On 3 September 2019, the FCA published a webpage on Strong Customer Authentication (SCA) rules under the revised Payment Services Directive (PSD2). The webpage sets out the FCA’s expectation that firms develop SCA solutions that work for all groups of customers. This means firms may need to provide several different methods of authentication, rather than relying solely on methods that use mobile phones, to cater for consumers who do not have or are unable to use a mobile phone.
The FCA wants to implement SCA in a way that minimises disruption to consumers. Therefore, it has agreed to exercise supervisory flexibility to give firms extra time to implement the requirements in the e-commerce and online banking industries.
As regards e-commerce, the FCA will not take enforcement action against firms simply for not meeting the relevant requirements for SCA from 14 September 2019 (see previous blog post here). The FCA encourages e-commerce firms to speak to trade associations and UK Finance to get more information about the agreed industry plan. The FCA expects:
- e-commerce firms not to act outside the agreed industry delivery plan in ways that cause unnecessary problems for consumers or merchants; and
- all parties involved in card-not-present transactions to work together over the next 18 months to ensure the implementation of SCA by 14 March 2021.
For the online banking industry, the FCA is concerned that some third-party providers (TPPs) may not be able to continue providing their services after 14 September 2019. These TPPs have not been able to use, and migrate their customers to, new or modified interfaces, and the implementation of SCA will prevent TPPs from accessing account data without the customer being present. The FCA believes this will cause significant disruption for customers of open banking services provided by such TPPs. To avoid this, the FCA has agreed an adjustment period that, in certain circumstances, gives firms an extension until 14 March 2020 to implement SCA for online banking.
Account servicing payment service providers (ASPSPs) are encouraged to use the additional time to adjust the modified customer interface (MCI) to support ongoing access. TPPs are required to move to access based on application programming interface (API) standards as soon as possible. During the adjustment period, TPPs should use an electronic identification, authentication and trust services (eIDAS) certificate or an equivalent certificate to identify themselves. Where it is not possible to do so, such as when accessing accounts via existing screen-scraping channels, they should continue to be transparent and open about their identities.
After 14 March 2020, failure to comply with the requirements for SCA and identification will be subject to full FCA supervisory and enforcement action.