Denmark’s regulator allows 18-month extension for strong customer authentication implementation
The Financial Supervisory Authority has decided to grant additional 18 months for the implementation of the new requirements.
Denmark’s Financial Supervisory Authority (FSA) has earlier today announced it would grant 18 additional months to businesses for the implementation of strong customer authentication (SCA).
The extension only applies to card payments on the Internet. The longer implementation period must ensure that the transition to the new rules does not cause major disruptions to Danish e-commerce.
On September 14, new EU rules on strong customer authentication (two-factor authentication) are set to take effect when electronic payments are initiated. On June 21, 2019, the European Banking Authority (EBA) published an opinion on the interpretation of the rules on strong customer authentication and on the market’s preparation for these requirements. In this connection, EBA found that, especially in e-commerce, there are still problems in complying with the new rules. Against this background, EBA proposes that national regulators may give the businesses additional time to implement the new rules.
Since then, the Danish FSA has had a dialogue with representatives from the participants in the Danish payment market. Against this background, it is the opinion of the Danish FSA that it will not be possible to implement the new rules from September 14 without far-reaching consequences for Danish e-commerce. This is mainly due to the fact that a large number of businesses and so-called payment gateways that provide technical solutions to the e-shops have not been able to implement the new solutions.
The regulator belives that the market may be ready to comply with the new rules on March 14, 2021. Therefore, the Danish FSA will allow card issuers, card acquirers and e-commerce an additional 18 months to ensure compliance with the new rules.
The action taken by Denmark’s FSA is similar to that announced in August this year by the UK Financial Conduct Authority (FCA). On August 13, 2019, the FCA said it agreed an 18-month plan to implement SCA with the e-commerce industry of card issuers, payments firm and online retailers.
SCA is defined as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”