Our expectations of firms when implementing Strong Customer Authentication (SCA), including information on applying SCA to e-commerce and online banking.
Since 14 September 2019, rules have applied that affect the way banks and other payment services providers check that the person requesting access to an account or trying to make a payment is permitted to do so. We have agreed to give firms extra time to implement these rules in some circumstances.
The new rules, referred to as SCA, are intended to enhance the security of payments and limit fraud during this authentication process.
These rules are set in the Payment Services Regulations 2017 (PSRs) and the related technical standards. They apply when a payer:
- initiates an electronic payment transaction
- accesses their payment account online
- carries out any action remotely that may imply a risk of payment fraud, unless an exemption applies
We expect firms to develop SCA solutions that work for all groups of consumers.
This means that you may need to provide several different methods of authentication for your customers. This includes methods that don’t rely on mobile phones, to cater for consumers who don’t have, or won’t want to use, a mobile phone.
Where these are not in place, or if you're facing difficulties, we expect you to discuss this with us as a priority.
Minimising disruption to consumers
We also want firms to implement SCA in a way that minimises disruption to, and ensures good outcomes for, consumers. As a result, we have agreed to provide extra time to implement the requirements in the areas below.
Applying SCA to e-commerce
As of 14 March 2020, firms should already be complying with requirements for SCA with respect to online and mobile banking.
We previously agreed to give firms extra time to implement SCA for card-based e-commerce transactions in response to concerns about industry readiness, and to limit the impact on consumers and merchants. We also provided a further 6-month extension in response to the coronavirus (Covid-19) crisis.
We support and welcome the implementation of SCA solutions which protect consumers while minimising the potential for disruption to customers and merchants.
The development and roll-out of SCA involves coordination across a number of market participants. We recognise the challenges the industry faces in being ready by 14 September 2021 and have therefore decided to extend our deadline by 6 months, to 14 March 2022. This extended date is the latest by which we expect full SCA compliance for e-commerce transactions.
We expect firms to continue to take robust action to reduce the risk of fraud. If a firm can apply SCA to an e-commerce transaction it should do so.
We encourage e-commerce merchants to continue to cooperate with the cards industry to implement SCA for the benefit of consumers.
We continue to encourage merchants to be ready to process SCA-compliant transactions from 1 June 2021 in accordance with the agreed UK Finance Roadmap.
After 14 March 2022, any firm that fails to comply with the requirements for SCA will be subject to our supervisory and enforcement action.
What firms with e-commerce customers should do
Speak to your trade association and UK Finance to get more information on the agreed plan. We strongly encourage all firms to cooperate and engage with wider industry efforts to coordinate implementation of SCA in line with the plan.
In the meantime, you must continue to take appropriate steps to manage your fraud risk. We encourage you to be open and transparent with consumers and merchants to minimise the risk of unexpected disruption to payments.
Our agreement not to take enforcement action is meant to avoid unintended consequences for consumers and merchants. We expect:
- firms not to act outside the agreed industry delivery plan in ways that cause unnecessary problems for consumers or merchants
- all parties involved in card-not-present transactions, both FCA-regulated and unregulated, to continue to work together to ensure the smooth and timely implementation of SCA from 1 June 2021
Merchants that aren’t able to fully comply with anti-fraud requirements risk their customers’ online transactions being declined.
On 12 April, we wrote to payment service providers that provide transaction acquiring services to merchants, asking them to send an agreed industry communication to their customers.
We expect firms to take all necessary steps to support merchants, monitor merchants’ readiness and progress, and continue to explain the consequences of not being ready.
Applying SCA to online banking
Use of certificates
If you’re an account servicing payment service provider (ASPSP), you must make sure that your interface is capable of enabling a third party provider (TPP) to identify itself using an eIDAS certificate, as well as at least one other electronic form of identification issued by an independent third party.
However, you can enable TPPs to use a certificate obtained from a provider of an API programme that does not meet the requirements of the revised Article 34.
The use of these certificates is only valid when TPPs have also presented a compliant certificate to that API programme. The provider of the API programme should validate the certificate and continue checking, on your behalf, the status of the TPP’s compliant certificate. This transitional arrangement ends on 30 June 2021.
Conditions to apply the contactless exemption to SCA
The rules include exemptions to how you apply SCA, including the contactless exemption under Article 11 RTS-SCA.
If you’re an issuer, you may choose not to apply SCA to contactless point of sale transactions if specific conditions are met. We recognise the benefits to consumers and merchants of ongoing use of contactless card transactions in the UK.
Contactless charitable donations
We are aware of concerns within the charity sector that the new requirements on SCA may lead to disruption in the existing use and future growth of contactless donations.
Due to the social benefit of contactless donations, and the associated low risk of fraud, we strongly encourage card issuers and acquirers to continue to work with the charity sector to make sure that contactless donations are not disrupted due to the new SCA requirements.
Contactless charitable donations are typically made using offline terminals that have no PIN-entry functionality, so a transaction cannot be stepped up for authentication at the terminal.
The introduction of SCA does not mean that these terminals need to be replaced. The industry may continue to process those payments as it does now, including by deciding to decline some of these transactions after the event.
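To make the issuer-side logic behind the contactless exemption (and the offline-terminal case above) concrete, here is an added illustration that is not part of this page or any issuer's system. It models the Article 11 RTS-SCA structure (a per-transaction cap, plus either a cumulative-amount cap or a consecutive-transaction cap counted since the last SCA, both counters resetting only when SCA is actually applied); the threshold values are illustrative defaults that an issuer must replace with the limits in force for it.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class ContactlessLimits:
    # Illustrative defaults only (assumption for this example); an issuer must
    # substitute the limits that apply to it under the version of the RTS-SCA in force.
    per_transaction: Decimal = Decimal("50")
    cumulative: Decimal = Decimal("150")
    max_consecutive: int = 5


@dataclass
class CardState:
    """Per-instrument counters an issuer tracks since SCA was last applied."""
    cumulative_since_sca: Decimal = Decimal("0")
    consecutive_since_sca: int = 0

    def record_sca(self) -> None:
        # Counters reset only once SCA has actually been completed, not when it is merely requested.
        self.cumulative_since_sca = Decimal("0")
        self.consecutive_since_sca = 0


def exemption_applies(amount: Decimal, state: CardState, limits: ContactlessLimits) -> bool:
    """Article 11 structure: amount within the per-transaction cap AND
    (cumulative amount since last SCA within cap OR consecutive count since last SCA within cap).
    An issuer may choose to be stricter and require both of the alternatives."""
    if amount > limits.per_transaction:
        return False
    within_cumulative = state.cumulative_since_sca + amount <= limits.cumulative
    within_count = state.consecutive_since_sca + 1 <= limits.max_consecutive
    return within_cumulative or within_count


def decide(amount: Decimal, state: CardState, limits: ContactlessLimits,
           terminal_supports_step_up: bool = True) -> str:
    """Return 'approve' (exemption used, counters advanced), 'step_up' (SCA required and the
    terminal can perform it) or 'decline' (SCA required but an offline terminal cannot step up).
    After a successful step-up the caller must call state.record_sca()."""
    if exemption_applies(amount, state, limits):
        state.cumulative_since_sca += amount
        state.consecutive_since_sca += 1
        return "approve"
    return "step_up" if terminal_supports_step_up else "decline"
```

Tracking the counters per instrument and resetting them only on a completed SCA is the part that is easy to get wrong; a reset on a mere step-up request would let the exemption be reused without authentication ever having taken place.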
You should contact us if you’re facing difficulties.
30/04/2020: Information changed (coronavirus update)