UK regulator offers 18-month delay for Strong Customer Authentication rules


The UK's Financial Conduct Authority (FCA) has confirmed an 18-month delay to the introduction of Strong Customer Authentication (SCA) rules for e-commerce transactions.

From September, the SCA regulation under PSD2 is supposed to mean that European shoppers will have to authenticate online payments over EUR30 with two of the following: something they know (like a password), are (fingerprint/face ID), or have (phone).

However, accepting the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers, the European Banking Authority in June paved the way for some firms, on an "exceptional basis", to get an extension if cleared by national authorities.

The UK's FCA quickly indicated that it would give the industry extra time and has now confirmed an 18-month implementation plan for card issuers, payments firms and online retailers. This is in line with recommendations from UK Finance and European trade association EPSM.

Firms will not face enforcement action after September as long as there is evidence that "they have taken the necessary steps to comply with the plan".

Jonathan Davidson, executive director, supervision - retail and authorisations, FCA, says: "The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster.

"While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction."

Eric Leenders, MD, personal finance, UK Finance, responded to the move: "Today’s FCA plan, which supports our proposals for a managed rollout, will help the industry ensure a timely migration to SCA and result in the best outcomes for consumers while effectively balancing both convenience and security."

The Central Bank of Ireland is also delaying the rollout of SCA rules.

Comments: (2)

Melvin Haskins - Haston International Limited - 13 August, 2019, 17:14

What is complex about doing this?

John Wojewidka - FaceTec - Las Vegas, Nv 15 August, 2019, 01:38

That 18 months should be focused on putting teeth into requirements for performance verifications, particularly claims of liveness detection, the only technology that seems to provide a robust defence. Maybe it's time to mandate tested/certified liveness. If a vendor can't transparently meet this important security threshold, they should be forced back to the drawing board. On their own, most vendors will spend more time spinning their messages than innovating and fixing problems.