EU: Next Steps on Strong Customer Authentication

The European Commission at long last adopted the RTS on Strong Customer Authentication (SCA) under PSD2 on 27 November following some political struggle. As expected the Commission has added a further exemption from SCA which will benefit corporates. This concerns electronic payment transactions performed through dedicated payment processes or protocols. These are typically used by corporates where security is achieved other than by authenticating an individual.

Again, to assuage the concerns of payment initiation and account information firms, the Commission will allow the use of customer user-facing interfaces as a fall-back mechanism for dedicated interfaces offered by ASPS PS, where these are either unavailable or perform inadequately (but screen scraping per se will not be permitted). National regulators, however, will be able to exempt ASPS PS from the fall-back mechanism if certain conditions are met around the operation of dedicated interfaces.

The next step is for the Council of the EU and the European Parliament to consider the text. As the Commission has amended the EBA’s draft, the Council and Parliament have three months to object. If neither of them does so the RTS will be published in the EU’s Official Journal (JO). It will take effect 18 months later – the Commission suggests this is likely to be September 2019. Article 30(3) and (5), however, will apply 12 months after publication in the JO. These provisions require account servicing payment service providers (ASPS PS) to ensure that their interfaces comply with industry communication standards and to make available a testing facility for payment firms. According to the RTS, all communication interfaces will be subject to a 3-month prototype test and a 3-month “live” test in market conditions. This will allow firms to assess the quality of the interfaces.

Although PSD2 applies from 13 January 2018, to the extent that the security measures in Articles 65, 67 and 97 of PSD2 are dependent on the RTS their application will be postponed until the RTS takes effect.

Richard Powell is a professional support lawyer within Baker McKenzie's global financial services group where he is responsible for supporting the group's legal and technical knowledge.