Our expectations of firms when implementing Strong Customer Authentication (SCA), including information on applying SCA to e-commerce and online banking.
From 14 September 2019, new rules apply that affect the way banks and other payment services providers check that the person requesting access to an account or trying to make a payment is permitted to do so. We have agreed to give firms extra time to implement these rules in some circumstances.
The new rules, referred to as SCA, are intended to enhance the security of payments and limit fraud during this authentication process.
These rules are set in the Payment Services Regulations 2017 (PSRs) and the related technical standards. They apply when a payer:
- initiates an electronic payment transaction
- accesses their payment account online
- carries out any action remotely that may imply a risk of payment fraud, unless an exemption applies
We expect firms to develop SCA solutions that work for all groups of consumers.
This means that you may need to provide several different methods of authentication for your customers, including methods that don’t rely on mobile phones, to cater for consumers who don’t have, or don’t want to use, a mobile phone.
Where these are not in place, or if you're facing difficulties, we expect you to discuss this with us as a priority.
Minimising disruption to consumers
We also want firms to implement SCA in a way that minimises disruption to, and ensures good outcomes for, consumers. As a result, we have agreed to provide extra time to implement the requirements in the areas below.
Applying SCA to e-commerce
Given the impact of the coronavirus (Covid-19) crisis, we have decided to give the industry an additional 6 months to implement SCA for e-commerce, by a revised date of 14 September 2021. This will minimise potential disruption to consumers and merchants.
We previously announced that the European Banking Authority (EBA) accepted that we and other National Competent Authorities may give some firms extra time to implement SCA. The EBA’s decision was in response to concerns about industry readiness to apply SCA to e-commerce card transactions, and to minimise potential disruption to consumers and merchants.
UK Finance, as coordinator for the industry, has developed a detailed phased implementation plan and critical path with all stakeholders, which we have agreed.
Firms must take all necessary steps to comply with the revised detailed phased implementation plan and critical path to avoid the risk of enforcement action.
After 14 September 2021, any firm that fails to comply with the requirements for SCA will be subject to our supervisory and enforcement action.
What e-commerce firms should do
Speak to your trade association and UK Finance to get more information on the agreed plan. We strongly encourage all firms to cooperate and engage with wider industry efforts to coordinate implementation of SCA in line with the plan.
In the meantime, you must continue to take appropriate steps to manage your fraud risk. We encourage you to be open and transparent with consumers and merchants to minimise the risk of unexpected disruption to payments.
Our agreement not to take enforcement action is meant to avoid unintended consequences for consumers and merchants. We expect:
- firms not to act outside the agreed industry delivery plan in ways that cause unnecessary problems for consumers or merchants
- all parties involved in card-not-present transactions, both FCA-regulated and unregulated, to continue to work together to ensure the smooth and timely implementation of SCA by 14 September 2021
Merchants that aren’t able to fully comply with anti-fraud requirements risk their customers’ online transactions being declined.
On 12 April, we wrote to payment service providers that provide transaction acquiring services to merchants, asking them to send an agreed industry communication to their customers.
We expect firms to take all necessary steps to support merchants, monitor merchants’ readiness and progress, and continue to explain the consequences of not being ready.
Applying SCA to online banking
Use of certificates
If you’re an account servicing payment service provider (ASPSP), you must make sure that your interface is capable of enabling a third party provider (TPP) to identify itself using an eIDAS certificate, as well as at least one other electronic form of identification issued by an independent third party.
However, you can enable TPPs to use a certificate obtained from a provider of an API programme that does not meet the requirements of the revised Article 34.
The use of these certificates is only valid when TPPs have also presented a compliant certificate to that API programme. The provider of the API programme should validate the certificate and continue checking, on your behalf, the status of the TPP’s compliant certificate. This transitional arrangement ends on 30 June 2021.
Conditions to apply the contactless exemption to SCA
The rules include exemptions from applying SCA, including the contactless exemption under Article 11 RTS-SCA.
If you’re an issuer, you may choose not to apply SCA to contactless point of sale transactions if specific conditions are met. We recognise the benefits to consumers and merchants of ongoing use of contactless card transactions in the UK.
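An issuer-side implementation of the Article 11 counters, added here as an example (not the FCA's own code or text): it assumes the EUR 50 single-transaction, EUR 150 cumulative and five-transaction limits from the EU RTS text, kept as parameters because UK sterling limits differ, and takes the conservative reading that the current transaction counts toward the cumulative total.

```python
"""Issuer-side contactless exemption check (Article 11 RTS-SCA), constructed example.

Per card, the issuer tracks the cumulative amount and the number of consecutive
contactless transactions since SCA was last applied; both reset on a step-up.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed limits: EUR figures from the EU RTS text. UK sterling limits differ
# and have changed over time, so treat these as configuration, not law.
SINGLE_LIMIT = Decimal("50")
CUMULATIVE_LIMIT = Decimal("150")
COUNT_LIMIT = 5


@dataclass
class ContactlessState:
    """Counters since the last application of SCA to this card."""
    cumulative: Decimal = Decimal("0")
    count: int = 0


@dataclass
class Issuer:
    cards: dict = field(default_factory=dict)

    def contactless_exempt(self, card: str, amount: Decimal) -> bool:
        """Exemption available if (a) single-amount limit AND ((b) cumulative OR (c) count)."""
        s = self.cards.setdefault(card, ContactlessState())
        if amount > SINGLE_LIMIT:
            return False
        within_amount = s.cumulative + amount <= CUMULATIVE_LIMIT  # conservative: include this txn
        within_count = s.count + 1 <= COUNT_LIMIT
        return within_amount or within_count

    def authorise(self, card: str, amount: Decimal) -> str:
        """Return 'exempt' or 'step_up'; a step-up is assumed to succeed and resets counters."""
        s = self.cards.setdefault(card, ContactlessState())
        if self.contactless_exempt(card, amount):
            s.cumulative += amount
            s.count += 1
            return "exempt"
        s.cumulative, s.count = Decimal("0"), 0
        return "step_up"


def run_sequence(amounts) -> list:
    """Constructed walk-through: one card token, a series of contactless amounts."""
    issuer = Issuer()
    return [issuer.authorise("card-token-1", Decimal(str(a))) for a in amounts]


if __name__ == "__main__":
    for amt, decision in zip([40, 40, 40, 40, 40, 10, 10, 60], run_sequence([40, 40, 40, 40, 40, 10, 10, 60])):
        print(f"{amt:>4} -> {decision}")
```

The sixth transaction is stepped up because both the cumulative amount and the count limit are exceeded, while the eighth is stepped up on the single-amount limit alone.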
Contactless charitable donations
We are aware of concerns within the charity sector that the new requirements on SCA may lead to disruption in the existing use and future growth of contactless donations.
Due to the social benefit of contactless donations, and the associated low risk of fraud, we strongly encourage card issuers and acquirers to continue to work with the charity sector to make sure that contactless donations are not disrupted due to the new SCA requirements.
Contactless charitable donations are typically made using offline terminals without functionality to support PIN entry if a transaction is stepped-up for authentication.
The introduction of SCA does not mean that these terminals need to be replaced. The industry may continue to process those payments as it does now, including by deciding to decline some of these transactions after the event.
You should contact us if you’re facing difficulties.
30/04/2020: Information changed (coronavirus update)