Posted by Michael McKee, Sophie Lessar, Chris Whittaker and Jinu Choi on 10 December 2021
Tagged to FCA, Open Banking, payment services, PSR, SCA

On 29 November 2021, Financial Conduct Authority (FCA) published amendments to the Regulatory Technical Standards on Strong Customer Authentication and Secure Communication (SCA-RTS).

The FCA also amended the guidance in “Payment Services and Electronic Money – our Approach” (Approach Document, now dated November 2021).

Background

The FCA recognised that the payments landscape and the open banking initiative has evolved since the Payment Services Regulations 2017 came into force.

In order to further prioritise making payments safe and accessible, as outlined in their 2021/22 Business Plan, the FCA commenced a consultation on open finance via a call for input.  

Need for Change

Through this consultation, the FCA found two main barriers to the development and uptake of open banking:

  • The requirement for customers to reauthenticate with their account servicing payment service provider (ASPSP, typically banks) every 90 days to continue accessing account information through a third-party provider (TPP).
  • Use of existing customer interfaces that are not specifically designed for TPPs to access customer account information.

The amendments to the SCA-RTS will help remove these barriers.

What will be changed

The changes to the SCA-RTS include the following:

  • Creating a new SCA exemption in Article 10A so that customers don’t need to reauthenticate with their ASPSP every 90 days when accessing their account information through a TPP.
  • Requiring certain ASPSPs to provide dedicated interfaces to enable TPP access to customer account information for retail and SME payment accounts.
  • Amending requirements on providing interface technical specifications, testing interfaces and fallback interfaces by ASPSPs.
  • Allowing ASPSPs with a deemed authorisation under the Temporary Permissions Regime to rely on an exemption from setting up a fallback interface granted by a competent authority in the EU.

The FCA has strongly encouraged ASPSPs to apply the new exemption from the obligation to carry out strong customer authentication as soon as practicable after it has come into effect. TPPs will need to reconfirm customer consent under Article 36(6) of the SCA-RTS no later than 4 months after the rules come into force.

The FCA is also updating the Approach Document to clarify the FCA’s expectations of firms and ensure that the guidance on prudential risk management and safeguarding customer funds will enhance the resilience of firms.

The authors

Michael McKee
Michael McKee
Sophie Lessar
Sophie Lessar
Chris Whittaker
Chris Whittaker
Jinu Choi
Jinu Choi

Add to home screen

To add this site to your home screen open the browser option menu and tap on Add to home screen.

To add this site to your home screen tap arrow and then plus