Written by Aris Bogias – Legal Officer

As part of the second EU Payment Services Directive, new rules apply from September 2019 that affect the way banks or other payment services providers check that the person requesting access to their account or trying to make a payment is the person permitted to do so, and the way they validate specific payment instructions.

The new rules ensure that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments and to reduce fraud. The Strong Customer Authentication (SCA) requirement came into force on 14 September 2019. However, with the approval of the European Banking Authority, several EU/EEA countries have announced that their implementation will be temporarily delayed or phased, given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers.

The Central Bank of Malta has announced that, for regulated institutions, the application of the provisions of the Commission Delegated Regulation (EU) 2018/389 (RTS on SCA and CSC) has been delayed in respect of e-commerce transactions made with payment cards only. As per the Bank, the delay will run until 31 December 2020 and the provisions will then come into force.

Strong Customer Authentication (SCA) is defined in the Directive as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”

In the exceptional circumstances of the Covid-19 pandemic crisis, the Financial Conduct Authority (FCA) has given the industry an additional 6 months to implement strong customer authentication (SCA) for e-commerce. The initial deadline for implementation was 14 March 2021, while the new due date has been set for 14 September 2021.

The FCA advised firms to continue with the necessary preparatory activities, such as robust end-to-end testing, making clear that after 14 September 2021 any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action. According to the FCA, firms should also continue to maintain low fraud rates and use their current systems and controls to get as close to compliance as possible.

The FCA also made clear that it will be very unlikely to take enforcement action if a firm does not apply strong customer authentication when the cumulative amount of transaction values has exceeded EUR 150 or five contactless transactions in a row. According to an FCA announcement, however, this facilitation applies only as long as the firm sufficiently mitigates the risk of unauthorised transactions and fraud, by having the necessary fraud monitoring tools and systems in place and taking swift action where appropriate.