Market welcomes FCA’s plan to phase-in SCA
Payments and e-commerce market participants may be breathing a huge sigh of relief as the Financial Conduct Authority (FCA) has agreed a plan that gives the industry extra time to implement the Strong Customer Authentication (SCA) rules.
From 14 September 2019, new EU rules will start to apply that impact the way in which banks or payment services providers verify their customers identity and validate specific payment instructions. The SCA rules are intended to enhance the security of payments and limit fraud during this authentication process.
Jonathan Davidson, executive director for supervision – retail and authorisations, says: “The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster. While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction”.
The new 18-month plan reflects the recent opinion of the European Banking Authority (EBA) which set out that more time was needed to implement SCA given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers.
Bradley Rice, senior regulation associate at the law firm Ashurst, says: “This is a sensible move from the FCA and one the industry has been lobbying for”. Rice believes that the phased roll out should ensure a smoother transition for consumers and the banks. “But this will be the last warning.”
Michal Kissos Hertzog, CEO, from digital bank, Pepper, echoes similar sentiments to Rice, adding that the delay should really serve as a wake-up call.
“Instead of updating systems to be ready for the SCA by adopting better, faster and more agile technology, some have taken the ‘out of sight out of mind’ approach. However, implementing a digital core is crucial, as it enables any company to adapt, at speed, to consumer needs and changing regulations in an effective way,” says Hertzog.
Steven Murdoch, chief security architect at OneSpan’s Cambridge Innovation Centre, and associate professor at UCL, takes a different approach, sympathising with financial institutions.
“Clarifications from the EBA about their expectations for SCA were quite close to the deadline and the move of the EBA as a result of the Brexit vote likely contributed to disruption,” says Murdoch.
He adds that the EBA didn’t ask for anything that wasn’t already in the Second Payment Services Directive (PSD2) that was published in 2015. “There was even an 18-month implementation period following the publication of the regulatory technical standards (RTS).”
Although he believes that financial institutions were slower than necessary in implementing the published requirements and had an overly optimistic interpretation of the RTS, he takes umbrage with the fact that the September 2019 deadline is set out in law – arguing that no regulator has the authority to modify it.
“If Parliament has made a mistake then Parliament should be asked to correct it. What has happened is that industry and regulator are working together to change the effect of law to the detriment of consumer protection,” says Murdoch.
The FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan.
At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA.
The regulator will also continue to monitor the extent to which banks and payment service providers are meeting its expectation that they consider the impact of SCA on different groups of consumers, and provide alternative means of authentication where needed.