Our expectations of firms when implementing Strong Customer Authentication (SCA), including for e-commerce and online banking.
Since 14 September 2019, rules have applied that affect the way banks and other payment services providers check that the person requesting access to an account or trying to make a payment is permitted to do so.
The new rules, referred to as SCA, are intended to enhance the security of payments and limit fraud during this authentication process.
These rules are set in the Payment Services Regulations 2017 (PSRs) and the related technical standards. They apply when a payer:
- initiates an electronic payment transaction
- accesses their payment account online
- carries out any action remotely that may imply a risk of payment fraud, unless an exemption applies
We expect firms to develop SCA solutions that work for all groups of consumers.
This means that you may need to provide several different methods of authentication for your customers. This includes methods that don’t rely on mobile phones, to cater for consumers who don’t have, or don’t want to use, a mobile phone.
Where these are not in place, or if you're facing difficulties, we expect you to discuss this with us as a priority.
Applying SCA to online banking
Use of certificates
If you’re an account servicing payment service provider (ASPSP), you must make sure that your interface is capable of enabling a third party provider (TPP) to identify itself using an eIDAS certificate, as well as at least one other electronic form of identification issued by an independent third party.
SCA reauthentication exemption
In PS 21/19 we introduced several changes to the Regulatory Technical Standards on Strong Customer Authentication and Secure Communication (SCA-RTS). This includes the creation of a new exemption under Article 10A which, if adopted by ASPSPs, means customers will not need to reauthenticate when they access their account information through a TPP. Instead, TPPs will be required to obtain explicit consent from customers at least every 90 days.
We strongly encourage ASPSPs to apply the exemption as soon as possible after the changes to the SCA-RTS come into effect on 26 March 2022, with a view to widespread adoption of the exemption by 30 September 2022. Implementing this change will help remove the barriers we identified to the continued growth of open banking, and will support competition and innovation in the sector.
We expect TPPs to be technically ready to reconfirm customer consent under Article 36(6) of the SCA-RTS as soon as possible after 26 March 2022. However, up to 30 September 2022 we will not object if TPPs do not reconfirm customer consent, provided that SCA is applied at least every 90 days during that period. This is to limit the risk of consumer disruption while ensuring that, in any 90-day period, either SCA has been applied or re-consent has been obtained.
Conditions to apply the contactless exemption to SCA
The rules include exemptions from applying SCA, including the contactless exemption under Article 11 of the SCA-RTS.
If you’re an issuer, you may choose not to apply SCA to contactless point-of-sale transactions if the specific conditions in Article 11 are met. We recognise the benefits to consumers and merchants of the ongoing use of contactless card transactions in the UK.
Contactless charitable donations
We are aware of concerns within the charity sector that the new requirements on SCA may lead to disruption in the existing use and future growth of contactless donations.
Due to the social benefit of contactless donations, and the associated low risk of fraud, we strongly encourage card issuers and acquirers to continue to work with the charity sector to make sure that contactless donations are not disrupted due to SCA requirements.
Contactless charitable donations are typically made using offline terminals that have no PIN entry functionality, so a transaction that is stepped up for authentication cannot be completed at the terminal.
The introduction of SCA does not mean that these terminals need to be replaced. The industry may continue to process those payments as it currently does, including by deciding to decline some of these transactions after the event.
You should contact us if you’re facing difficulties.
30/04/2020: Information changed (Coronavirus update)