Strong authentication in Spain: additional time to implement the requirements established in the PSD2

Written on 23 Oct 2019

While payment service providers should have implemented strong customer authentication (SCA) mechanisms to provide their services from 14 September 2019, a large number of market actors within the payments industry were not prepared to comply with SCA requirements by that time. The Bank of Spain has exceptionally granted a limited additional time period in order to avoid negative effects on users of payment services.

Directive (EU) 2015/2366 of the European Parliament and of the Council, of 25 November 2015, on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (hereinafter, “PSD2” or “second payment service directive”) introduced the concept of strong customer authentication (SCA), whose implementation would strengthen user security and reduce the risk of fraud in electronic transactions. However, the PSD2 does not describe the specific obligations imposed on payment service providers regarding SCA, but rather establishes general obligations on Member States to ensure secure electronic transactions.

Later, the European Commission adopted Commission Delegated Regulation (EU) 2018/389, of 27 November 2017, supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (the “RTS Regulation”, for Regulatory Technical Standards Regulation), in order to establish the specific measures, towards the Digital Single Market, for the SCA to be applied to e-payments by payment service providers across the EEA. Pursuant to the RTS Regulation, the majority of provisions contained therein should have been enforceable as from 14 September 2019.

The RTS Regulation outlines the specific obligations for payment service providers to verify that electronic transactions are carried out by the legitimate user of the services. These obligations shall also enable payment services to adapt to new emerging threats to the security of electronic payments. The SCA requirements should be observed (unless an exemption is applicable) when the payer: (i) accesses their payment account online; (ii) initiates an electronic payment transaction; (iii) carries out any action through a remote channel which may imply a risk of payment fraud or any other abuse. Although it is essential that electronic payments be as secure as possible, implementing the SCA requirements in an uncoordinated, premature and non-unified manner could result in payment denials on a large scale, which would have negative effects on Spanish users of payment services and merchants.

As a consequence, the Bank of Spain published an informative note granting an additional time period for the complete roll-out of SCA and providing for the envisaged migration plans to be reviewed in accordance with a so-called “conditional flexibility”. The aim is to avoid the potential negative consequences for electronic commerce of enforcing the SCA requirements early on the various operators, taking into account that these actors are not currently prepared for the SCA. The Bank of Spain’s position is in line with the Opinion of the European Banking Authority (EBA), the authority supervising the consistency of the SCA roll-out across the EU, which was published on 21 June 2019. The Opinion authorises national competent authorities to grant additional time for stakeholders to switch to authentication solutions that are compliant with SCA.

Against this background, in July 2019 the main banking associations in Spain published one of the most interesting initiatives relating to SCA compliance: the Action Plan for the implementation of strong authentication on card payments (“Implementation Plan”), which analyses the main implications of applying the RTS Regulation in e-commerce, and describes the steps to be taken in order to fully, but gradually, adopt the elements of the SCA over a reasonable period of time. The main objective of the Implementation Plan is thus to minimise the potential impact of the application of the SCA, without compromising payment security.

The Implementation Plan adjusts the time periods in which the different economic actors need to adapt their respective platforms to the new requirements, without disproportionately harming the experience of payment service users. Pursuant to the Implementation Plan, merchants should have the new security standards applicable to payments implemented within their platforms by November 2020, thus achieving an appropriate balance between the security of electronic payments, accessibility and user friendliness. The Implementation Plan uses the publication of the security specifications of the 3D Secure 2.2 protocol (currently the highest security standard) as its benchmark, but during the transitional period the combination of the card number together with the CVV and the card expiry date would be kept as the relevant identification element, while new strong authentication systems are introduced in a phased manner.

On 16 October 2019, the EBA published another Opinion in which 31 December 2020 is established as the deadline for the complete implementation of the strong customer authentication systems by payment service providers. This Opinion has been embraced by the Bank of Spain through a second informative note published two days later, in which it announces that it will adapt its revisions of the suppliers’ migration plans to the new deadline. Under this scenario, should the entities adhering to the aforementioned banking associations adequately comply with the provisions of the Implementation Plan, the majority of payment service providers in Spain would comply with the obligations related to the SCA within the established deadlines.