Strong customer authentication (SCA) is a valid attempt by the EU to curb electronic payment fraud, including ‘card-not-present’ fraud. From a glance the concept is fairly simple, it will be a regulatory obligation to apply two factor authentication (2FA) to the electronic payment process. However, it’s not all quite as simple as that as SCA has more requirements than just the frequently touted 2FA. This blog will provide the basics on SCA and subsequent blogs will go into more detail on the exemptions and how SCA differs from simple 2FA.
Does my payment services business have to apply strong customer authentication?
SCA is a requirement under the second Payment Services Directive (PSD2) and it applies to all types of payment services providers (PSP) – that is banks, e-money institutions, payment institutions and account information service providers – depending on the functionality they provide their customers. Specifically, the PSPs that should pay attention are those that allow their payment service users to:
- access payment accounts online (whether directly or through an account information service provider);
- initiate an electronic payment transaction; or
- carry out any remote action that may imply a risk of payment fraud.
For those that provide a ‘phone banking’ service or who receive paper instructions to set up direct debits, the good news is that these actions have been ruled out of scope of the obligation by the European Banking Authority (the EBA), who was tasked with drafting the Regulatory Technical Standard (RTS), and, in turn, the FCA. Payment instructions received by email aren’t specifically mentioned but ‘mail order’, which was referred to by the EBA and FCA, is probably close enough to be regarded as the same thing and therefore also out of scope. However, in the spirit of the overall objective of reducing payment fraud and mindful of the onerous refund obligations in the event of unauthorised payments, PSPs should have suitable fraud protections in place.
When do I have to apply SCA?
SCA has to be applied both when accessing payment account information and when initiating a payment transaction meaning that a customer checking their account and then paying a couple of bills would have to go through SCA multiple times in one session, which is far from ideal on the user-experience scale. To avoid this, you will have to apply one of the exemptions.
What are the exemptions?
There are nine sets of circumstances in which the customer does not have to go through SCA. They are listed in brief below and will be explored in more depth in a subsequent blog.
- Where the account data is limited and SCA has been applied within a specified timeframe.
- Contactless payments under a low threshold and as long as SCA has been applied within a specified timeframe/number of transactions.
- Unattended terminals for transport and parking fees.
- Payments to beneficiaries that are trusted.
- Recurring transactions that have previously been authenticated.
- Credit transfers between accounts held by the same natural/legal person with the same entity.
- Low-value transactions as long as SCA has been applied within a specified timeframe/number of transactions.
- Payments for corporates where the process has been approved by the FCA.
- Where the transaction type has been proven to be at a low risk of fraud and this is constantly monitored.
Do we have to use the exemptions?
No, the legislation is worded in such a way that means that you can choose not to avail of the exemption but, given the impact on the user-experience, we expect PSPs will look to avail of the exemptions wherever possible.
When do I have to have SCA operational?
SCA has to be operational by the 14 September 2019 at the latest, which is the date that the RTS comes into effect.
How will the FCA monitor SCA?
As normal, the FCA will assume that PSPs are meeting their obligations unless they are given reason to believe otherwise. A suspicion that a PSP is not compliant could arise from information received during the FCA’s normal supervisory work or directly from a customer, competitor or whistleblower.
The FCA will analyse the payments fraud reporting return (REP017) and the operational and security risk reporting return (REP018) to identify outliers or unusual information that may suggest non-compliance. PSPs that wish to avail of two particular exemptions, the corporate exemption and the low fraud risk exemption (8 and 9 above) will have to evidence in their reporting returns that they meet the criteria. The complaints handling data reported annually and information shared by the Financial Ombudsman Service if a systemic problem is identified could also lead to further investigation.
Where do I find the rules and the FCA’s guidance?
The obligation to apply strong customer authentication is to be found at regulation 101 of the PSRs. The detail of what has to be in place can be found in the RTS. The FCA’s guidance can be found in chapter 20 of the approach document and the EBA’s response to the responses received in their consultation can be found here.
If you require any advice or guidance on SCA and how it relates to your business, please do not hesitate to contact me, or any of the team at fscom.