The requirement of Strong Customer Authentication (SCA) for payment service providers was scheduled for 14 September 2019. Germany’s Federal Financial Supervisory Authority (BaFin), however, just announced it will not insist on SCA-rules to be followed immediately to avoid disruption for payments online.
On 21 August 2019, BaFin issued a press release (German) specifying that credit card payments may be concluded without performing SCA (also called two factor authentication) after the implementation deadline formally expired. The performance of SCA with every payment is required as part of a set of new rules originating form the second European Payments Services Directive (PSD2) taking full effect on 14 September 2019. The idea is to make payments online more secure.
According to the press release, BaFin considers credit card issuers in Germany to be sufficiently prepared to perform SCA, however that would be not true for companies accepting credit card-based payments online. For companies and consumers to continue using credit cards online, BaFin, for now, exempts the full implementation of SCA-rules come the September deadline. This exemption is based on an opinion by the European Banking Authority (EBA) which offered this exact choice to national supervisory authorities. The existing level of security for online credit card payments and possible civil law claims remain untouched. BaFin expects no disadvantage to anyone as a result of this relief.
The duration through which this practice will be upheld will be specified after a consultation with EBA, other supervisory authorities as well as market participants. However, BaFin firmly reminds all participants that it expects a timely implementation of SCA-rules and precise migration plans.
On the same note, the Austrian Financial Markets Authority (Finanzmarktaufsichtsbehörde – FMA) postpones implementation of SCA performance in Austria until a joint new and European deadline for its implementation is found. This will most probably be the case by end of September. FMA issued a press release (German) on 19 August 2019 citing similar concerns as BaFin. In its statement FMA specifies that it will expect payment service providers operating in Austria concrete plans regarding the progress of SCA implementation accompanied by a steady flow of information.
Only days ago, BaFin made another announcement regarding PSD2. In a circular to banks, BaFin declares that they are not in a position to grant any exemption from the requirements to provide a fallback for new account interfaces for Third Party Providers (TPP’S) as the bank’s efforts do not yet meet the regulatory requirements.
Regarding the, in Germany, widely used online direct debiting schemes, BaFin does not require SCA performance at all.
If you would like to receive our payments alerts directly in your inbox, please click here.
The authors thank Sascha Lucas for his support.