Latest European Banking Authority Opinion on SCA – Key Points24th June 2019
The EBA has published its final opinion on SCA, clarifying the authentication elements and its interactions, as well as opening the door for potential extensions to the September 14th deadline.
The Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2 document clarifies that the EBA is legally not able to postpone the deadline, however, it acknowledges that unintended negative consequences could occur as a result of SCA and therefore there may be a need for individual Competent Authorities (CA) to provide ‘limited additional time’ for the industry to prepare.
This flexibility comes with the caveat that PSPs must have a migration plan agreed with the CAs and that it is executed in an expedited manner.
The EBA have also clarified the viability of certain authentication methods for each of the three elements:
- Knowledge – Something the customer knows e.g. PIN, password
- Possession – Something the customer has e.g. debit card, phone
- Inherence – Something the customer is e.g. fingerprint, retina scan
The guidance is as follows:
Table 1: Non-exhaustive List of Possible Inherence Elements
Table 2: Non-exhaustive List of Possible Possession Elements
Table 3: Non-exhaustive list of possible knowledge elements
There are a number of other areas addressed in the EBA’s opinion, and CMSPI is working with merchants to navigate the inherent complexities of the upcoming mandate.