European Directive 2015/2366 on payment services in the internal market (the “PSD2”)
PSD2 is the revised version of the EU Directive on Payment Services. Its goal is to modernise payment services for the benefit of consumers and businesses through innovative rules. One of the main objectives of this modernisation is stronger security for electronic payments without negatively affecting the customer experience.
PSD2 has been transposed into Cyprus law through the Payment Services and Access to Payment Systems Law of 2018 (31(I)/2018).
Main components of PSD2:
– Strong security requirements for electronic payments
– Increased competition, by allowing non-bank companies to offer innovative services
– Stronger consumer rights in cases of unauthorised payments
– Broader geographical reach, by including transactions where only one payment service provider is located in the EU, including transactions in non-EU currencies
– Prohibition of fees that exceed the direct cost borne by the payment service provider for the specific payment instrument
– Improvement of complaints procedure
Strong Customer Authentication (the “SCA”)
The SCA is introduced by PSD2 and establishes an authentication process that applies when a payer accesses its payment accounts online, initiates an electronic payment transaction, or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. The SCA validates the identity of the user; its purpose is to fight online fraud and protect the confidentiality of financial data. EU Commission Delegated Regulation 2018/389, supplementing PSD2, sets out the regulatory technical standards (the “RTS”) for the SCA that payment service providers must implement.
Two of the following authentication elements of the SCA should apply for each transaction, and they must be mutually independent, in that the breach of one does not compromise the reliability of the other:
– Knowledge: something only the user knows, such as a password, knowledge-based challenge question, passphrase or memorised swiping path; this does not include (among others) an email address, card details or a one-time password (“OTP”) received on a device.
– Possession: something only the user possesses, such as an OTP received on a device, a card evidenced by a dynamic card security code, or an app whose possession is evidenced by device binding; this does not include (among others) a card evidenced only by its card details or an installed app without registration.
– Inherence: something the user is, such as a fingerprint or other biometric.
The payment service providers may apply the following exceptions to the SCA:
– When payments are made below Euro 30, on the condition that either the total amount of previous payments since the last application of the SCA does not exceed Euro 100, or the number of previous transactions since the last application of the SCA does not exceed five consecutive transactions.
– The payer may create a list of “trusted beneficiaries”. The SCA will be applied upon the creation or amendment of this list and all future transactions with the “trusted beneficiaries” will be exempt, on the condition that the transactions do not infringe the general authentication requirements (fraud related).
– When the payer orders a series of recurring transactions with the same amount and the same payee. The SCA will only apply when the recurring transactions are created, amended or initiated.
– When legal persons initiate a payment through a payment process or protocol that is only available to payers who are not consumers, on the condition that the said protocols provide levels of security equivalent to those required by PSD2.
– If the transaction poses a low level of risk based on the fraud rate for that type of transaction, the exemption threshold value and a real-time risk analysis, as included in the RTS.
If payment service providers apply the above-mentioned exceptions, they are obliged to implement a mechanism to record and monitor the data for each type of transaction and to share those data (upon request) with the European Banking Authority (the “EBA”) and the Central Bank of Cyprus (the “CBC”), as the competent authorities for the implementation of the SCA in Europe and Cyprus respectively.
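The low-value exemption above (below Euro 30, with either a cumulative-amount counter or a consecutive-transaction counter since the last SCA) and the accompanying obligation to record and monitor exemption data can be expressed as a small decision routine. The following is an added illustration written for this article, not code from the RTS or from any payment service provider; it assumes the current transaction counts towards the limits (a conservative reading of “previous” transactions) and that the provider selects one of the two alternative counters, as the “or” in the text allows. Amounts are constructed sample values in euro cents.

```python
from dataclasses import dataclass, field

# Thresholds as stated on the page for the low-value exemption (in euro cents).
SINGLE_LIMIT_CENTS = 30_00       # "below Euro 30"
CUMULATIVE_LIMIT_CENTS = 100_00  # "does not exceed Euro 100"
COUNT_LIMIT = 5                  # "does not exceed five consecutive transactions"


@dataclass
class PayerState:
    """Per-payer counters, reset each time SCA is actually applied."""
    cents_since_sca: int = 0
    count_since_sca: int = 0
    # One record per transaction: the PSP must monitor and report exemption data.
    log: list = field(default_factory=list)


def low_value_exempt(amount_cents, state, mode="amount"):
    """True if the low-value exemption may be applied to this transaction.
    Assumption: the current transaction counts towards the limits (conservative
    reading), and the PSP uses one of the two alternative counters."""
    if amount_cents >= SINGLE_LIMIT_CENTS:
        return False
    if mode == "amount":
        return state.cents_since_sca + amount_cents <= CUMULATIVE_LIMIT_CENTS
    if mode == "count":
        return state.count_since_sca + 1 <= COUNT_LIMIT
    raise ValueError("mode must be 'amount' or 'count'")


def process_payment(amount_cents, state, mode="amount"):
    """Decide whether SCA is required for one payment, update the counters
    and log the outcome. Returns True when SCA must be applied."""
    exempt = low_value_exempt(amount_cents, state, mode)
    if exempt:
        state.cents_since_sca += amount_cents
        state.count_since_sca += 1
    else:
        # SCA is applied, so the exemption window starts again.
        state.cents_since_sca = 0
        state.count_since_sca = 0
    state.log.append({"amount_cents": amount_cents, "sca_applied": not exempt,
                      "exemption": "low_value_remote" if exempt else None})
    return not exempt


def sca_decisions(amounts_cents, mode="amount"):
    """Constructed series of payments by one payer -> SCA decision per payment."""
    state = PayerState()
    return [process_payment(a, state, mode) for a in amounts_cents]
```

With the amount counter, four payments of Euro 25 are exempt and the fifth (cumulative Euro 125) requires SCA; with the count counter, the sixth consecutive payment of Euro 10 requires SCA.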
The SCA does not apply in the following circumstances:
– When payments are initiated through phone or email.
– When payments are initiated by the payee and not the payer (“Merchant Initiated Transactions”). These transactions are based on (a) a mandate by the payer authorising the payee to initiate the payments and (b) a pre-existing agreement for the provision of products or services (e.g. utility bills, digital service subscriptions, insurance premium payments).
Implementation of the SCA
The effective date for the implementation of the SCA was set for 14 September 2019, but the EBA has set a new deadline of 31 December 2020 for the migration to the SCA in connection with remote card-based payments. The extension results from the EBA’s acknowledgement, following responses from various stakeholders, of the challenges the industry has experienced in implementing the new standards. The purpose of the new deadline is to give competent authorities time to coordinate with the relevant payment service providers and to monitor their migration plans. Even though 14 September 2019 remains the legal deadline for the application of the SCA, action for non-compliance will not be pursued (as specified in the EBA’s opinion of 16 October 2019 and as also included in the CBC’s release of 24 December 2019), on the condition that the payment service providers comply with the milestones and requirements set out by the competent authorities on the basis of the EBA’s opinion. In its release, the CBC specified that it does not intend to take supervisory enforcement action against licensed institutions, on the condition that they have submitted a migration plan to the CBC.
The implementation of the SCA may prove challenging for credit institutions and other payment service providers, especially considering the expected increase in IT costs and the need to strike a balance between, on the one hand, the implementation of the strict rules on identity authentication and payment security and, on the other hand, the provision of a seamless user experience to their clients.