On 30 April 2020, the UK’s Financial Conduct Authority (FCA) granted the payments industry an additional 6 months to meet the requirements of Strong Customer Authentication (SCA).
Given the impact of COVID-19, the FCA has granted this additional time for firms to comply with SCA in order to minimise the potential disruption to consumers and merchants.
The new deadline requires firms comply with SCA by 14 September 2021 instead of 14 March 2021.
There are now calls for other regulators to also delay SCA compliance across Europe.
What is Strong Customer Authentication?
SCA is mandated for Payment Service Providers (PSPs) such as banks and providers of payment gateways under the Second Payment Services Directive (PSD 2).
It requires two factor authentication whenever a customer accesses their payment account online, makes an electronic payment or otherwise takes any action through a remote channel where there may be a risk of payment fraud or other abuses.
SCA requires authentication to use at least two of the following three elements:
- Something the customer knows (e.g. password/pin);
- Something the customer has (e.g. phone/hardware token); and
- Something the customer is (e.g. fingerprint/facial recognition).
SCA represents an important tool to combat payments fraud by ensuring additional personalised customer authentication of access to information and payment transactions.
Extension of time for compliance
The SCA requirements as set out in the SCA Regulatory Technical Standards technically came into force in the UK and across the EU on 14 September 2019.
In response to concerns about industry readiness and the potential for a significant negative impact on consumers, in August 2019 the FCA agreed to an 18 month plan to implement SCA.
Until 14 March 2021, the FCA agreed not to take enforcement action against payments firms where those firms could demonstrate they were taking the necessary steps to comply with the agreed industry managed rollout plan.
This period of regulatory forbearance was welcomed as payments firms were still working with merchants to put in place e-commerce solutions that support SCA, such as 3D Secure Version 2 and above.
In contrast to the FCA’s extension, in October 2019 the European Banking Authority (EBA) published an opinion recommending national competent authorities only provide an extension to 31 December 2020. This led to the unsatisfactory position of differing periods of extension to the SCA requirements across Europe.
FCA further extension in light of COVID-19
In light of the exceptional circumstances of the COVID-19 pandemic, on 30 April 2020 the FCA gave industry an additional 6 months to implement SCA for e-commerce transactions. The new timeline of 14 September 2021 replaced the 14 March 2021 date.
In the announcement, the FCA stressed that firms are still required to take all necessary steps to comply with the revised detailed phased implementation plan. Where firms fail to take such necessary steps, the FCA may still take enforcement action against non-SCA compliant payments firms.
In the announcement, the FCA also stated its expectation that UK Finance, as coordinator for the industry and industry plan, discuss updating the implementation plan with the FCA as soon as possible.
Importantly, this further extension to SCA compliance applies only to the e-commerce industry. The SCA requirements for online banking have applied since 14 September 2019 with the first extension to 14 March 2020. For firms that have not yet met SCA requirement for their online banking customers, the FCA states that it will consider on a case-by-case basis “appropriate further measures”.
Calls for further extensions
The FCA’s extension follows the publication a joint letter on SCA delay due to COVID-19 on 24 April 2020.
This letter, published by the European Payment Institutions Federation (EPIF) and signed by Ecommerce Europe, Visa, Mastercard, EuroCommerce and the EPIF amongst others, calls on the EBA to provide at least an additional six months for the market to be fully SCA ready.
The letter notes that the “exceptional circumstances of this disease is putting an additional strain on the limited resources for all parties involved in the payment chain. During the pandemic, companies have had to focus their efforts on business continuity, prioritising business critical activities targeted at maintaining stability and supporting consumers though the crisis.”
The letter goes on to note that “the constraints the current crisis places on the roll out of SCA technology severely limits the time available for participants to test together, which is essential to a safe and controlled implementation. Critically, the time lost during lockdown will not be able to be recovered later in the year due to system freezes pre-peak trading. Avoiding disruption is even more critical this year as this will coincide with the early stages of economic recovery.”
Whether the EBA responds to the call with a further extension to SCA compliance remains to be seen. The EBA itself acknowledged the benefits of ensuring a harmonised and consistent migration to SCA compliance and readiness in its last opinion.