Our expectations of firms when implementing Strong Customer Authentication (SCA), including information on applying SCA to e-commerce and online banking.
Since 14 September 2019, rules have applied that affect the way banks and other payment services providers check that the person requesting access to an account or trying to make a payment is permitted to do so. We have agreed to give firms extra time to implement these rules in some circumstances.
The new rules, referred to as SCA, are intended to enhance the security of payments and limit fraud during this authentication process.
These rules are set in the Payment Services Regulations 2017 (PSRs) and the related technical standards. They apply when a payer:
- initiates an electronic payment transaction
- accesses their payment account online
- carries out any action remotely that may imply a risk of payment fraud, unless an exemption applies
We expect firms to develop SCA solutions that work for all groups of consumers.
This means that you may need to provide several different methods of authentication for your customers. This includes methods that don’t rely on mobile phones, to cater for consumers who don’t have, or don’t want to use, a mobile phone.
Where these are not in place, or if you're facing difficulties, we expect you to discuss this with us as a priority.
Minimising disruption to consumers
We also want firms to implement SCA in a way that minimises disruption to, and ensures good outcomes for, consumers. As a result, we have agreed to provide extra time to implement the requirements in the following areas below.
Applying SCA to e-commerce
As of 14 March 2020, firms should comply with requirements for SCA with respect to online and mobile banking.
We previously agreed to give firms extra time to implement SCA for card-based e-commerce transactions in response to concerns about industry readiness, and to limit the impact on consumers and merchants. We wrote a Dear CEO to firms in August 2019 to outline our expectations for compliance. We also provided a further 6-month extension in response to the coronavirus (Covid-19) crisis. 14 March 2022 is the latest we expect full SCA compliance for e-commerce transactions.
We support and welcome the implementation of SCA solutions which protect consumers while minimising the potential for disruption to customers and merchants.
We expect firms to continue to take robust action to reduce the risk of fraud. If a firm can apply SCA to an e-commerce transaction it should do so.
We encourage e-commerce merchants to continue to cooperate with the cards industry to implement SCA for the benefit of consumers.
We continue to encourage merchants to now be ready to process SCA-compliant transactions in accordance with the agreed UK Finance Roadmap.
On 6 October 2021 we wrote to CEOs to reiterate our expectation that firms are fully compliant with SCA requirements by 14 March 2022, taking all reasonable steps to support consumer and merchant readiness. Any firm that fails to comply with the requirements for SCA after this date may be subject to supervisory or enforcement action, where appropriate.
CP21/3 update on scope of inherence factors
The European Banking Authority (EBA) published their view of inherence for the purpose of SCA in their June 2019 Opinion. Inherence (something the user is) is 1 of the 3 authentication elements defined under the PSRs, alongside knowledge (something only the user knows) and possession (something the user possesses).
We consulted in CP21/3 on amending our Approach Document to reflect the EBA’s view. We recognise that some firms are currently developing SCA solutions and requested a decision on this question as soon as possible.
Having considered consultation responses, we have chosen not to incorporate the EBA’s view of inherence in our Approach Document. We will publish our rationale for this decision and a summary of consultation responses in our Policy Statement later this year.
Firms must ensure that any individual SCA inherence solution they use complies with regulatory requirements, including Article 8 of our Technical Standards for Strong Customer Authentication.
What firms with e-commerce customers should do
Speak to your trade association and UK Finance to get more information on the agreed plan. To ensure readiness by 14 March 2022, we strongly encourage all firms to cooperate and engage with wider industry efforts to coordinate implementation of SCA in line with the plan.
In the meantime, you must continue to take appropriate steps to manage your fraud risk. We encourage you to be open and transparent with consumers and merchants to minimise the risk of unexpected disruption to payments.
Our agreement not to take action to enforce the strict requirements of SCA is meant to avoid unintended consequences for consumers and merchants, so long as:
- firms do not act outside the agreed industry delivery plan in ways that cause unnecessary problems for consumers or merchants
- all parties involved in card-not-present transactions, both FCA regulated and unregulated, continue to work together to ensure the smooth implementation of SCA from 1 June 2021
Merchants that aren’t able to fully comply with anti-fraud requirements risk their customers’ online transactions being declined.
On 12 April 2021, we wrote to payment service providers that provide transaction acquiring services to merchants, asking them to send an agreed industry communication to their customers.
We expect firms to take all necessary steps to support merchants, monitor merchants’ readiness and progress, and continue to explain the consequences of not being ready.
Applying SCA to online banking
Use of certificates
If you’re an account servicing payment service provider (ASPSP), you must make sure that your interface is capable of enabling a third party provider (TPP) to identify itself using an eIDAS certificate, as well as at least one other electronic form of identification issued by an independent third party.
However, you can enable TPPs to use a certificate obtained from a provider of an API programme that does not meet the requirements of the revised Article 34.
The use of these certificates is only valid when TPPs have also presented a compliant certificate to that API programme. The provider of the API programme should validate the certificate and continue checking, on your behalf, the status of the TPP’s compliant certificate. This transitional arrangement ends on 30 June 2021.
Conditions to apply the contactless exemption to SCA
The rules include exemptions to how you apply SCA, including the contactless exemption under Article 11 RTS-SCA.
If you’re an issuer, you may choose not to apply SCA to contactless point of sale transactions if specific conditions are met. We recognise the benefits to consumers and merchants of ongoing use of contactless card transactions in the UK.
Contactless charitable donations
We are aware of concerns within the charity sector that the new requirements on SCA may lead to disruption in the existing use and future growth of contactless donations.
Due to the social benefit of contactless donations, and the associated low risk of fraud, we strongly encourage card issuers and acquirers to continue to work with the charity sector to make sure that contactless donations are not disrupted due to the new SCA requirements.
Contactless charitable donations are typically made using offline terminals without functionality to support PIN entry if a transaction is stepped-up for authentication.
The introduction of SCA does not mean that these terminals need to be replaced. The industry may continue to process those payments as they currently do now, including by deciding to decline some of these transactions after the event.
You should contact us if you’re facing difficulties.
30/04/2020: Information changed Coronavirus update