UK Finance recommends 18-month delay for new authentication rules

UK Finance is recommending a minimum 18-month delay to the introduction of Secure Customer Authentication rules in the UK, with a further one-year extension for the hospitality and travel sector.

Taking its lead from the European Banking Authority, the UK's Financial Conduct Authority in June confirmed a delay to the enforcement of stronger payment security standards to give firms more time to prepare.

With the retail sector warning that more than a quarter of payments would fail under the new regime - which demands a two-step verification process for all online purchases over EUR30 - the FCA commissioned UK Finance to draw up an alternative timetable for implementation.

This followed a ruling by the EBA that national authorities could “provide limited additional time” from the initial September 2019 deadline to enable companies to get their act together.

UK Finance is expected to present its recommendations to the FCA next week. They call for a revised March 2021 deadline to implement most of the technical requirements, and a further six months for a full-scale roll out. Companies in the hospitality and travel sector will be given until March 2022 to untangle their “incredibly complex” payment systems.

Discussions are believed to be ongoing among national policy makers over the possibility of co-ordinating the new timetable on a cross-border basis.

Comments: (7)

A Finextra member 07 August, 2019, 15:05

How does this relate to ‘Brexit’?

Melvin Haskins - Haston International Limited - 07 August, 2019, 15:49

It means from 1st November 2019 we no longer have to adhere to the EBA, except for Euro payments.

A Finextra member 08 August, 2019, 14:15

It means the retail sector didn't understand and did not take the time to actually find out. Why have other markets, Scandinavia for instance, said they will be ready?

Raymond Lee - PHOS - London 08 August, 2019, 14:16

Melvin, it still means that if I want to use my UK-issued card to make a purchase outside of the UK, the card issuer will still need to provide SCA of some sort.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 08 August, 2019, 14:50

Kudos to whoever pushed back on the regulators to create this postponement. SCA will indeed be a major conversion killer and blood pressure booster, as we've seen in India. In the USA, they've been postponing FFIEC 2FA guidelines since 2005; it's still not happened. Let's see how long the EU postponement lasts.

Kevin Smith - Riskskill - Reading 08 August, 2019, 18:25

Common sense is eventually being applied here, albeit very late in the day. SCA is very complex; its implementation across so many stakeholders needs to be viewed as not dissimilar to the historic national implementation of chip and PIN across Europe. The specifications, guidance and clarification of implementation requirements have been slow in delivery and refinement. It requires the participation, engagement of and communication to all stakeholders. Further to earlier comments and observations, the UK is definitely not alone in flagging these SCA-related concerns; all European markets are having similar discussions on "are we really going to be ready by 14/09/19, when will we realistically be ready, what needs to happen, what needs to be communicated and to whom". The real implications of poor understanding, not being ready and the threat of penalties for non-compliance would have significant negative impact on merchants and consumers as the end users - not just issuers and acquirers. It has taken strong industry pressure to get UK Finance and FCA to recognise that we collectively are not ready but must have a realistic plan on readiness and compliance with EBA requirements. A suggested delay of 18 months to compliance enforcement will enable stakeholders more time to implement. However, ongoing monitoring and pressure will be critical to ensure parties do not leave everything to the last minute. There will be no more delays. The proposed delay in enforcement after 14/09/19 must be used to ensure that we continue to focus on reducing fraud, educating merchants and consumers and getting the implementation right to minimise adverse impact for merchants and consumers.

John Wojewidka - FaceTec - Las Vegas, Nv 08 August, 2019, 22:08

SCA itself is not necessarily complex. But, it is ill-informed. Because of that, slowing down the requirement is a good idea. There are two reasons for its lack of understanding. The first is governments are relying on vendors ("experts") to provide the foundation of understanding about how it works. Now, they may not have many other sources to edify them, but this is fundamentally flawed. Which brings up the second reason for the befuddlement: the vendors themselves. They are largely not equipped to deliver, so promote the way they do things today to fit into a model that requires something far more effective. For example, a two-step requirement is just as dangerous as a single step if either step - itself - is not secure. All it does is increase the attack surface, giving bad actors more choices.

The truth is, most systems that claim to support SCA are simply inadequate. And all the various messages the governing bodies hear from their consultants are conflicting, at best, because of it. Far more objective and informed oversight is an absolute must. As is a requirement that all vendors pass performance tests that transparently indicate whether they deliver on their security promises, or not. If these two things don't get fixed during this recess, nothing much will change - except that the reasons for SCA will become much more critical as the bad guys continuously hone their skills.