Out-Law News | 06 Sep 2019 | 8:04 am | 4 min. read
A complete ban on the use of screen scraping by third party payment service providers for the purpose of accessing payments account data held by banks and other payment account-holding providers was due to kick in on 14 September. However, the FCA has now agreed to apply an "adjustment period" up to 14 March 2020 during which screen scraping will be able to continue in some circumstances in the UK's online banking market.
The FCA's move comes amidst industry efforts to comply with new 'strong customer authentication' (SCA) regulatory technical standards. Those standards were drawn up under the EU's second Payment Services Directive (PSD2) and aim to make sure that banks and other payment services providers know that the person requesting access to an account or trying to make a payment is either the customer or someone who has their consent. They are intended to enhance the security of payments and limit fraud.
"We are concerned that some third-party providers (TPPs) may not be able to continue providing their services after 14 September 2019," the FCA said. "This is because TPPs have not always been able to use and migrate their customers to new or modified interfaces, and the implementation of SCA will prevent TPPs from accessing account data without the customer being present. This could cause significant disruption for customers of open banking services provided by TPPs."
"To avoid disruption to consumers and TPPs we have agreed an adjustment period. Therefore, in certain circumstances, firms have until 14 March 2020 to implement SCA for online banking," it said.
In a new statement published on its website on SCA, the FCA provided more detail on the scope of the adjustment period and its expectations of banks and other payment account-holding providers.
It said: "Account servicing payment service providers (ASPSPs) are required to have a PSD2-compliant way to provide TPPs with access to account data and payment functionality by 14 September 2019. This is either by a dedicated interface based on application programming interface standards (APIs) or a modified customer interface (MCI). This remains the case. However, where an ASPSP is providing access to TPPs through APIs, and did not have all payment accounts accessible by APIs on or before 14 June 2019, it should keep existing screen-scraping channels available during the adjustment period. This means not applying SCA to access accounts online during this period."
"Where an ASPSP is providing or intends to provide access to TPPs through an MCI, it may choose not to apply SCA during the adjustment period. Where possible, these firms are encouraged to use this additional time to adjust the MCI so it can support ongoing 90-day access without the customer re-authenticating with SCA," it said.
A loosening of the rules on how third parties should identify themselves to ASPSPs during the adjustment period was also backed by the FCA. The regulator's comments concern the interaction between the SCA rules and other EU laws on electronic identification (e-ID).
"During the adjustment period, ASPSPs are encouraged to allow TPPs that do not yet have an electronic identification, authentication and trust services (eIDAS) certificate and are accessing accounts via APIs, to use an equivalent certificate enabling secure identification (for instance an Open Banking certificate)," the FCA said. "All ASPSPs should tell TPPs which certificates they will accept during the adjustment period."
The FCA acknowledged that some TPPs may be unable to use an eIDAS certificate or equivalent "when accessing accounts via existing screen-scraping channels". It said those providers should nevertheless "continue to be transparent and open about their identities".
Last month, the FCA confirmed its plans to delay its enforcement of the SCA standards in the context of card-not-present transactions in the e-commerce market for a period of 18 months. Its delay in enforcing the rules will only apply if businesses in the market make active attempts to comply with the new requirements over the period in line with an implementation plan drawn up by industry that it has endorsed.
In its latest update, the FCA reiterated that view but also further explained that the solutions that banks and other ASPSPs develop to comply with the SCA requirements must "work for all groups of customers", and not just those with access to a mobile phone. For example, some SCA solutions envisage sending one-time passcodes to customers' mobile devices for them to verify payments.
The FCA said: "You may need to provide several different methods of authentication for your customers. This includes methods that do not rely on mobile phones to cater for consumers who will not have or are unable to use a mobile phone. If this is not the case, or where firms are facing difficulties, we expect them to discuss this with us as priority."
Payments law expert Andrew Barber of Pinsent Masons, the law firm behind Out-Law, said: "The further information provided by the FCA on the transitional arrangements for strong customer authentication is going to be welcomed by payment services providers. The proposals appear to be striking a reasonable balance for e-commerce businesses, who would otherwise find their ability to conduct sales severely compromised."
"Given how near to the original compliance deadline these arrangements have been finalised, the FCA and regulators across Europe may be reflecting on the scale of the task presented to them and the industry by PSD2. The SCA standards have clearly proved difficult to implement through the development of novel IT protocols. Businesses should now be following the transitional arrangements and ensuring that they comply with them rather than treating announcements as simply a delay to taking any action," he said.