Expert Advice on New FCA Rule to Implement Strong Customer Authentication

By ISBuzz Team
Writer, Information Security Buzz | May 26, 2021 05:44 am PST

The FCA has extended the deadline for the implementation of strong customer authentication (SCA) for online purchases by a further six months.

“Previously merchants had until 14 September 2021 to ensure that all ecommerce transactions in the UK were compliant with the SCA customer identity verification regulation, but this deadline has now been put back until 14 March 2022”.

“This further six-month extension is to ensure minimal disruption to merchants and consumers, and recognises ongoing challenges facing the industry to be ready by the previous 14 September 2021 deadline. The new 14 March 2022 deadline is the latest we expect full SCA compliance for e-commerce transactions. We previously agreed to give firms extra time to implement SCA for card-based e-commerce transactions in response to concerns about industry readiness, and to limit the impact on consumers and merchants,” the FCA says.

“Since 14 September 2019, rules have applied that affect the way banks and other payment services providers check that the person requesting access to an account or trying to make a payment is permitted to do so. We have agreed to give firms extra time to implement these rules in some circumstances.

The new rules, referred to as SCA, are intended to enhance the security of payments and limit fraud during this authentication process. These rules are set in the Payment Services Regulations 2017 (PSRs) and the related technical standards. They apply when a payer:

  • initiates an electronic payment transaction
  • accesses their payment account online
  • carries out any action remotely that may imply a risk of payment fraud unless an exemption applies

We expect firms to develop SCA solutions that work for all groups of consumers.

This means that you may need to provide several different methods of authentication for your customers. This includes methods that don’t rely on mobile phones, to cater for consumers who don’t have, or won’t want to use, a mobile phone”.

2 Expert Comments
Ralf Ohlhausen, Executive Advisor
May 26, 2021 2:08 pm

It’s easy to understand how the pandemic has changed priorities and caused delays in many projects. However, Strong Customer Authentication (SCA) was originally meant to come into force in September 2019 and so far only non-card payment methods had to implement it. Whilst many merchants are hesitant, a recent study suggests that 37% of them expect no changes to conversion rates and indeed 31% expect to see greater conversion rates – highlighting there really shouldn’t be any further delay.

With more consumers online than ever before, SCA is crucial for addressing the imbalance of security versus convenience in today’s accelerated digital era. Not only do consumers remain at risk, but the ongoing preferential treatment for card payments (not having to apply SCA) over any other type of payments (having to apply SCA) is very anti-competitive for the wider payments landscape. If the regulator agrees to suspend this application then this cannot just apply to cards, but to everyone else as well.

Jake Moore, Global Cyber Security Advisor
May 26, 2021 1:48 pm

These new rules will dramatically help reduce the threat of payment attacks and will ensure people’s accounts are better protected. However, often such rules come with threats such as fines to help nudge and implement them. The delay in implementation suggests many firms are not yet ready, which may in turn be a knock-on delay from their customers.

Many people are still yet to default to extra layers of protection in other accounts, favouring convenience of use over security. By forcing people into new procedures it has the potential of pushing people away from these services. Although it is absolutely vital to add extra verification techniques where money and personal data are concerned, this process is best implemented slowly to gain more favourable uptake.
