UK regulator agrees 18-month plan for implementation of Strong Customer Authentication
The plan gives the payments and e-commerce industry additional time to implement Strong Customer Authentication.
In line with earlier reports, the UK Financial Conduct Authority (FCA) announced today that it has agreed a plan that gives the payments and e-commerce industry extra time to implement Strong Customer Authentication (SCA).
From September 14, 2019, new European Union (EU) rules will start to apply that affect the way in which banks or payment services providers verify their customers' identity and validate specific payment instructions. The new rules, called Strong Customer Authentication (SCA), aim to enhance the security of payments and limit fraud during this authentication process.
The FCA has today agreed an 18-month plan to implement SCA with the e-commerce industry of card issuers, payments firms and online retailers. The plan reflects the recent opinion of the European Banking Authority (EBA), which stated that more time was needed to implement SCA given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers.
Jonathan Davidson, Executive Director for Supervision – Retail and Authorisations, said:
‘The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster. While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction’.
Importantly, the FCA said it will not take enforcement action against firms if they do not meet the relevant requirements for SCA from September 14, 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA.
The FCA will also continue to monitor the extent to which banks and payment service providers are meeting its expectation that they consider the impact of SCA on different groups of consumers, and provide alternative means of authentication where needed.
Let’s recall that the revised Payment Services Directive was published in November 2015, entered into force on January 13, 2016 and has applied since January 13, 2018. The Directive brings fundamental changes to the payments market in the EU, in particular by requiring SCA to be applied by payment services providers (PSPs) when carrying out remote electronic transactions.
SCA is defined in the Directive as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.” The Directive also stipulates that SCA is to be applied to all electronic payments, unless one of the exemptions applies.