SCA: enforcement delayed
4 Sep 2019 12:09 PM
The FCA has taken the decision to delay the enforcement of strong customer authentication (SCA), set in the Payment Services Regulations 2017 (PSRs), by a further 18 months.
Strong Customer Authentication, are intended to enhance the security of payments and limit fraud during this authentication process. SCA affects the way banks or other payment services providers check that the person requesting access to their account or trying to make a payment is the person permitted to make a payment and validate specific payment instructions.
SCA applies when a payer:
- initiates an electronic payment transaction
- accesses their payment account online
- carries out any action remotely that may imply a risk of payment fraud
The new deadline for enforcement of SCA is now 14 March 2021. Any firm that fails to comply with the requirements for SCA, after this date, will be subject to full FCA supervisory and enforcement action as appropriate.
The FCA indicated that all parties involved in card-not-present transactions, both FCA regulated and unregulated, should continue to work together over the next 18 months to ensure the smooth and timely implementation of SCA by 14 March 2021.
SCA and PSD2: same deadline but a 6-month transition period
Account servicing payment service providers are required to have a PSD2-compliant way to provide TPPs with access to account data and payment functionality by 14 September 2019. This is either by a dedicated interface based on application programming interface standards or a modified customer interface. This remains the case.
However, to avoid disruption to consumers and TPPs the FCA has agreed an adjustment period of six months. Therefore, in certain circumstances, firms have until 14 March 2020 to implement SCA for online banking.
After 14 March 2020, failure to comply with the requirements for SCA and identification will be subject to full FCA supervisory and enforcement action as appropriate.
This is likely to mean that some, but not all, customers may not be asked for strong customer authentication when accessing their account online until 14 March 2020. Firms are expected to communicate with customers about any relevant changes to their online banking, including timings of such changes.