Strong customer authentication is obligatory from 1 January 2021
The extended deadline for implementing Strong Customer Authentication (“SCA”) expires on 31 December 2020. Originally, Hungarian laws prescribed 14 September 2019 as a deadline for the implementation of the new SCA, however, in parallel with the decision of the European Banking Authority, a new deadline has been set to 31 December 2020 by the Hungarian National Bank.
SCA was introduced as a part of the 2015/2366 Directive on payment services in the internal market in order to fight e-commercial frauds among the European Union. SCA is a multi-factor authentication method, as it requires two identification factors. These factors can be knowledge (something only the user knows, e.g. PIN code), possession (something only the user possesses, e.g. mobile phone), or inherence (something the user is, e.g. fingerprint). It is advised by the European Banking Authority to use biometric data for authentication as they are less easily reproduced and they cannot be forgotten.
According to the Directive, SCA is required for accessing payment account online, initiating electronic payment transactions, or in cases where there is a risk of payment fraud or abuse through a remote channel. However, SCA will not be required if the payment in question is under EUR 30 as it is considered a “low-risk transaction”. Nevertheless, if this exemption is used five times in a row or the aggregated amount of the exempted payment exceeds EUR 100, SCA will be needed.