On October 16, 2019, the European Banking Authority ("EBA") published an opinion ("the Opinion") on the deadline and process for completing the migration to strong customer authentication ("SCA") for e-commerce card-based payment transactions under the revised Payment Services Directive ("PSD2"). 

  • In a previous opinion on the elements of SCA under PSD2, published in June 2019, the EBA accepted that, "on an exceptional basis", National Competent Authorities ("NCAs", which are the national regulators of each EU country) may grant, under certain conditions, "limited additional time" for the migration to SCA after September 14, 2019, which was the deadline to implement SCA. According to a survey conducted by the EBA, the vast majority of stakeholders in the payments sector across the EU prefer a "single common deadline". In the new Opinion of October 16, 2019, the EBA sets December 31, 2020 as the "common deadline" for the complete migration to SCA for e-commerce card-based payment transactions; nevertheless, the legal obligations remain applicable as of September 14, 2019.
  • The EBA recommends that the NCAs communicate to payment service providers ("PSPs") that the "supervisory flexibility" does not mean "a delay in the application date of the SCA requirements in PSD2 and the EBA's Technical Standards". The EBA also recommends that during this transition period, the NCAs "focus on monitoring migration plans instead of pursuing immediate enforcement actions against non-compliant PSPs", although issuing and acquiring PSPs are still liable for loss caused by unauthorized payment transactions under Article 74 of PSD2.
  • The Opinion further provides timetables with the actions to be taken by issuing and acquiring PSPs during the migration period. The timetables through December 31, 2020, also contain interim milestones applicable to PSPs in order to ensure a consistent and synchronized migration to SCA compliance. As a reminder, the deadline of December 31, 2019 applies to PSPs' obligation to make available for the relevant NCAs their authentication approaches (distinguishing the SCA-compliant from non-compliant ones) as well as to inform the relevant NCAs about their plans containing "clear migration targets".

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2019. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.