FCA statement on strong customer authentication and common and secure open standards of communication under PSD2
- Posted by Michael McKee
- On 10 July 18
- CSC, EBA, FCA, Financial Regulation, PSD2, RTS, Strong customer authentication
On 22 June 2018, the FCA published a statement (Statement) on its website, providing its response to the recent publication by the EBA of an opinion (Opinion) and a consultation on draft guidelines (Draft Guidelines) on the implementation of the strong customer authentication (SCA) and common and secure open standards of communication (CSC) regulatory technical standards (RTS) under PSD2.
The RTS were published in the Official Journal in March, giving firms until 14 September 2019 to comply with their requirements. The Statement, the Opinion and the Draft Guidelines aim to provide more certainty and clarity to competent authorities and market participants in advance of implementation.
What are SCA and CSC?
In high level terms, the SCA requirements are designed to increase the level of security associated with electronic payments, requiring verification of a customer’s identity in particular prescribed circumstances, and setting out that this has to be done by reference to at least two of the following criteria: something only the customer knows, something only the customer possesses or something inherent to the user (e.g. fingerprint, voice recognition, iris).
The CSC requirements are designed to regulate the interaction between different payment service providers to facilitate the introduction of two new types of payment services (payment initiation services and account information services). These new service providers can, with the consent of a payment service user, share access to the customer’s payment account, which is provided and maintained by the customer’s account servicing payment service provider (ASPSP).
One feature of the CSC requirements is the obligation for ASPSPs to provide for a secure communication channel to third party payment service providers (TPPs) to access the customer’s payment account using secure application programming interfaces (APIs). These communication channels can either be through standardised APIs, or firms can adopt a more bespoke version. This bespoke version has still to meet the requirements in the RTS, including providing a contingency access mechanism (known as a ‘fall back mechanism’) where the interface is down. This fall back mechanism, however, does not have to be provided if the relevant competent authority is satisfied that four prescribed tests are met, as set out in Article 33(6) of the RTS. In the UK, this competent authority is the FCA.
What do the Opinion and Draft Guidelines say?
The Opinion, which is addressed to competent authorities, seeks to clarify a number of issues identified by market participants and competent authorities on the implementation of the RTS, including in relation to exemptions to SCA, consent, data sharing and the requirements for APIs and dedicated interfaces.
The Draft Guidelines provide more information about how the four tests should be applied under Article 33(6) of the RTS, with the aim of bringing regulatory and supervisory convergence in this area. The focus of the Draft Guidelines includes providing clarity in respect of service levels, availability and performance of the interfaces to the satisfaction of the payment services providers, the wide usage of the interface, the resolution of issues and consultation by competent authorities with the EBA.
How have the FCA responded?
In the Statement, the FCA indicated its support for the Draft Guidelines, noting that if the final version of the guidelines was unchanged from the Draft Guidelines, then the FCA expected to comply with them, subject to their own consultation obligations.
The FCA stated that they will consult on the proposed process and level of information required from firms to make an exemption assessment under Article 33(6) of the RTS. In respect of timing, the FCA stated that they expect such assessments to be carried out from early 2019, and will aim to respond to exemption requests promptly.
The FCA also provided some information to ASPSPs in advance of the FCA’s consultation:
- The FCA reiterated its preference that market participants adopt standardised APIs, such as those developed by the Open Banking Implementation Entity
- In addition to the ASPSP’s obligations under the RTS to make available technical specifications and provide a testing and support facility by 14 March 2019, the FCA encouraged those seeking to rely on an exemption to make such specifications available beforehand.
- The FCA encouraged timeliness in respect of requests for exemptions to allow for a full assessment to be made. The FCA noted it was not empowered to grant partial exemptions.
The FCA also gave guidance for ASPSPs when designing their interfaces:
- Some ASPSPs will only be able to demonstrate that their interface is “available to be widely used”, as opposed to demonstrating it is “widely in use”.
- The use of redirection by an ASPSP is not automatically an obstacle
- There is no requirement to provide more than one method of access
- ASPSPs must avoid imposing unnecessary requirements (such as additional consent checks)
- The FCA cannot exempt ASPSPs whose implementation created obstacles to the provision of third party access, for example where the interface created delays and friction in the customer journey.
The consultation on the Draft Guidelines runs until 13 August 2018, with the final version to be published soon thereafter. The FCA has stated that it plans to consult on relevant changes to its rules and guidance to reflect the RTS, the Opinion and the Draft Guidelines during the coming summer.
With the implementation date for SCA and CSC applicable from 14 September 2019, and with technical specifications needing to be available six months before this, the industry will no doubt be looking forward to reviewing the contents of the FCA’s proposals as soon as they become available.