I propose to take Questions Nos. 177, 178, 179 and 181 together.
The revised Payment Services Directive (PSD2) of 2015 introduced strong security requirements for the initiation and processing of electronic payments, which apply to all payment service providers (PSPs). This approach is intended to reduce the risk of fraud for all types of electronic payments (especially online payments) and to protect the confidentiality of the user’s financial data.
PSPs are obliged to apply strong customer authentication (SCA) when a payer initiates an electronic payment transaction. SCA under PSD2 requires the customer to go through two-factor authentication made up of elements from two of three separate categories: knowledge, possession, and inherence. SCA is a combination of something you know (a password or PIN), something you have (a card reader or token generator) and something you are (a fingerprint).
The European Banking Authority (EBA) was tasked with developing standards for strong customer authentication and secure communication. These standards were published on 13 March 2018 and came into effect from 14 September 2019.
In an Opinion published on 16 October 2019 the EBA set the final deadline for full compliance with SCA requirements at 31 December 2020. The EBA felt that this time should be sufficient for issuing and acquiring payment service providers and their merchants to migrate to SCA-compliant approaches and solutions.
Following the outbreak of Covid-19 earlier this year industry bodies from across the EU, including the Banking and Payments Federation of Ireland (BPFI), wrote to the EU Commission and the EBA seeking a further extension to the deadline for compliance with the SCA requirements. They outlined that Covid-19 was clearly having an impact on all sectors of the EU economy and that industry was unlikely to be able to meet the current deadline of 31 December 2020 for SCA migration.
Where a regulated payment service provider (PSP) is in a position to implement the requirements with effect from 1 January 2021, the Central Bank expects them to do so, in a manner that does not cause customer detriment.
Through engagements with regulated PSPs on the progress of their SCA migration plans, the Central Bank is aware of some issues around the full implementation of SCA by 31 December 2020. The Central Bank has communicated to these PSPs that they are required to implement the Requirements as soon as possible in a manner that does not cause customer detriment.
As the deadline for SCA implementation approaches, Department officials will continue to work with the Central Bank and BPFI to minimise payment disruption experienced by consumers and merchants.