23/09/2019

Strong Customer Authentication to be delayed for the financial sector

Since 14 September 2019, Payment Service Providers (PSPs) have been required by EU legislation to take extra steps in the verification of their customers and the validation of specific payment instructions. However, the Financial Conduct Authority (FCA) has agreed to postpone the enforcement of the new directive until 14 March 2020, giving financial firms more time to implement these practices. Oliver Woodhouse explains.

The new rules, referred to as Strong Customer Authentication (SCA), aim to reduce the risk of online fraud and identity theft by providing better security for customers, whilst standardising the payment authentication process across Europe. They will be unaffected by Brexit and, unless an exemption applies, they apply when a payer:

  • initiates an electronic payment transaction
  • accesses their payment account online
  • carries out any action remotely that may imply a risk of payment fraud

The FCA expects firms to develop SCA solutions that work for all groups of customers – implying that several consumer-friendly methods of authentication may be needed. For example, firms shouldn’t assume that all of their customers are able to or want to use a mobile phone.

Back in July 2019, the European Banking Authority (EBA) first raised concerns about firms’ implementation of the SCA by the original legal deadline. It believed that more time was needed for implementation because of the complexity of the requirements, the lack of preparedness of firms across the industry, and the significant disruption to consumers.

In practice, complications arise as merchants and PSPs need to work together with multiple players in the e-commerce space, all with the aim of improving customer experience in the electronic payment processes. A blanket approach to enforce these rules by September 2019 would have led to a negative backlash, so the FCA requested UK Finance to coordinate an “industry plan” for a smoother transition towards full SCA compliance.

As a result of these discussions, the FCA has agreed not to take enforcement action against non-compliant firms from 14 September – if the firm can show it has taken steps to roll out SCA.

The “impact on consumers” will be felt by both traditional PSPs – such as banks and other financial institutions which “onboard” clients in a traditional, non-technology-focussed way – and small firms with limited resources available. Ultimately, the purpose of the SCA is to “even the playing field” for all payment service providers, whilst ensuring that the interests of consumers are proficiently managed across a multitude of platforms and technologies.

The alignment of services is just another neat piece in Europe’s consumer protection agenda. What’s more surprising is the FCA’s acceptance of a rather generous period of delayed implementation – 18 months – despite the potential “disruption of services to consumers”. However, this delay and transitional period will be very welcome to those companies who’d struggle with a 2019 deadline and is a small compromise towards the bigger ‘customer journey’ improvement picture.

If you have any concerns about compliance with the SCA or with the EU Payment Services Directive (PSD2) in general, please contact our Regulatory team for bespoke advice tailored to your business.