article / 07 Oct 2022

Payment Service Providers – Are you (really) ready for the new proposed SCA requirements?

According to a recent Government proposal, you as a payment service provider must apply strong customer authentication (“SCA”) when a payer uses a payment method that involves payment deferral, e.g. selects invoice payment as a payment method when purchasing goods or services online. Otherwise, in the worst case, you may be in violation of the proposed requirements, which may result in an intervention from the Swedish FSA (Swedish FSA interventions include, for instance, a warning, penalty fee and/or revocation of permits).

Today, the Payment Services Act (2010:751) requires payment service providers to apply SCA when a payer logs into its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel that may pose a risk of fraudulent activities or other forms of abuse. However, the Government’s proposal clarifies that the SCA requirement extends to situations which, according to the general opinion, have previously not been considered to be a payment service.

Who is concerned by the proposed SCA requirements?

A payment service provider – e.g. a bank or a payment institution – under the Payment Services Act will have to apply SCA when a payer uses a payment method that involves payment deferral, e.g. selects invoice payment, if the payment method consists of the payment service provider issuing an invoice to the payer and transferring funds to the payee (and the payment service provider thus is facing the credit risk).

As of now, the proposal does not appear to cover the relatively common arrangement when payment deferral is granted by the e-retailer himself and the claim for payment is then transferred to be collected by a payment service provider within a factoring arrangement. Such an arrangement falls outside the scope of the proposal and thus means that no SCA requirements apply in the case of payment methods where payment deferral is granted by the e-retailer himself.

What do the SCA requirements oblige you to do?

Today some payment service providers only require the consumer to provide certain personal data (such as name, postal address and social security number) in order to use invoice as a payment method when purchasing goods or services online. Such an offering will not be enough to fulfil the SCA requirements.

SCA refers to an authentication that is based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) which are independent of each other, so that the breach of one does not compromise the reliability of the others, and is designed to protect the credentials from unauthorized access. Such an authentication method is often called multi-factor authentication and examples of identification methods that meet these requirements are the use of e-ID or a bank card reader.

Next steps

The Government has referred the proposal to the Council on Legislation, which had no objection to the proposal. The next step is for the Government to process the proposal further and then submit it as a bill to the parliament for approval.

In its referral to the Council on Legislation, the Government proposed that the changes to the Payment Services Act shall enter into force on 1 January 2023.

To conclude

It is recommended that you review your existing offering and arrangement in the near future to ensure compliance with the proposed SCA requirements. It is also important to keep up to date with the legislative process, in order to be ready if and when the changes to the Payment Services Act enter into force.

Practice areas:

FinTech
