UK FCA gives industry additional 6 months to implement strong customer authentication
The new timeline of September 14, 2021 replaces the March 14, 2021 date.
The UK Financial Conduct Authority (FCA) today announced an extension to the deadline for the implementation of strong customer authentication (SCA).
The regulator is giving the industry an additional 6 months to implement SCA for e-commerce. This is set to minimise potential disruption to consumers and merchants. The new timeline of September 14, 2021 replaces the March 14, 2021 date. The extension is granted in light of the exceptional circumstances of the Covid crisis, the FCA explains.
Firms are required to take all necessary steps to comply with the revised detailed phased implementation plan and critical path to avoid the risk of enforcement action.
The FCA expects UK Finance, as coordinator for the industry, to discuss the detailed phased implementation plan and critical path with all stakeholders and agree it with the FCA as soon as possible. In the meantime, firms are advised to continue with the necessary preparatory activities such as robust end-to-end testing.
After September 14, 2021, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action.
Let’s recall that, back in August 2019, the FCA agreed an 18-month plan to implement SCA with the e-commerce industry of card issuers, payments firms and online retailers. The plan reflects the recent opinion of the European Banking Authority (EBA), which stated that more time was needed to implement SCA given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers.
The revised Payment Services Directive, which was published in November 2015, entered into force on January 13, 2016 and has applied since January 13, 2018. The Directive brings fundamental changes to the payments market in the EU, in particular by requiring SCA to be applied by payment services providers (PSPs) when carrying out remote electronic transactions.
SCA is defined in the Directive as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.” The Directive also stipulates that SCA is to be applied to all electronic payments, unless one of the exemptions applies.