UK delay to PSD2 authentication enforcement confirmed

Out-Law News | 14 Aug 2019 | 1:17 pm | 3 min. read

Online retailers active in the UK have been given up to 18 months to update their payment systems and processes to comply with new customer authentication requirements.

The Financial Conduct Authority (FCA) announced on Tuesday that it had reached an agreement with payment card issuers, payment providers and online retailers in relation to its enforcement of the 'strong customer authentication' (SCA) standards, drawn up under the EU's second Payment Services Directive (PSD2).

The agreement provides scope for businesses in the e-commerce market to work towards compliance with the SCA over a period that could last up until 14 March 2021 without the fear of punishment from the regulator for non-compliance with the new standards.

"The FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan," the FCA said. "At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA."

"The FCA will also continue to monitor the extent to which banks and payment service providers are meeting its expectation that they consider the impact of SCA on different groups of consumers, and provide alternative means of authentication where needed," it said.

The SCA standards are hard-wired into EU legislation and are due to take effect from 14 September. The standards aim to make sure that banks or payment services providers know that the person requesting access to an account or trying to make a payment is either the customer or someone who has their consent. They are intended to enhance the security of payments and limit fraud.

"In addition to their application to e-commerce, the SCA standards will also have an impact on consumers shopping in-store", said technology and payments regulation specialist Angus McFadyen of Pinsent Masons, the law firm behind Out-Law. "For contactless payments, consumers will be asked to enter their pin number to confirm transactions in cases where they use contactless five times or hit a value limit – it will take a little while to get used to this and it will slow down the checkout process but it should help when payment cards are stolen and can no longer be used for a limitless number of contactless transactions."

The European Banking Authority (EBA) gave scope to national regulators to apply an enforcement holiday in certain circumstances to give businesses more time to update their systems and processes. That concession came after concerns were raised about the lack of preparedness for the forthcoming standards within the market.

Research commissioned by Stripe published earlier this year suggested that up to €57 billion of sales are at risk in the first year that the SCA rules apply. Other industry figures have predicted as many as 25 or 30% of e-commerce transactions could be declined in the immediate aftermath of the switch to SCA.   

The FCA announced that it was working with industry to agree on a delay to enforcement of the SCA rules, and it has now finalised its approach. The Central Bank of Ireland also recently confirmed that it will apply "a limited migration period" in respect of SCA compliance, although it has yet to confirm how long it will delay taking enforcement action for. The Irish authority said it was keen for a "harmonised approach" to the issue to be agreed across the EU.

"The FCA’s decision to ease the mid-September deadline is welcome news to the e-commerce industry," said payments law expert Lauren McCarthy of Pinsent Masons. "Although there has been some time to prepare, building and implementing the infrastructure that supports strong customer authentication has been an immense task for the payment service providers – calling for time as well as money to be injected into the projects. The FCA has rightly acknowledged that launching these new processes before the systems are ready would result in disruption to many businesses as well as consumers who may not be aware why their payments can’t be processed."

Jonathan Davidson, executive director for supervision, retail and authorisations, at the FCA, said: "The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster. While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction."

Trade body UK Finance welcomed the FCA's announcement and provided guidance to firms on the actions they should take.

Eric Leenders, managing director of personal finance at UK Finance, said: "Today’s FCA plan, which supports our proposals for a managed rollout, will help the industry ensure a timely migration to SCA and result in the best outcomes for consumers while effectively balancing both convenience and security. The banking and finance industry has worked closely with the FCA, retailer groups and other stakeholders to deliver these required changes in a way that minimises any disruption for consumers and businesses. We want to ensure that the convenience of making an online payment is balanced with these increased security standards."

Leenders said that payment service providers could use text messages, phone calls, banking apps or card readers to verify the identity of customers as they seek to comply with the SCA standards. He said other methods of identity authentication are being developed, including biometric technologies, and that these methods "will make it even easier to shop more safely online in the future".