How UK and EU strong customer authentication rules differ

Out-Law Analysis | 22 Nov 2022 | 10:42 am | 7 min. read

There is growing divergence between UK and EU rules that are intended to enhance the security of payments and limit fraud, with a knock-on impact for payment service providers (PSPs) that operate in both jurisdictions.

Detailed ‘strong customer authentication’ (SCA) regulatory technical standards (RTS) were developed by the European Banking Authority (EBA) under the EU’s second Payment Services Directive (PSD2) at a time when the UK was still an EU member state. However, since these became retained EU law in the UK following Brexit, there are two versions of the SCA RTS – the UK version (UK SCA RTS) and the EU version (EU SCA RTS). In recent months clear differences have begun to emerge between the two as authorities in the UK and EU have begun to update their respective SCA requirements.

An overview of the SCA standards

SCA is required under PSD2 to facilitate access to payment accounts’ data held by banks and other ‘account servicing payment service providers’ (ASPSPs).

At the heart of the SCA RTS are requirements designed to make sure that ASPSPs know that the person requesting access to an account online or trying to make an electronic payment is either the customer themselves or someone who has their consent to do so. The SCA RTS set out the types of information that can be relied upon by the ASPSP for verifying the identity of a payment account holder. Those elements are something the account holder knows, something they possess and something they are – at least two of those factors must be present and independent of one another for the identity verification requirements to be met.

The SCA requirements in the RTS also stipulate the mechanism through which third party account information service providers (AISPs) and payment initiation service providers (PISPs) can respectively access the data on, or initiate payments from, accounts held by ASPSPs. ASPSPs must either facilitate access through the customer's normal online banking platforms, or through a 'dedicated interface' – an application programming interface (API) – for that purpose.

Examples of UK and EU divergence

Brexit has provided UK law makers and regulators with scope to alter their approach to UK law and regulation that has its origins in EU law. This is beginning to happen in the context of the EU-derived SCA standards in the UK SCA RTS. Additionally, as changes that EU regulators make to the EU SCA RTS do not need to be followed in the UK this provides further potential for the requirements to differ, which firms operating in both jurisdictions will also need to monitor.

In November 2021, the Financial Conduct Authority (FCA) took the opportunity, after engaging with industry, to set out changes to the UK SCA RTS and accompanying guidance.

Further differences between the UK SCA RTS and the EU SCA RTS emerged in August 2022 when the European Commission published amendments to the EU SCA RTS. These revised standards are not yet in force. Subject to any late objections from EU law makers, they look set to apply from an as-yet-unspecified date in spring 2023.


Here we explore some of the most notable differences for businesses.

The use of behavioural data for verifying customers’ identity

Under both the EU SCA RTS and the UK SCA RTS, verifying the identity of payment account holders can include relying on information that reflects something inherent in that customer.

Guidance developed by the European Banking Authority (EBA) to complement and clarify the EU SCA RTS states that the concept of ‘inherence’ concerns biometrics, both biological and behavioural, related to physical and physiological characteristics as well as the behaviour of the physical body, in any combination. Examples of compliant inherent characteristics include fingerprints, hand and face shapes, as well as voice recognition, heart rate, typing and swiping patterns, and device holding patterns. The EBA’s view is that inherence is limited to physical and physiological characteristics and behavioural processes created by the body.

The FCA has said, though, that it believes the EBA position “does not … accurately reflect the meaning of inherence”. It has adopted a more flexible interpretation after noting that some businesses in the UK payments market believe “SCA solutions not necessarily linked to physical properties of the body are potentially highly effective”.

It said: “Inherence can be defined as a characteristic attributable to a person regardless of whether it relates to a physical property of the body (for example a fingerprint) or a behavioural characteristic (for example, detailed shopping patterns). In particular, we consider that behavioural analytics could potentially be used to verify the behavioural characteristics of an individual for the purpose of SCA. We agree that this approach could enable SCA solutions which are better suited to vulnerable consumers.”

While the FCA refused to endorse specific solutions on the market, it has said that behavioural characteristics “may constitute a valid inherence element”.

Exemptions from the SCA requirements

Since the EU SCA RTS were first adopted by the EU, which then included the UK, ASPSPs have had the option to voluntarily exempt themselves from applying SCA protocols in certain, limited circumstances such as where there are recurring or low value transactions or contactless payments at point of sale.

Changes relating to online access of payment account information and 90-day reauthentication

There was also an exemption in the EU SCA RTS relating to payment account information. This exemption has now been revised in both the EU and UK.

Under this exemption, as it applied originally, ASPSPs could opt to exempt themselves from applying SCA where, without disclosing sensitive personal data, a user accessed online their balance and/or payment transaction data from the last 90 days, in either case on one or more of their designated accounts. ASPSPs could apply this exemption provided it was not the first time such information was accessed by the user online and, in the case of the payment transaction data, not more than 90 days had passed since the user last accessed it and SCA was then carried out. To use the exemption the ASPSPs were also required to have transaction monitoring mechanisms in place which enabled them to detect unauthorised or fraudulent payment transactions.

The original EU SCA RTS exemption still applies under the UK SCA RTS, but the FCA has added a further exemption from SCA that it has “strongly encourage[d]” ASPSPs to apply. The new exemption seeks to improve the customer experience and reduce the high level of drop-out in the use of third-party providers (TPPs).

The FCA’s new exemption allows ASPSPs not to apply SCA protocols if the user is seeking to access their account balance and/or payment transactions executed in the last 90 days in either case on one or more payment accounts through an AISP. In such cases, the exemption means customers don’t have to reauthenticate with their ASPSP every 90 days when accessing their information through an AISP, as it is the AISP who is required to reconfirm with their customer at least every 90 days their explicit consent for the AISP to access their data. Such consent does not have to be communicated to ASPSPs which retain discretion whether and when they require SCA to be applied or to apply the exemption. However, ASPSPs do have to have authenticated the first time the user accessed their account information through the AISP. The exemption can also only be used provided the ASPSP has transaction monitoring mechanisms in place enabling it to detect unauthorised or fraudulent payment transactions.

The FCA said its new exemption will “help save customers time and reduce friction in the customer experience when using account information services”.

The European Commission has gone further than the FCA.

It intends to make it mandatory for ASPSPs to apply a new exemption from SCA where a user accesses their balance or last 90 days’ payment transactions online through an AISP, in either case for one or more payment accounts and without disclosing any sensitive data. This exemption applies if SCA was applied when the user first accessed the information online through the AISP and not more than 180 days have passed. Nonetheless, ASPSPs will be able to apply SCA if they have “objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account”.

This new exemption has been prepared in response to what the Commission has described as “very divergent practices” in the market. It said some ASPSPs were requiring SCA every 90 days, others at shorter intervals, and others not applying the exemption from SCA at all and requesting SCA for every account access.

The new mandatory exemption will not need to be applied to contingency mechanisms that ASPSPs provide as back-ups to any dedicated interface, provided the ASPSPs do not apply the voluntary exemption from SCA when the user accesses its payment account information online directly in their “direct customer channels”.

The European Commission changes mean that the scope of the original voluntary exemption will be limited to instances where the customer accesses the account information directly, in which case ASPSPs will be able to apply SCA – or not – at their discretion.

The timeline for the renewal of SCA will also be extended from every 90 days to every 180 days, both when the information is accessed through an AISP or directly by the customer.
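The UK and EU account-information exemptions described above differ in the access channel they cover, the renewal window and whether the exemption is voluntary or mandatory. The following Python is an added example, not code from the article or from any regulator, that encodes those conditions as an ASPSP-side policy check. The field names and the three outcomes are assumptions, as is treating the original exemption's transaction-monitoring condition as carrying over to the voluntary, direct-channel exemption in both regimes, which the article does not spell out.

```python
# Added example (hypothetical field names): ASPSP-side policy check for the
# SCA account-information exemptions as described above; not regulator code.
from dataclasses import dataclass
from enum import Enum


class Regime(Enum):
    UK = "UK"  # FCA-amended UK SCA RTS
    EU = "EU"  # Commission-amended EU SCA RTS


class Outcome(Enum):
    SCA_REQUIRED = "SCA must be applied"
    MAY_EXEMPT = "voluntary exemption available; ASPSP discretion"
    MUST_EXEMPT = "mandatory exemption; SCA only for evidenced fraud reasons"


@dataclass(frozen=True)
class AccessRequest:
    via_aisp: bool         # access through an AISP, not the direct customer channel
    transactions: bool     # payment transaction data, not balance only
    first_access: bool     # first online access to this information via this channel
    days_since_sca: int    # days since the ASPSP last applied SCA to this access
    sensitive_data: bool   # response would disclose sensitive payment data
    tx_monitoring: bool    # ASPSP has transaction-monitoring mechanisms in place
    fraud_suspected: bool  # objectively justified, evidenced fraud concern (EU carve-out)


def evaluate(req: AccessRequest, regime: Regime) -> Outcome:
    # Both regimes: first access and sensitive data are always authenticated.
    if req.first_access or req.sensitive_data:
        return Outcome.SCA_REQUIRED
    if regime is Regime.EU and req.via_aisp:
        # Mandatory EU exemption: SCA at first AISP access and <= 180 days since.
        if req.days_since_sca > 180 or req.fraud_suspected:
            return Outcome.SCA_REQUIRED
        return Outcome.MUST_EXEMPT
    # Voluntary exemptions (assumed to keep the original condition) need monitoring.
    if not req.tx_monitoring:
        return Outcome.SCA_REQUIRED
    if regime is Regime.UK and req.via_aisp:
        # FCA exemption: no ASPSP renewal window; the AISP reconfirms consent every 90 days.
        return Outcome.MAY_EXEMPT
    # Direct channel: original exemption with the regime's renewal window,
    # which only limits access to transaction data, not balance-only access.
    window = 90 if regime is Regime.UK else 180
    if req.transactions and req.days_since_sca > window:
        return Outcome.SCA_REQUIRED
    return Outcome.MAY_EXEMPT
```

Running the same request through both regimes shows the divergence directly: an AISP access 120 days after the last SCA is at the ASPSP's discretion in the UK but must be exempted in the EU, while the same access through the direct channel needs SCA in the UK and may be exempted in the EU.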

Disclosure of technical specifications

A further example of the growing divergence between the UK and EU SCA RTS is the tighter timescale that the European Commission intends to apply to ASPSPs in relation to the disclosure of changes to the technical specification of their interface.

While in the UK ASPSPs are obliged to make available to PISPs, AISPs and PSPs details of changes to their interface’s technical specification as soon as possible and no less than three months before the change is implemented, the Commission has proposed to require that disclosure in the EU no less than two months before the changes are implemented.

The prospect of further divergence

It looks inevitable that the UK and EU SCA RTS will further diverge over time.

The FCA has, for example, said in light of feedback to its consultation on changes to the UK SCA RTS that it could, in future consultations, consider changes to the corporate exemption – which allows SCA to be waived for payments by payers who are not consumers, where secure corporate payment processes or protocols apply. As a result, it appears the FCA is receptive to the market’s feedback around changes to the SCA requirements in the UK and that these could drive changes that in future take the UK regime yet further from that of the EU. That said, further changes will take time, not least because of the FCA’s current workload.

Co-written by Andrew Barber, Josie Day, Lucia Doran and Rucsandra Bratu of Pinsent Masons.
