The UK's Financial Conduct Authority (FCA) has confirmed an 18-month delay to the introduction of Secure Customer Authentication (SCA) rules for e-commerce transactions.
From September, the SCA regulation under PSD2 is supposed to mean that European shoppers will have to authenticate online payments over EUR30 with two of the following: something they know (like a password), are (fingerprint/face ID), or have (phone).
However, accepting the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers, the European Banking Authority in June paved the way for some firms, on an "exceptional basis", to get an extension if cleared by national authorities.
The UK's FCA quickly indicated that it would give the industry extra time and has now confirmed an 18-month implementation plan for card issuers, payments firms and online retailers. This is in line with recommendations from UK Finance and European trade association EPSM.
Firms will not face enforcement action after September as long as there is evidence that "they have taken the necessary steps to comply with the plan".
Jonathan Davidson, executive director, supervision - retail and authorisations, FCA, says: "The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster.
"While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction."
Eric Leenders, MD, personal finance, UK Finance, responded to the move: "Today’s FCA plan, which supports our proposals for a managed rollout, will help the industry ensure a timely migration to SCA and result in the best outcomes for consumers while effectively balancing both convenience and security."
The Central Bank of Ireland is also delaying the roll out of SCA rules.