On 19 August 2019, the Polish financial supervisory authority (KNF) issued a note on SCA (available here), which is in line with EBA’s Opinion on SCA of 21 June 2019.
KNF stated that, due to the state of unpreparedness of PSPs (i.e. issuers and acquirers) and merchants with the SCA requirements that come into effect on 14 September 2019, it will conditionally grant PSPs a regulatory holiday with regard to internet payments and contactless payments. This means that if a relevant PSP communicates to KNF its needs for a regulatory holiday period, along with its migration plan, KNF will not apply supervisory measures (e.g. fines) upon that PSP during the regulatory holiday period, provided of course that the PSP implement the migration plan in a timely fashion.
The maximum grace period for SCA implementation will only be communicated by KNF after their on-going consultations with the will end (probably around 14 September 2019).
KNF added that, even in case of PSP benefiting from the grace period, the risk associated with the failure to use SCA, after 13 September 2019, is fully borne by PSP, who are required to use it". We presume this is a reference to Article 74(2) PSD2, as implemented within Polish law, that allocates the liability between the issuer and the PSP of the payee, including acquirer in case of fraud. We understand that KNF seems to be saying that an issuer or PSP of the payee, who benefits from a regulatory holiday will be liable for the fraud on a particular transaction. Query what will happen for transactions where both the issuer and the PSP of the payee benefit from a regulatory holiday?
Other regulators have already announced similar measures – for example:
United Kingdom: FCA agrees plan for a phased implementation of Strong Customer Authentication
The Netherlands: https://www.toezicht.dnb.nl/3/50-237794.jsp# (Dutch)
If you would like to receive our payments alerts directly in your inbox, please click here.
Mar 01 2024