Additional time provided to implement Strong Customer Authentication requirements
Seeking to ensure smooth transition of payment service providers and e-merchants to strong customer authentication (SCA) methods and continued ability of consumers to make card-based online payments, the Bank of Lithuania is of the opinion that additional time to complete preparations for the SCA requirements should be provided and the deadlines should be the same across all European Union (EU) countries.
The second Payment Services Directive (PSD2) and the related regulatory technical standards set 14 September 2019 as the deadline for the mandatory adoption by banks and other payment service providers of strong customer authentication methods. This means that when logging into online or mobile banking accounts and making payments, client identity would be confirmed using at least two SCA elements out of three: possession (something only the customer owns, e.g. a smartphone, a code generator), knowledge (something only the customer knows, e.g. a password), inherence (something that characterises only the customer, e.g. a fingerprint).
Given the complexity of the payments market and the transaction execution process, most EU payment service providers executing online card payments and merchants for which they provide services did not manage to prepare for the new requirements on time. To this end, on 21 June 2019 the European Banking Authority (EBA) afforded the national competent authorities the option of providing additional time to allow payment service providers issuing payment cards and payment service providers and companies accepting online card payments to complete the measures and to adopt the new authentication instruments for card-based online payments.
Being aware of the importance of card-based online payments to Lithuanian consumers, which purchase goods and services across the EU, and at the request of companies to which card-based online payments are very important and of participants of the Lithuanian payments market, the Bank of Lithuania has decided to provide an extension to the deadline. This extension should be the same for all EU countries and should be agreed by national competent authorities within the EBA framework. The final deadline is expected to be set by the EBA by the end of the month.
The Lithuanian payment service providers wishing to make use of the extension must:
- submit a detailed migration plan to the Bank of Lithuania;
- endeavour to adjust to SCA in an expedited manner;
- ensure at least the same level of customer protection as is currently applied.
Consumers making card-based online payments are not to be adversely affected due to the inability of market participants to make the required adjustment on time.
During the migration period, card-based online payments carried out without strong customer authentication may continue to be made according to the current payment transaction authorisation procedures.