The new rules, referred to as Strong Customer Authentication (SCA), aim to reduce the risk of online fraud and identity theft by providing better security for customers; whilst standardising the payment authentication process across Europe. They will be unaffected by Brexit; and unless an exemption applies, they occur when a payer:
- initiates an electronic payment transaction
- accesses their payment account online
- carries out any action remotely that may imply a risk of payment fraud
The FCA expects firms to develop SCA solutions that work for all groups of customers – implying that several, consumer-friendly methods of authentication may be needed. For example, firms shouldn’t assume that all of its customers are able to or want to use a mobile phone.
Back in July 2019, the European Banking Authority (EBA) first raised concerns about firms’ implementation of the SCA by the original legal deadline. It believed that more time was needed for implementation because of the complexity of the requirements, the lack of preparedness of firms across the industry, and the significant disruption to consumers.
In practice, complications arise as merchants and PSPs need to work together with multiple players in the e-commerce space, all with the aim of improving customer experience in the electronic payment processes. A blanket approach to enforce these rules by September 2019 would have led to a negative backlash, so the FCA requested UK Finance to coordinate an “industry plan” for a smoother transition towards full SCA compliance.
As a result of these discussions, the FCA has agreed not to take enforcement action against non-compliant firms from 14 September – if the firm can show they’ve taken steps to roll out SCA.
The “impact on consumers” will be felt by both traditional PSPs – such as banks and other financial institutions which “onboard” clients in a traditional, non-technology focussed way – and small firms with limited resources available. Ultimately, the purpose of the SCA is to “even the playing field” for all payment service providers; whilst ensuring that the interests of consumers are proficiently managed across a multitude of platforms and technologies.
The alignment of services is just another neat piece in Europe’s consumer protection agenda. What’s more surprising is the FCA’s acceptance of a rather generous period of delayed implementation – 18 months – despite the potential “disruption of services to consumers”. However, this delay and transitional period will be very welcome to those companies who’d struggle with a 2019 deadline and is a small compromise towards the bigger ‘customer journey’ improvement picture.
If you have any concerns on compliance with the SCA or with the EU Payments Services Directive (PSD2) in general, please contact our Regulatory team for bespoke advice tailored to your business.