European Commission confirms SCA measures should apply to EU consumers purchasing from UK websites in the event of a no-deal Brexit.

By Christian F. McDermott, Jagveen S. Tyndall, and Amy Smyth

Complex payment processing chains comprise multiple entities operating behind the scenes to support everyday transactions.

The strong customer authentication (SCA) requirements introduced by the revised EU Payment Services Directive (PSD2) aim to reduce fraud and make online payments more secure (as described in previous posts of June and August 2019). SCA requires that a customer provide two forms of identification that meet the following criteria:

  • Knowledge (something the customer alone knows, such as a PIN)
  • Possession (something the customer alone has, such as a phone)
  • Inherence (something unique to the customer, such as a fingerprint)

The obligation to ensure that SCA is performed falls on the EU card issuer.

The European Commission has recently clarified that SCA obligations apply to EU card issuers, regardless of the location of the cardholder and/or the retailer. This applies whether both the issuer and the acquirer are EU-based (“two-leg” transactions), or if only the issuer is EU-based and the acquirer is non-EU based (“one-leg-out” transactions).

EU card issuers could therefore be liable for payments that do not meet the SCA requirements —  even if non-EU acquirers settle those payments. Non-EU acquirers remain outside the scope of PSD2 and may not practically support SCA measures. In these circumstances, the Commission maintains that, if the non-EU acquirer does not support SCA, and the issuer itself cannot impose SCA measures, the issuer must make its own assessment on whether to block the payment or to face exposure to liability if that payment was in fact unauthorised. In the event of a no-deal Brexit, the Commission’s position means that EU consumers may find payments to UK retailer websites blocked if their card issuer is unable to impose SCA measures (and unwilling to accept additional liability for unauthorised payments).

This clarification is particularly timely given the continuing uncertainty in the UK regarding Brexit.

Latham & Watkins will continue to monitor developments in this area.