The requirement of Strong Customer Authentication (SCA) for payment service providers was scheduled for 14 September 2019. Germany’s Federal Financial Supervisory Authority (BaFin), however, just announced that, to avoid disrupting online payments, it will not insist that the SCA rules be followed immediately.
As a temporary measure, payment service providers domiciled in Germany will still be allowed to execute credit card payments online without strong customer authentication after 14 September 2019. The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) will not object to such transactions for the time being. This is intended to prevent disruptions to online payment processes and to facilitate the smooth transition to the new requirements of the Second Directive on Payment Services (PSD 2).
Strong customer authentication will be a requirement for online payments from 14 September 2019. This is intended to make internet shopping more secure. For credit card payments, it will no longer be sufficient to enter the credit card number and card verification value (CVV). Customers will have to complete additional steps, such as providing a transaction number (TAN) sent to their mobile telephone in addition to entering a password.
In BaFin’s estimation, card issuing payment service providers in Germany are prepared for the new requirements. The situation is different, however, for companies that make use of online credit card payments as recipients. In this area, substantial adjustments are still needed to meet the new requirements.
To allow consumers and companies to continue using credit cards for online payments, BaFin will temporarily refrain from applying the requirements for strong customer authentication for online credit card payments. This possibility was granted to the national supervisory authorities by the European Banking Authority (EBA). The security level currently in place for internet payments will remain. Provisions under civil law with regard to liability between, for example, the credit card holder and the payment service provider are unaffected by this measure, meaning it will bring no disadvantages for consumers and other online payers.
The simplifications are temporary. BaFin will determine when they expire following consultation with market participants and in coordination with the EBA and the European national supervisory authorities.
In the meantime, BaFin expects that all those affected adjust their infrastructures as soon as possible so that they are able to facilitate strong customer authentication where this is required by law. Concrete migration plans should be developed for this purpose. The simplifications only apply to credit card payments online.
How long this practice will be upheld will be specified after consultation with the EBA, other supervisory authorities and market participants. However, BaFin firmly reminds all participants that it expects timely implementation of the SCA rules and precise migration plans.
On the same note, the Austrian Financial Markets Authority (Finanzmarktaufsichtsbehörde – FMA) is postponing the implementation of SCA in Austria until a new, joint European deadline for its implementation is found. This will most probably be the case by the end of September.
The FMA issued a press release (in German) on 19 August 2019 citing concerns similar to BaFin’s. In its statement, the FMA specifies that it will expect payment service providers operating in Austria to provide concrete plans regarding the progress of SCA implementation, accompanied by a steady flow of information.
A few days ago, BaFin made another announcement regarding PSD2. In a circular to banks, BaFin declares that it is not in a position to grant any exemption from the requirements to provide a fallback for new account interfaces for Third Party Providers (TPPs), as the banks’ efforts do not yet meet the regulatory requirements.
For the online direct debit schemes widely used in Germany, BaFin does not require SCA at all.