European Banking Authority offers clarifications on PSD2’s strong customer authentication

The European Banking Authority (EBA) has published an opinion on PSD2’s strong customer authentication (SCA), due to continued queries from market actors.

Questions had been raised on what authentication approaches the EBA considers to be compliant with SCA. This opinion will relieve these concerns by listing a ‘non-exhaustive’ list of different approaches and whether the EBA considers them compliant or not.

Within the guidance, the EBA breaks it down to the three SCA elements of knowledge, possession and inherence, and clarifies combinations of these.

Several queries sent to the EBA regarded market preparedness and whether the application date could be postponed.

Unfortunately, the EBA revealed it is not legally able to do this due to the EU law. Additionally, it believes the market has been allowed enough time to prepare for the deadline – having been clearly outlined when PSD2 was published in 2015 and already having had an 18-month extension.

That said, the EBA recognised the complexity of the payments space across the EU. An example given is interactions between actors that are not payment service providers and not subject to PSD2.

Responding to this, the EBA has accepted on an exceptional basis NCAs may decide to work with PSPs and relevant stakeholders, including customers and merchants, to gain additional time. This will allow issuers to migrate to authentication approaches which are compliant with SCA and those described in the opinion, and acquirers to migrate their merchants to solutions supporting SCA.

Deadlines for these migration plans will be disclosed later in the year.

PSD2 defines SCA as “”authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”

As with PSD2, the final deadline for implementation of SCA is 14 September 2019.

Enjoying the stories?

Subscribe to our daily FinTech newsletter and get the latest industry news & research


The following investor(s) were tagged in this article.