RegSol Blog


PSD2 Deadline: Strong Customer Authentication

September 2019

Strong customer authentication (SCA) is a requirement that the EU Revised Directive on Payment Services (PSD2) places on payment service providers within the European Economic Area. The SCA requirement comes into force on 14 September 2019. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase their security. Physical card transactions in the EU already commonly have what could be termed strong customer authentication (Chip and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement.

Where and How?

Article 97(1) of the directive requires that payment service providers use strong customer authentication where a payer: 

(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

The directive defines strong customer authentication essentially as two-factor authentication in Article 4(30): 

"an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data"

Requirement for Authorisation

You will require authorisation/registration for PSD2 if you provide one of the payment services listed in the schedule to the Payment Services Regulations 2018, unless you are either excluded from the scope of PSD2 or are one of the institutions referred to in Article 1(1) of PSD2. An authorisation/registration under PSD2 is valid in all Member States and allows the payment institution concerned to provide the payment services covered by the authorisation throughout the Union, pursuant to the freedom to provide services or the freedom of establishment.

In advance of submitting an application for authorisation/registration under PSD2, a firm should satisfy itself that its proposed business model requires authorisation/registration.
If you are unsure as to whether your proposed activities require authorisation/registration or if you are unsure as to how you should comply with the authorisation/registration requirements, RegSol can assist.

By Judy de Castro - Regulatory Consultant