From 14 September 2019, new rules apply that affect the way banks and other payment service providers check that the person requesting access to an account, or trying to make a payment, is permitted to do so, and the way they validate specific payment instructions. We have agreed to give firms extra time to implement these rules in some circumstances. We explain our expectations below.
The new rules, referred to as Strong Customer Authentication (SCA), are intended to enhance the security of payments and limit fraud during this authentication process.
These rules are set in the Payment Services Regulations 2017 (PSRs) and related EU standards. Unless an exemption applies, they apply when a payer:
- initiates an electronic payment transaction
- accesses their payment account online
- carries out any action remotely that may imply a risk of payment fraud
We expect firms to develop SCA solutions that work for all groups of customers. This means that you may need to provide several different methods of authentication for your customers, including methods that do not rely on mobile phones, to cater for consumers who do not have, or are unable to use, a mobile phone. If this is not the case, or where firms are facing difficulties, we expect them to discuss this with us as a priority.
Minimising disruption to consumers
We also want firms to implement SCA in a way that minimises disruption to, and ensures good outcomes for, consumers. As a result, we have agreed to exercise some supervisory flexibility to give firms extra time to implement the requirements in the following areas:
Applying SCA to e-commerce
In response to concerns about industry readiness to apply SCA to e-commerce card transactions, and to minimise potential disruption to consumers and merchants, the European Banking Authority (EBA) accepted that the FCA and other National Competent Authorities may give some firms extra time to implement SCA.
At our request, UK Finance co-ordinated an industry plan to implement SCA for card-not-present transactions for e-commerce as soon as practicable.
We have reviewed the plan and welcome the industry’s commitment to a timely, coordinated and collaborative approach. We have also written to affected firms setting out our expectation.
We will not take enforcement action against firms simply for not meeting the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan.
After 14 March 2021, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action as appropriate.
What e-commerce firms should do
Speak to your trade association and UK Finance to get more information on the agreed plan. We strongly encourage all firms to cooperate and engage with wider industry efforts to coordinate implementation of SCA in line with the plan.
In the meantime, firms need to continue to take appropriate steps to manage their fraud risk. We encourage them to be open and transparent with consumers and merchants to minimise the risk of unexpected disruption to payments.
Our agreement not to take enforcement action is meant to avoid unintended consequences for consumers and merchants. We expect:
- firms not to act outside the agreed industry delivery plan in ways that cause unnecessary problems for consumers or merchants
- all parties involved in card-not-present transactions, both FCA-regulated and unregulated, to continue to work together over the next 18 months to ensure the smooth and timely implementation of SCA by 14 March 2021
Applying SCA to online banking
We are concerned that some third-party providers (TPPs) may not be able to continue providing their services after 14 September 2019. This is because TPPs have not always been able to use and migrate their customers to new or modified interfaces, and the implementation of SCA will prevent TPPs from accessing account data without the customer being present. This could cause significant disruption for customers of open banking services provided by TPPs.
To avoid disruption to consumers and TPPs we have agreed an adjustment period. Therefore, in certain circumstances, firms have until 14 March 2020 to implement SCA for online banking.
Firms required to provide access to TPPs
Account servicing payment service providers (ASPSPs) are required to have a PSD2-compliant way to provide TPPs with access to account data and payment functionality by 14 September 2019. This is either a dedicated interface based on application programming interfaces (APIs) or a modified customer interface (MCI). This remains the case.
However, where an ASPSP is providing access to TPPs through APIs, and did not have all payment accounts accessible by APIs on or before 14 June 2019, it should keep existing screen-scraping channels available during the adjustment period. This means not applying SCA to access accounts online during this period.
Where an ASPSP is providing or intends to provide access to TPPs through an MCI, it may choose not to apply SCA during the adjustment period. Where possible, these firms are encouraged to use this additional time to adjust the MCI so it can support ongoing 90-day access without the customer re-authenticating with SCA (see Article 10 of the SCA-RTS).
We encourage all ASPSPs to make use of Article 10 of the SCA-RTS.
All ASPSPs should tell TPPs how they can access accounts during the adjustment period. We encourage use of the Open Banking Implementation Entity’s transparency calendar for this purpose.
All ASPSPs need to continue to take appropriate steps to manage their fraud risk.
Use of eIDAS certificates
During the adjustment period, ASPSPs are encouraged to allow TPPs that do not yet have an electronic identification, authentication and trust services (eIDAS) certificate, and are accessing accounts via APIs, to use equivalent certificates that enable secure identification (one example is an Open Banking certificate).
All ASPSPs should tell TPPs which certificates they will accept during the adjustment period. We encourage use of the Open Banking Implementation Entity’s transparency calendar for this purpose.
Following the adjustment period, we expect all ASPSPs and TPPs to rely on eIDAS certificates for the purpose of identification. This means that an ASPSP must ensure that its interface is capable of enabling a TPP to identify itself using only its eIDAS certificate.
Additionally, if TPPs agree voluntarily to it, ASPSPs can also enable TPPs to use a certificate obtained from a provider of an API programme, so long as that provider only issues the alternative identification certificate to a TPP that has enrolled with the API programme using its eIDAS certificate to identify itself. The provider of the API programme should continue checking, on behalf of the ASPSP, the status of the TPP’s eIDAS certificate with the Qualified Trust Service Provider (“QTSP”).
What this means for customers
This is likely to mean that some, but not all, customers may not be asked for strong customer authentication when accessing their account online until 14 March 2020. We expect firms to communicate with customers about any relevant changes to their online banking, including the timing of such changes.
What this means for TPPs
Where relevant, during the adjustment period, TPPs should be able to continue using existing screen-scraping methods to access payment accounts online.
TPPs should make every effort to move to API access where available as soon as possible during this period. By 14 March 2020, TPPs should only access these ASPSPs via APIs.
We encourage TPPs to seek more information, for instance by consulting the Open Banking Implementation Entity’s transparency calendar.
During the adjustment period, TPPs should use an eIDAS or an equivalent certificate to identify themselves. Where it is not possible to do so, for instance when accessing accounts via existing screen-scraping channels, they should continue to be transparent and open about their identities.
After the adjustment period
After 14 March 2020, failure to comply with the requirements for SCA and identification will be subject to full FCA supervisory and enforcement action as appropriate.
Conditions to apply the contactless exemption to SCA
The rules include exemptions from applying SCA, including the contactless exemption under Article 11 of the SCA-RTS. Issuers may choose not to apply SCA to contactless point-of-sale transactions if specific conditions are met.
We recognise the benefits to consumers and merchants of ongoing use of contactless card transactions in the UK.
What it means for firms
If not already in place, all firms processing contactless card transactions should make every effort to have appropriate systems and controls so that all contactless payments meet the conditions to apply the exemption as soon as possible and by 14 March 2020 at the latest.
To continue to process contactless transactions that may not meet the conditions for applying the contactless exemption during that period, firms should also continue to maintain low fraud rates and use their current systems and controls to get as close to compliance as possible.
Firms may comply via a host-based solution, or a chip-based solution through the re-issuance of compliant chip-based cards. Firms should consider the risk of unauthorised or non-compliant contactless transactions being made and monitor the implementation of their solution. We expect firms choosing a chip-based solution to prioritise identification and re-issuance of those cards that are used by customers to make contactless payments.
Contactless charitable donations
We are aware of concerns within the charity sector that the new requirements on SCA may lead to disruption in the existing use and future growth of contactless donations.
Due to the social benefit of contactless donations, and the associated low risk of fraud, we strongly encourage card issuers and acquirers to continue to work with the charity sector to ensure that contactless donations are not disrupted due to the new SCA requirements.
Contactless charitable donations are typically made using offline terminals without functionality to support PIN entry if a transaction is stepped up for authentication. The introduction of SCA does not mean that these terminals need to be replaced. The industry may continue to process those payments as it does now, including by deciding to decline some of these transactions after the event.
Coronavirus (Covid-19) and SCA
The SCA rules aim to reduce fraud. We expect firms during these difficult times to protect consumers from risks, including the risk of unauthorised transactions and fraud. More specifically, we expect firms to monitor their fraud rates and take swift action if they see their fraud rates rising or new patterns of fraud. We also understand that firms are likely to be under significant pressure during this period. So we are bringing in some changes to help.
We support the use of contactless payments and welcome the industry’s initiative to increase the contactless limit. To further facilitate this, we confirm that, in the current circumstances, we are very unlikely to take enforcement action if a firm does not apply strong customer authentication when the cumulative value of contactless transactions has exceeded EUR 150, or after five contactless transactions in a row. But this is only as long as the firm sufficiently mitigates the risk of unauthorised transactions and fraud, by having the necessary fraud monitoring tools and systems in place and taking swift action where appropriate.
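As an added illustration of the contactless exemption discussed under "Conditions to apply the contactless exemption to SCA" and the EUR 150 / five-transaction thresholds referred to above, the following Python sketch shows the per-card counters an issuer keeps in order to decide whether Article 11 of the SCA-RTS can be applied to a contactless transaction; it is not FCA guidance or any issuer's code. The EUR 50 single-transaction ceiling is the figure in the SCA-RTS; the conservative "step up the transaction that would cross a limit" reading and the sample amounts are assumptions.

```python
from dataclasses import dataclass

# Thresholds from Article 11 of the SCA-RTS (Commission Delegated Regulation (EU) 2018/389).
MAX_SINGLE_EUR = 50.00       # ceiling for any single contactless transaction
MAX_CUMULATIVE_EUR = 150.00  # cumulative value of contactless transactions since the last SCA
MAX_CONSECUTIVE = 5          # consecutive contactless transactions since the last SCA


@dataclass
class CardCounters:
    """Per-card state an issuer keeps since the cardholder last completed SCA.
    `mode` is the counter the issuer has chosen to apply: 'amount' or 'count'."""
    mode: str = "amount"
    cumulative_eur: float = 0.0
    consecutive: int = 0

    def reset_after_sca(self) -> None:
        """Call once the cardholder has successfully completed SCA (e.g. chip and PIN)."""
        self.cumulative_eur = 0.0
        self.consecutive = 0


def contactless_decision(state: CardCounters, amount_eur: float) -> str:
    """Return 'exempt' if the Article 11 exemption can be applied to this contactless
    point-of-sale transaction, otherwise 'step_up' (the issuer must apply SCA).
    Assumed conservative reading: a transaction that would push the since-last-SCA
    total over a limit is itself stepped up."""
    if amount_eur > MAX_SINGLE_EUR:
        return "step_up"
    if state.mode == "amount" and state.cumulative_eur + amount_eur > MAX_CUMULATIVE_EUR:
        return "step_up"
    if state.mode == "count" and state.consecutive + 1 > MAX_CONSECUTIVE:
        return "step_up"
    state.cumulative_eur += amount_eur
    state.consecutive += 1
    return "exempt"


def run_sequence(mode: str, amounts_eur: list) -> list:
    """Replay a sequence of contactless amounts for one card, resetting the counters
    whenever a step-up is answered with a successful SCA."""
    state = CardCounters(mode=mode)
    decisions = []
    for amount in amounts_eur:
        decision = contactless_decision(state, amount)
        if decision == "step_up":
            state.reset_after_sca()  # assume the cardholder completed SCA at the terminal
        decisions.append(decision)
    return decisions


# Constructed sample: six EUR 35 taps followed by a EUR 60 purchase.
SAMPLE = [35.0, 35.0, 35.0, 35.0, 35.0, 35.0, 60.0]
```

Whichever counter the issuer applies, the state must be reset only on a successful SCA, and the decisions themselves are the data a fraud-monitoring team would watch for unusual step-up or exemption rates.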
The current challenges arising from Covid-19 are likely to affect the planned implementation of SCA for e-commerce. We welcome the progress so far and the industry’s continuing effort to meet milestones ahead of 14 March 2021. We will work closely with the industry to agree any changes to the milestones and timelines that may be needed.
The SCA requirements for online banking have applied since 14 September 2019 (with an adjustment period until 14 March 2020). For firms that haven’t met the requirements, and are facing further delays due to coronavirus, we will consider on a case-by-case basis the appropriate further measures.
In doing so, we will in particular consider:
- firms’ security around authentication to access their online banking and when making payments
- their controls and processes to reduce fraud
- whether that impact is likely to be exacerbated given the current circumstances
We will continue to monitor the situation and are keeping our decisions under review.
Firms should contact us if they are facing difficulties.