Out-Law / Your Daily Need-To-Know
Deadlines that banks and other UK payment service providers (PSPs) have been set for implementing 'strong customer authentication' (SCA) standards for e-commerce could be pushed back in light of the coronavirus crisis, the Financial Conduct Authority (FCA) has hinted.
SCA standards, which are intended to enhance the security of payments and limit fraud, took effect in EU law in September last year, but the European Banking Authority (EBA) granted national authorities permission to relax their approach to enforcement in limited circumstances amidst technical challenges faced by industry and associated delays in the implementation of the standards.
The FCA subsequently endorsed an industry-led plan to deliver full compliance by 14 March 2021. The plan includes six-monthly milestones of 14 March 2020 and 14 September 2020 by which firms are expected to have completed a range of actions on their journey to full compliance.
However, the UK regulator has now acknowledged that firms' actions on implementation are "likely" to be impacted as they grapple with the challenges arising out of the outbreak of coronavirus, officially Covid-19, and suggested that the future milestones might be adjusted.
"We welcome the progress so far and the industry’s continuing effort to meet milestones ahead of 14 March 2021," the FCA said in a recent update on SCA. "We will work closely with the industry to agree any changes to the milestones and timelines that may be needed."
The FCA said it will "consider on a case-by-case basis the appropriate further measures" in cases where businesses have not met the SCA requirements on online banking by the 14 March 2020 milestone date and now face "further delays" as a result of coronavirus.
"In doing so, we will in particular consider: firms’ security around authentication to access their online banking and when making payments; their controls and processes to reduce fraud; whether that impact is likely to be exacerbated given the current circumstances," the FCA said.
The FCA also announced that PSPs that loosen SCA protocols for contactless transactions in light of the Covid-19 pandemic are unlikely to face enforcement action in the UK, so long as they take other steps to address the risk of fraud.
The outbreak of Covid-19 has accelerated demand for contactless payments amidst fears that the virus could be spread by the handling of cash, or through the use of 'chip and pin' machines. The spending limit for contactless payments in the UK was increased on 1 April to £45 from £30 in response.
EU payment services laws, however, are designed to prevent card holders from being able to make continuous regular or upper-limit contactless payments without being subject to checks on their identity.
Specifically, SCA checks must be initiated where the individual amount of the contactless transaction exceeds €50. SCA checks are also required where the cumulative amount of contactless payments made since the last SCA check exceeds €150, or where the number of contactless transactions since the last SCA check exceeds five.
The SCA standards, developed under the second Payment Services Directive (PSD2), aim to make sure that banks and other payment services providers (PSPs) know that the person requesting access to an account or trying to make a payment is either the customer or someone who has their consent.
In light of the Covid-19 pandemic, however, the FCA has softened its approach to enforcement of those rules.
"We support the use of contactless payments and welcome the industry’s initiative to increase the contactless limit," the FCA said. "To further facilitate this, we confirm that, in the current circumstances, we are very unlikely to take enforcement action if a firm does not apply strong customer authentication when the cumulative amount of transaction values has exceeded €150 or five contactless transactions in a row. But this is only as long as the firm sufficiently mitigates the risk of unauthorised transactions and fraud, by having the necessary fraud monitoring tools and systems in place and taking swift action where appropriate."
The FCA said it will "continue to monitor the situation" and is keeping its decisions "under review". It has urged businesses subject to the SCA requirements to contact "if they are facing difficulties".
Contact an adviser
