Let’s talk about Strong Customer Authentication: CP21/3

In this fourth blog in our series on the FCA’s CP21/3 consultation, Greg James looks at the proposed changes to strong customer authentication (SCA), one of the most contentious regulatory developments introduced by the second Payment Services Directive (PSD2).

The FCA has made a clear effort to alleviate some of the strain on the customer journey; however, with new guidance inevitably come new questions. We have broken the changes down into those that will generate the most conversation and those that are simply explicit confirmations of existing guidance.


Conversation-starters!

Dynamic linking

Dynamic linking has been a consistent spectre over the industry, not only because of its technical requirements but because of its effect on e-commerce transactions where the final price is not known at the point of authorisation. Under dynamic linking, the customer should only be authenticating the exact cost of the transaction, and if that amount were to change, the payment service provider (PSP) should request reauthentication. This is far from an ideal customer journey, and as such some sectors of the market, such as the travel industry, have been pushing back against the requirement.


FCA’s proposal of 20% increase on the approved price

The FCA has proposed to allow an increase of 20% on the approved price without further authentication. Apart from the fact that the quoted 20% is seemingly an arbitrary number picked from thin air, it is welcome flexibility in the rules.


The caveats of the amendment

This amendment is not without its caveats: businesses are expected to make customers aware that the price can increase, and to receive the customer’s agreement to any reasonable increase up to 20%. The FCA has not provided guidance on who is responsible for this; however, it seems reasonable that this is the merchant acquirer’s role, which it may outsource to the merchant in question. We are in the process of seeking clarification from the FCA on which entity is responsible for this disclosure and whether it can be outsourced to the merchant.


Corporate exemption

The FCA explicitly confirms that it wishes to accept the EBA’s opinion that corporate cards are acceptable under the corporate exemption, provided those cards are only available to corporate customers and not to consumers. This is a sensible approach; however, it does raise questions when balanced against a recent determination by the EBA that the corporate exemption is purely for the payment stage and not the account information stage. The EBA’s decision seems to have misread the market that is utilising the corporate exemption, as account information and payment initiation would typically be a standard package and utterly key to the service offering. It raises further questions about the previous decision on corporate cards, as account balances can be seen through ATMs and sometimes online portals, so PSPs would have to apply controls to stop ATM transactions and remove this functionality.

The position of the FCA here is very unlikely to get market pushback; however, it highlights the recent determination by the EBA, which should receive market pushback. We are encouraging the FCA not to follow the logic applied by the EBA.


Merchant-initiated transaction

The FCA is clarifying that payments initiated solely by the payee rather than the payer are not subject to SCA. In other words, pull transactions are outside the scope of SCA, provided the payer is not required to take action.

However, when the payer needs to take action or the payment method implies an affirmative action, then SCA should be required – for instance, recurring card payments. The payer will effectively be utilising the recurring transaction exemption for this payment flow: SCA is applied at the first payment and all subsequent payments will not require further SCA.

Interestingly, this creates a question of whether the FCA would allow, in the circumstance of a recurring payment price increase (such as in subscription services), continued use of the exemption without further authentication, relying instead on a grace similar to the 20% suggested for dynamic linking. Strictly speaking, the merchant should reauthenticate in this instance, and the 20% grace proposed for dynamic linking would not apply, as no dynamic linking would be involved in the subsequent payments – the PSP would have to rely on another exemption in this case. We are in the process of seeking clarification from the FCA on whether the 20% grace could be applied to a subscription model.


Authentication code

The FCA proposes to affirm the EBA’s position that an element can be ‘reused’ from the login stage and reapplied at the payment creation stage – meaning only one element is requested at the payment stage (discussed further here). It should be noted that the current FCA guidance relates only to payments and is not explicitly extended to exemptions. However, as the FCA states that it agrees with the EBA’s reasoning, this should also apply to exemptions: the EBA’s rationale is that elements have no time limits or expiration times and can therefore be reused, and that logic carries over to exemptions. We are currently seeking confirmation from the FCA on whether it considers this logic sound and will therefore clarify the guidance.



Confirmations

Liability for fraudulent transactions

A common theme of this consultation is the FCA’s explicit acceptance of previously issued guidance from the EBA and the European Commission (EC), rather than newly offered guidance; liability for fraudulent transactions is one of these. The FCA has agreed with the position of the EC that, where a payee PSP has applied an exemption, the payee PSP is liable in the instance of fraud. This confirms industry practice and cements the principle that it is not always the payer’s PSP that is accountable, but the PSP that chooses to apply an exemption.


SCA elements

There is still confusion in the market around what constitutes a valid element for the purposes of SCA. The FCA has explicitly accepted the EBA’s interpretation of possession and inherence elements. A possession element can only be considered valid if there is a reliable means of confirming possession, in other words a dynamic aspect such as a one-time passcode (OTP). Additionally, the FCA confirmed the EBA’s position that behavioural biometrics would be considered an inherence element. It should be noted that behavioural biometrics are not commonly used in the market, and this aspect will require some fleshing out to determine the level of quality required to be compliant in this area.


Transaction risk analysis

This is a clarification by the FCA that will affect not just SCA but also fraud reporting under REP017. The fraud rate calculations required under Article 18 of the RTS relate only to fraudulent remote electronic transactions for which the PSP is liable. REP017, however, requires all types of fraud to be reported, regardless of SCA or of whether the reporting PSP is liable. This confirms that PSPs should not calculate their Article 18 compliance simply from REP017 figures, as doing so will produce false figures.


Conclusion

Although many of the changes proposed by the FCA are explicit confirmations of already public guidance, there are nuggets of information, most of which are generally positive for the market and will help to avoid discouraging e-commerce. We have not called for material changes to the guidance; however, the call for clarification is essential for the industry as a whole to continue developing its SCA controls.

SCA and the exemptions are complicated: if you would like to discuss how they apply in your business model, please do not hesitate to get in touch with my colleagues or me.

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.
