Strong customer authentication (SCA) requirements under the Payment Services Regulations 2017 technically came into effect on 14 September 2019 – our previous article covering SCA can be found here. However, the deadlines for complying with SCA requirements have been extended several times due to challenges in implementation.

SCA must be applied whenever a payer:

  • initiates an electronic payment transaction
  • accesses their payment account online (whether directly or through an account information service provider (AISP))
  • carries out any action remotely that may imply a risk of payment fraud, unless an exemption applies

Payment service providers (PSPs) were required to comply with SCA requirements with respect to online and mobile banking by 14 March 2020.

In relation to card-based e-commerce transactions, the FCA granted an extension of time for implementation due to concerns about industry readiness and the impact on consumers and merchants, and another extension in response to the Covid-19 crisis.  The industry continues to face implementation challenges and so the FCA has granted a further 6-month extension from 14 September 2021 to 14 March 2022 for full SCA compliance for e-commerce transactions.  In the meantime, the FCA still expects firms to continue to take robust action to reduce the risk of fraud.

SCA requirements do not only impact PSPs.  E-commerce merchants need to cooperate with the cards industry to implement SCA.  The FCA points out that merchants that aren’t able to fully comply with anti-fraud requirements risk their customers’ online transactions being declined.  The FCA is still encouraging merchants to process SCA-compliant transactions from 1 June 2021 in accordance with the agreed UK Finance Roadmap.  After 14 March 2022 any failure to comply with SCA requirements may result in FCA supervisory or enforcement action. 

A reminder: what is SCA?

SCA is the procedure by which PSPs verify that a person requesting access to an account or attempting to make a payment is permitted to do so. It must be based on at least two of the following independent factors:

  • something known only by the payment service user ("knowledge")
  • something held only by the payment service user ("possession") and
  • something inherent to the payment service user ("inherence")

What are the key legal and regulatory requirements in the UK?

The key sources of requirements include:

  • Payment Services Regulations 2017
  • Technical Standards on Strong Customer Authentication and Common and Secure Methods of Communication Instrument 2019 (UK SCA-RTS)
  • Technical Standards on Strong Customer Authentication and Common and Secure Methods of Communication (Amendment of Testing Provisions) Instrument 2019

The 2019 instruments listed above amended and revoked Commission Delegated Regulation (EU) 2018/389, which supplements PSD2 with regard to regulatory technical standards (RTS) for SCA and common and secure open standards of communication.

For more information about steps that you should take in preparation for SCA compliance, please get in touch with James Gill or Wendy Saunders.