FCA aims to give firms extra time to implement Strong Customer Authentication
The UK regulator has been working with the industry on a plan to migrate it to SCA for card payments in e-commerce as soon as possible after the September 14, 2019 deadline.
The UK Financial Conduct Authority (FCA) earlier today published its response to the European Banking Authority’s Opinion on Strong Customer Authentication (SCA) under the revised Payment Services Directive (PSD2). The Opinion is the EBA’s response to key industry questions about which authentication factors comply with the requirements for SCA.
The Opinion acknowledges the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular from actors that are not payment service providers (PSPs), such as e-merchants, and are therefore not directly subject to PSD2 and the EBA’s technical standards. As a result, some actors in the payments chain may not be ready by September 14, 2019.
The EBA, therefore, accepts that, in order to avoid unintended negative consequences for some payment service users after September 14, 2019, national competent authorities (NCAs) may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time. This is to allow issuers to migrate to authentication approaches that are compliant with SCA, and acquirers to migrate their merchants to solutions that support SCA.
The FCA today noted that the EBA’s Opinion allows the UK regulator to give some firms extra time to implement SCA.
The legal deadline for complying with the Regulatory Technical Standards on Strong Customer Authentication remains September 14, 2019. However, the FCA recognises the challenges in meeting this deadline and has been working with the industry to develop a plan to migrate it to SCA for card payments in e-commerce as soon as possible after this date.
The regulator aims to agree a plan with stakeholders across the industry that encompasses a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver improved security of customer authentication and fraud reduction along the way.
Once the plan is agreed, the FCA expects all participants to meet the agreed milestones, targets and final delivery date.
The FCA says it will not take enforcement action against firms if they do not meet the relevant requirements for SCA from September 14, 2019 in areas covered by the agreed migration plan, where there is evidence that they have taken the necessary steps to comply with the plan.
Let’s recall that the revised Payment Services Directive was published in November 2015, entered into force on January 13, 2016 and has applied since January 13, 2018. The Directive brings fundamental changes to the payments market in the EU, in particular by requiring payment service providers (PSPs) to apply SCA when carrying out remote electronic transactions.
SCA is defined in the Directive as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.” The Directive also stipulates that SCA is to be applied to all electronic payments, unless one of the exemptions applies.