On 29 November 2021, the FCA published Policy Statement 21/19 ‘Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual’ (PS21/19).
Earlier this year the FCA issued Consultation Paper 21/3 ‘Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual’ (CP21/3). In CP21/3 the FCA consulted on regulatory technical standards on strong customer authentication and secure communication (SCA-RTS) and changes to ‘Payment Services and Electronic Money – Our Approach’ (AD) and the Perimeter Guidance Manual (PERG). In PS21/19 the FCA sets out its response to the feedback it received to CP21/3 and sets out final rules and guidance.
In terms of the SCA-RTS the changes include:
- Creating a new SCA exemption in Article 10A. This would mean customers don’t need to reauthenticate with their account servicing payment service provider (ASPSP) every 90 days when accessing their account information through a third-party provider (TPP).
- Requiring certain ASPSPs to provide dedicated interfaces to enable TPP access to customer account information for retail and SME payment accounts.
- Amending requirements on providing interface technical specifications, testing interfaces and fallback interfaces by ASPSPs intended to let ASPSPs innovate and launch products and services more quickly.
- Allowing ASPSPs with a deemed authorisation under the Temporary Permissions Regime (TPR) to rely in the UK on an exemption from setting up a fallback interface granted by a home state competent authority located in the EU.
The FCA has also updated the guidance in the AD on SCA to clarify its expectations of firms following questions from industry and several recent European Banking Authority and European Commission Q&A responses and opinions. The FCA has also made changes to AD guidance on prudential risk management and safeguarding customer funds to ensure firms are well run and that consumers are appropriately protected if a firm fails. The FCA has also made certain other general updates to the AD including changes to regulatory reporting requirements and amendments to reflect previous policy changes.
ASPSPs offering personal payment accounts in the scope of the Payment Account Regulations 2015, equivalent payment accounts held by SMEs and credit card accounts operated for consumers or SMEs will need to have a dedicated interface in place no later than 18 months after the rules come into force. The FCA strongly encourages ASPSPs to apply the new exemption from the obligation to carry out SCA as soon as practicable after it has come into effect. TPPs will need to reconfirm customer consent under Article 36(6) of the SCA-RTS no later than 4 months after the rules come into force.