The U.K. Financial Conduct Authority (FCA) has announced in a "Dear CEO" letter that it will not take enforcement action against firms that are not compliant with Strong Customer Authentication (SCA) requirements for electronic payment transactions by the legal deadline of September 14, 2019. The exemption from enforcement will apply only to card-not-present e-commerce transactions. To qualify for the exemption, firms must demonstrate that they have taken the necessary steps to comply with UK Finance's plan for implementing SCA by March 14, 2021.
The SCA requirements were established at an EU level by regulatory technical standards (RTS) published by the European Banking Authority (EBA) in accordance with the revised Payment Services Directive. The RTS came into force on March 14, 2018 and will apply legally from September 14, 2019, meaning Member States must generally mandate compliance with the standards in their individual jurisdictions by that date. The RTS set out requirements for the security measures that payment services providers must implement. These include transaction monitoring mechanisms that enable providers to detect unauthorized or fraudulent payment transactions, and standards for customer authentication, such as the need for a multi-step process including at least two out of the three possible identifying factors of knowledge, possession and inherence.
Earlier this year, the EBA issued an Opinion responding to industry questions on the nature of authentication practices. The Opinion confirmed that where firms were unable to implement acceptable SCA procedures by the September 14, 2019 deadline, national regulators could introduce limited additional time periods for migration. While the FCA has elected to exempt relevant firms from enforcement action, the Dear CEO letter stresses that firms should speak to their trade associations and UK Finance to obtain further information on plans for implementation of SCA, and should continue to take action to manage risks of fraud. The letter also states that firms should not act outside the agreed plan for delivery of SCA in a way that may cause problems for consumers or merchants, and that all market participants should work together towards a timely implementation of SCA. In particular, firms are expected to manage any potentially negative effects on vulnerable, less digitally engaged or digitally remote customers.