Pursuant to PSD2, as implemented by the Danish Payments Act, issuers and acquirers need to ensure that the card issuer performs a Strong Customer Authentication (SCA) of the cardholder when it is initiating a payment, including when it is initiating an e-commerce transaction with its card – unless one of the exemptions contained in the RTS is applicable. The deadline for compliance is 14 September 2019.
On 21 June 2019, the European Banking Authority (EBA) published an Opinion on SCA. Although the EBA reiterated in its Opinion that all Payment Service Providers (PSPs) should comply with the SCA requirements by 14 September 2019, it acknowledged how complex the required changes are in order to comply with the SCA requirements and accepted that, "on an exceptional basis and in order to avoid negative unintended consequences for some payment service users after 14 September 2019", National Competent Authorities (NCAs) may provide "limited additional time" to PSPs in order to migrate to authentication approaches that are compliant with the SCA requirements.
Since the EBA Opinion, a number of EU Member States announced that they were going to grant a "regulatory holiday" to issuers and acquirers for e-commerce transactions, for a certain amount of time. See example our previous client alerts in relation to the Germany, Poland, Italy, and the United Kingdom.
Today the Danish FSA announced (see Danish article) that, based on the Danish FSA's dialogue with relevant stakeholders in Denmark, it find it not possible to implement the SCA requirements on 14 September 2019 without material consequences for Danish e-commerce. The reason being primarily that a large number of merchants and payment gateways, providing technical solutions to online merchants, have not implemented SCA compliant solutions. On that basis, the Danish FSA allows card issuers and acquirers an additional 18 months to become SCA compliant, i.e. until 14 March 2021.
The Danish Financial Supervisory Authority (FSA) will, as soon as possible, invite the relevant stakeholders to a meeting where the implementation plan will be finalised, which will include agreeing on milestones in order to ensure compliance by 14 March 2021. The Danish FSA will, as part as its supervision, follow up on the parties' cooperation and compliance with the milestones.
The Danish FSA emphasises that the implementation plan does not change the fact that the SCA requirements formally become applicable on 14 September 2019, including the liability regime set out in PSD2 (which is something that the Polish FSA, for example, had also highlighted in their announcement).
It is worth noting that, in parallel to the various NCAs announcing "regulatory holidays" for their national PSPs (in particular for issuers and acquirers in relation to e-commerce transactions), the EBA is expected to issue another Opinion in the not-too-distance future that is meant to harmonise the adjustment periods that the various NCAs are granting to their national PSPs. For example, France has so far announced a migration plan until June 2022 ( i.e. longer than the 18 months in the UK and Denmark). Query what will happen to those NCA announcements if the EBA's Opinion will recommend a shorter adjustment period: will the various NCAs reduce the duration of the adjustment periods, or will they leave them unchanged? To be continued…
Should you have any questions concerning the above, please do not hesitate to contact one of the members of the Bird & Bird global payments team.
If you would like to receive our payments alerts directly in your inbox, please click here.