On 20 August 2019, the FCA published a Dear CEO letter on the requirements for strong customer authentication (SCA) in card-not-present e-commerce transactions. The Dear CEO letter follows the earlier FCA announcement regarding an 18-month plan to implement SCA rules under the revised Payment Services Directive (PSD2) for the e-commerce industry of card issuers, payments firms and online retailers (our blog is here).

In the Dear CEO letter the FCA welcomes the plan that UK Finance has worked on to implement SCA for card-not-present transactions for e-commerce as soon as practicable. A hyperlink to the plan is also included.

The FCA states that it cannot alter the legal deadline for complying with the requirements for SCA, which remains 14 September 2019. However, to support the orderly transition to SCA and avoid a negative impact on consumers and merchants, the regulator will not take enforcement action against firms because they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the plan.

The FCA adds that:

  • its decision not to take enforcement action is limited to the application of SCA to card-not-present e-commerce transactions;
  • this commitment only applies to firms that can demonstrate that they have taken the necessary steps to comply with the UK Finance plan to deliver SCA by 14 March 2021; and
  • after 14 March 2021, failure to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action as appropriate.

The FCA also states that its agreement not to take enforcement action is meant to avoid unintended consequences for consumers and merchants. The regulator expects:

  • firms not to act outside the agreed industry delivery plan in ways that cause unnecessary problems for consumers or merchants; and
  • all parties involved in card-not-present transactions, both FCA regulated and unregulated, to continue to work together over the next 18 months to ensure the smooth and timely implementation of SCA by 14 March 2021.

The FCA also expects firms to manage the potential negative impact of SCA on different groups of customers, particularly those who are vulnerable, less digitally engaged or located in areas with limited digital access. Firms are expected to provide a viable means of authenticating these customers.

In terms of next steps for firms, the FCA states that they should speak to their trade association and UK Finance to get more information on the plan. Firms are also reminded that they need to take appropriate steps to manage their fraud risk and are encouraged to be open and transparent with consumers and merchants to minimise the risk of unexpected disruption to payments.