Strong Customer Authentication

From 14 September 2019, new rules apply that affect the way banks or other payment services providers check that the person requesting access to their account or trying to make a payment is the person permitted to make a payment and validate specific payment instructions. We have agreed to give firms extra time to implement these rules in some circumstances. We explain our expectations.

The new rules, referred to as Strong Customer Authentication (SCA), are intended to enhance the security of payments and limit fraud during this authentication process.

These rules are set in the Payment Services Regulations 2017 (PSRs) and related EU standards. Unless an exemption applies, they apply when a payer:

  • initiates an electronic payment transaction
  • accesses their payment account online
  • carries out any action remotely that may imply a risk of payment fraud

We expect firms to develop SCA solutions that work for all groups of customers. This means that you may need to provide several different methods of authentication for your customers. This includes methods that do not rely on mobile phones to cater for consumers who will not have or are unable to use a mobile phone. If this is not the case, or where firms are facing difficulties, we expect them to discuss this with us as priority. 

Minimising disruption to consumers

We also want firms to implement SCA in a way that minimises disruption to, and ensures good outcomes for, consumers. As a result, we have agreed to exercise some supervisory flexibility to give firms extra time to implement the requirements in the following areas:

Applying SCA to e-commerce

In response to concerns about industry readiness to apply SCA to e-commerce card transactions, and to minimise potential disruption to consumers and merchants, the European Banking Authority (EBA) accepted that the FCA and other National Competent Authorities may give some firms extra time to implement SCA.

At our request, UK Finance co-ordinated an industry plan to implement SCA for card-not-present transactions for e-commerce as soon as practicable.

We have reviewed the plan and welcome the industry’s commitment to a timely, coordinated and collaborative approach. We have also written to affected firms setting out our expectation.

We will not take enforcement action against firms simply for not meeting the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. 

After 14 March 2021, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action as appropriate.

What e-commerce firms should do

Speak to your trade association and UK Finance to get more information on the agreed plan. We strongly encourage all firms to cooperate and engage with wider industry efforts to coordinate implementation of SCA in line with the plan.

In the meantime, firms need to continue to take appropriate steps to manage their fraud risk. We encourage them to be open and transparent with consumers and merchants to minimise the risk of unexpected disruption to payments.

Our agreement not to take enforcement action is meant to avoid unintended consequences for consumers and merchants. We expect:

  • firms not to act outside the agreed industry delivery plan in ways that cause unnecessary problems for consumers or merchants
  • all parties involved in card-not-present transactions, both FCA regulated and unregulated, should continue to work together over the next 18 months to ensure the smooth and timely implementation of SCA by 14 March 2021

Applying SCA to online banking

We are concerned that some third-party providers (TPPs) may not be able to continue providing their services after 14 September 2019. This is because TPPs have not always been able to use and migrate their customers to new or modified interfaces, and the implementation of SCA will prevent TPPs from accessing account data without the customer being present. This could cause significant disruption for customers of open banking services provided by TPPs.  

To avoid disruption to consumers and TPPs we have agreed an adjustment period. Therefore, in certain circumstances, firms have until 14 March 2020 to implement SCA for online banking.

Firms required to provide access to TPPs

Account servicing payment service providers (ASPSPs) are required to have a PSD2-compliant way to provide TPPs with access to account data and payment functionality by 14 September 2019. This is either by a dedicated interface based on application programming interface standards (APIs) or a modified customer interface (MCI). This remains the case.

However, where an ASPSP is providing access to TPPs through APIs, and did not have all payment accounts accessible by APIs on or before 14 June 2019, it should keep existing screen-scraping channels available during the adjustment period. This means not applying SCA to access accounts online during this period.

Where an ASPSP is providing or intends to provide access to TPPs through an MCI, it may choose not to apply SCA during the adjustment period. Where possible, these firms are encouraged to use this additional time to adjust the MCI so it can support ongoing 90-day access without the customer re-authenticating with SCA (see Article 10 of the SCA-RTS).

We encourage all ASPSPs to make use of Article 10 of the SCA-RTS.

All ASPSPs should tell TPPs how they can access accounts during the adjustment period. We encourage use of the Open Banking Implementation Entity’s transparency calendar for this purpose. 

All ASPSPs need to continue to take appropriate steps to manage their fraud risk.

Use of eIDAS certificates

During the adjustment period, ASPSPs are encouraged to allow TPPs that do not yet have an electronic identification, authentication and trust services (eIDAS) certificate and are accessing accounts via APIs, to use an equivalent certificate enabling secure identification (for instance an Open Banking certificate).

All ASPSPs should tell TPPs which certificates they will accept during the adjustment period. We encourage use of the Open Banking Implementation Entity’s transparency calendar for this purpose. 

What this means for customers 

This is likely to mean that some, but not all, customers may not be asked for strong customer authentication when accessing their account online until 14 March 2020. We expect firms communicate with customers about any relevant changes to their online banking, including timings of such changes.

What this means for TPPs

Where relevant, during the adjustment period, TPPs should be able to continue using existing screen-scraping methods to access payment accounts online.

TPPs should make every effort to move to API access where available as soon as possible during this period. By 14 March 2020, TPPs should only access these ASPSPs via APIs.

We encourage TPPs to seek more information, for instance by consulting the Open Banking Implementation Entity’s transparency calendar.

During the adjustment period, TPPs should use an eIDAs or an equivalent certificate to identify themselves. Where it is not possible to do so, for instance when accessing accounts via existing screen-scraping channels, they should continue to be transparent and open about their identities.

After the adjustment period

After 14 March 2020, failure to comply with the requirements for SCA and identification will be subject to full FCA supervisory and enforcement action as appropriate.

Brexit and SCA

The implementation of SCA is European-wide. The implementation is not affected by the current plan for the UK to leave the EU on 31 October 2019.