.
“There is so much at stake here, it really is a significant shift … but banks will go at their own pace. There aren’t that many penalties involved with PSD2, it’s not like GDPR in that you’re fined 4% of global revenues.” Caley adds that SCA compliance may also be a handful for the regulators as well as the market. “If you look at the scope they have in a given country and the number of account providers who have to be compliant, it looks to be a very difficult task.”