Notice | 8 August 2019

Regulatory Technical Standards on Strong Customer Authentication (SCA)

The deadline for compliance with the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) under the PSD2 Directive is 14 September 2019.

However, the Central Bank of Ireland recognises the difficulties with meeting this deadline. We have been engaging with the industry to develop a migration plan to implement SCA for ecommerce transactions as soon as possible after this date.

In line with the EBA opinion published in June, a limited migration period will be put in place for firms regulated by the Central Bank of Ireland in relation to the application of SCA requirements under the PSD2 Directive. This migration period relates to ecommerce transactions only. As such, there will be no disruption to payments systems from 14 September, when the RTS on SCA of the Directive is due to come into force.

The Central Bank of Ireland will continue to engage with the EBA and other National Competent Authorities in the European Union in relation to this issue, aiming to agree a harmonised approach to the migration time periods across the European Union. The Central Bank of Ireland will continue to communicate on this issue as it develops.

PSD2 Overview

Directive 2015/2366/EU (or PSD2) is an EU Directive that applies to payment services in the EU. It expands the scope of the first EU Payment Services Directive (PSD) which entered into force in 2009.

PSD2 became law in Ireland on 13 January 2018 with the signing by the Minister for Finance of the European Union (Payment Services) Regulations 2018 (Statutory Instrument No. 6 of 2018).

PSD established common rules in relation to certain types of electronic payments, such as credit transfers, direct debits, card payments, and mobile and online payments.

PSD2 builds on PSD by making it possible for the EU market in payment services to be opened up to new categories of payment services provider offering a range of new payment services to businesses and consumers.

These new payment services providers are known as:

  • Payment Initiation Service Providers (PISPs)
  • Account Information Service Providers (AISPs).

PSD2 enables PISPs and AISPs to compete with banks and other more traditional payment services providers by offering new, regulated payment products and services such as account information aggregation and payment initiation.

How does PSD2 affect consumers?

PSD2 is intended to be a positive development for all users of payment services, but particularly consumers.

The principal changes brought about by PSD2 from a consumer perspective are as follows:

  • Consumers will have a maximum liability of €50 in cases where an unauthorised transaction has occurred on their account, except in cases where it can be proved that they acted fraudulently or were grossly negligent.
  • The unconditional "eight week refund" rights already afforded to consumers by the SEPA Direct Debit Scheme are now enshrined in EU law by PSD2.
  • Retailers are no longer allowed to engage in the practice of “surcharging” whereby they charge consumers fees for paying by debit or credit cards.
  • A payment services user can now terminate a contract for the provision of payment services free of charge after a period of six months rather than 12 months.
  • The existing national requirement for all payment services providers to put a complaints resolution procedure in place is reinforced by PSD2.
  • Stricter requirements apply in a number of important areas, for example the initiation and the processing of electronic payments (particularly online payments) and protecting consumers' financial data.
