Brexit – will Strong Customer Authentication be left stranded?

Brexit plans run the risk that PSD2 will be implemented in UK law without the RTS on Strong Customer Authentication.

PSD2 takes effect under UK law on 13 January 2018, well before the UK formally leaves the European Union in March 2019. However, the RTS on Strong Customer Authentication will only apply 18 months after its adoption and publication in the Official Journal which is currently expected to take place this autumn. This 18-month period is now likely to end after the UK has left the EU in March 2019, under the current timetable.

The European Union (Withdrawal) Bill will convert European Union laws into UK law to carry across existing EU laws and regulations. However, the Bill provides that only laws and regulations that have both entered into force and apply before Exit Day will be converted into UK domestic law. If so, this would mean that the RTS on Strong Customer Authentication would not be converted into UK domestic law as under the current timetable the RTS would not apply by Exit Day.

The Government will need to address this issue as the Bill progresses through Parliament. However, this illustrates the legal complexities that will arise as we approach Exit Day.

Richard Powell is a professional support lawyer within Baker McKenzie's global financial services group where he is responsible for supporting the group's legal and technical knowledge.