Global Regulation, Local Solutions Emerging Themes 2020 - Page 80



DIGITAL
EMERGING THEMES 2020
WHAT IS SCA?
In summary, SCA is a process whereby a payment service provider authenticates a customer’s identity by using at least two elements from three specified categories:
• Knowledge – something only the customer knows (such as a password)
• Possession – something only the customer has (for example a token generator)
• Inherence – something the customer is (essentially, biometrics such as fingerprints).
Knowing one element must not compromise the other, and each of the two elements must come from a different category.
For remote electronic payments, such as online payments, the transaction must also be dynamically linked to a specific amount and a specific payee (for example via a one-time passcode).

WHEN MUST SCA BE APPLIED?
SCA must be applied when a customer:
• Accesses their payment account online
• Initiates an electronic payment, or
• Carries out any action through a remote channel that may imply fraud,
in each case, unless an exclusion/exemption is available.
It is always the payer’s payment service provider (e.g. a card issuer) that determines whether to apply SCA or use any exemption. However, the payee’s payment service provider (such as a merchant acquirer) can decide on certain exemptions (subject to the issuer’s final decision).

WHAT IS THE POTENTIAL IMPACT?
The new requirements are different from most of the existing two-factor authentication methods – for example, a password and a PIN will not constitute SCA, because both are “knowledge” elements. This means that changes may need to be made to the existing processes. For example, the major card schemes (Visa, Mastercard and Amex) are deploying 3D Secure Version 2 across the EU card payment market.
Regulated payment service providers are directly impacted. Non-regulated businesses (such as merchants) may also need to implement changes as required by their payment service providers so that the payment service providers themselves can comply. In certain circumstances, merchants can be liable for SCA failures.
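
A minimal sketch of the two rules described above, added here as an illustration and not taken from this publication or from any card scheme's specification: the verified elements must come from two different categories, and the authentication code for a remote payment is bound to one amount and one payee. The element names, the HMAC construction, the field encoding, the transaction identifier and the key are all assumptions made for this example.

```python
import hashlib
import hmac
from decimal import Decimal

# Category of each authentication element (element names constructed for this example).
CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "token_generator": "possession",
    "fingerprint": "inherence",
}

def satisfies_sca(elements):
    """True when the verified elements span at least two different categories."""
    return len({CATEGORY[e] for e in elements}) >= 2

def _message(txn_id, amount, currency, payee):
    # Length-prefix every field so adjacent fields cannot be shifted into each other.
    fields = [txn_id, f"{Decimal(amount):.2f}", currency, payee]
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)

def auth_code(key, txn_id, amount, currency, payee, digits=8):
    """Passcode bound to one transaction, one amount and one payee (dynamic linking)."""
    mac = hmac.new(key, _message(txn_id, amount, currency, payee), hashlib.sha256).digest()
    number = int.from_bytes(mac[:8], "big") % 10**digits
    return f"{number:0{digits}d}"

def verify(key, code, txn_id, amount, currency, payee):
    """Recompute the code from what the server is about to execute and compare."""
    expected = auth_code(key, txn_id, amount, currency, payee)
    return hmac.compare_digest(code, expected)

# Constructed sample values: a per-customer key held by the issuer and the
# customer's possession element, and one payment the customer approved.
KEY = b"constructed-demo-key-not-for-production"
APPROVED = ("txn-0001", "49.90", "EUR", "Example Shop Ltd")

if __name__ == "__main__":
    print("password + pin:", satisfies_sca(["password", "pin"]))
    print("password + token:", satisfies_sca(["password", "token_generator"]))
    code = auth_code(KEY, *APPROVED)
    print("approved payment verifies:", verify(KEY, code, *APPROVED))
    print("altered amount verifies:",
          verify(KEY, code, "txn-0001", "4990.00", "EUR", "Example Shop Ltd"))
```

A code that verifies only against the exact amount and payee the customer saw is what stops an approved payment from being silently redirected or inflated after authentication.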

WHAT ARE THE EXCLUSIONS/EXEMPTIONS?
Payments initiated by a payee such as a merchant (known as “merchant initiated transactions” or “MIT”) are excluded. This includes utilities payments (typically through direct debit) and certain subscription services. However, the initial set-up of the MIT mandate may require SCA.
There are nine exempted situations where SCA is not required:
(1) Accessing accounts within 90 days (rolling) to check balances and transactions, provided that no sensitive payment data (such as a password) is disclosed
(2) Contactless payments not exceeding €50 (individually) where either the number of consecutive transactions does not exceed five or the cumulative value does not exceed €150
(3) Payments made at unattended terminals for transport fares or parking fees
(4) Payments made to trusted beneficiaries that the customer set up in advance with their account payment service provider
(5) Recurring payments to the same payee with the same amount (such as a standing order)
(6) Credit transfers between one’s own accounts with the same payment service provider
(7) Remote payments not exceeding €30 (individually), where either the number of consecutive transactions does not exceed five or the cumulative value does not exceed €100
(8) Corporate payments through dedicated processes (subject to regulatory approval)
(9) Remote payments where the payment service provider’s overall fraud rate is within specified thresholds.
The timing and other thresholds above are calculated by reference to the last time SCA was applied.
[Figure: The three elements: knowledge, possession, inherence]

WHAT IS THE CURRENT STATUS?
Given the potentially significant impact, the European Banking Authority (“EBA”) opined in June last year that member states might have a no-enforcement period for online card payments. As a result, while the rules formally applied from 14 September 2019, national regulators may choose not to enforce them during a short period. The Financial Conduct Authority announced in August an 18-month no-enforcement period; full SCA compliance is therefore expected by 14 March 2021 in the UK. Subsequently, the EBA further opined in October that compliance should be completed by 31 December 2020 for all member states. So far, there have been no indications that the FCA will change the UK position.

CONCLUSION
Application of SCA is currently fluid across the EU. In the UK, online payments should be “business as usual” for now, but changes are expected to be gradually implemented to meet the new deadline. However, certain in-store payments may require immediate changes.
Frictions may arise for cross-border payments given the inconsistency between the UK position and the EBA approach which, although expected to be followed by other member states, may be adopted with local differences.

KAI ZHANG
Associate Director, London
