On 13 August 2019, the FCA announced that it had agreed a plan to give the payments and e-commerce industry extra time to implement Strong Customer Authentication (SCA).
SCA is a requirement placed on Payment Service Providers under the second Payment Services Directive 2015/2366. SCA is intended to enhance the security of payments and limit fraud. It requires two-factor authentication in various circumstances, including on the initiation of a payment transaction or checking an account balance online. Authentication of a customer’s identity may be based on: (1) something only the customer knows; (2) something only the customer possesses; or (3) something inherent to the user (such as fingerprint, voice recognition, iris).
Following concerns raised by the industry around the implementation timeframe, the FCA has agreed an 18-month plan to implement SCA with the e-commerce industry of card issuers, payments firms and online retailers. The plan reflects the recent opinion of the European Banking Authority (EBA), which set out that more time was needed for implementation given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers.
Responding to the announcement, Jonathan Davidson, the FCA’s Executive Director for Supervision – Retail and Authorisations, stated that, “The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster. While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction.”
Under the plan, the FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. What is sufficient in terms of “evidence” remains an open question. By the end of the 18-month period in March 2021, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA.
The FCA will also continue to monitor the extent to which banks and other payment service providers are meeting its expectation that they consider the impact of SCA on different groups of consumers, and provide alternative means of authentication where needed.