.svg)
Strong customer authentication (SCA) in the UK was expected to be implemented from March 14, 2022. This regulatory analysis focuses on the implementation and impact of SCA in the UK and the EU, as well as the UK Financial Conduct Authority’s (FCA) related expectations from payment service providers (PSPs).
Background
SCA was introduced in the European Union by the revised Payment Services Directive (PSD2). In Article 4, paragraph 30 of the PSD2, SCA is defined as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.
The regulatory technical standards (RTS) for SCA and common and secure communication (CSC) were issued under the PSD2. The regulation was published in the European official gazette on March 13, 2018 and applied from September 14, 2019. The standards regulate the access of account information service providers (AISPs) and payment initiation service providers (PISPs), as defined by Article 4, points 19 and 18, respectively of the PSD2, to the user payment accounts details kept by AISPs.
On October 16, 2019, the European Banking Authority (EBA) issued an opinion that provided a 15-month plan for European issuers and acquirers to migrate to SCA for e-commerce card-based payment transactions, providing a December 31, 2020 deadline to comply.
Following the UK’s exit from the European Union in January 2020, the FCA issued the Technical Standards on Strong Customer Authentication and Common and Secure Methods of Communication Instrument 2020, which replaced the EU RTS for SCA and CSC in the UK and entered into force the day after the implementation period (IP) on December 31, 2020. As stated in PS19/26: Brexit - Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Open Standards of Communication, the standards do not substantially differ from the European ones; the changes mainly reflect adaptations due to Brexit. These standards were last amended in November 2021 by Technical Standards on SCA and Common and Secure Methods of Communication (Amendment) (No. 2) Instrument 2021. Some of the changes affect cases where payment account information is accessed directly by a payment service user, as well as when through an AISP, and general obligations for access interfaces.
On May 20, 2021, the FCA announced an extension to the deadline for the implementation of SCA for e-commerce transactions in the UK to March 14, 2022.
In November 2021, UK Finance, a trade association representing more than 300 firms, published the Revised SCA Ramp Up Plan, which outlined the timelines for SCA implementation in the UK.
When should SCA be applied?
Article 97, paragraph 1 of the PSD2 provides that member states must ensure that PSPs apply SCA where the payer:
- “Accesses its payment account online.
- Initiates an electronic payment transaction.
- Carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.”
The above article was transposed in the UK by Regulation 100, paragraph 1 of the Payment Services Regulations (PSRs) 2017.
SCA can be implemented via 3D Secure 2 (3DS2) or 3D Secure (3DS). 3DS2 replaces 3DS, offering a similar level of protection for users but reducing friction for users. The main difference between the two is that, as specified by 3DS2 FAQs section: “[R]ather than static passwords, 3D Secure 2 uses dynamic authentication methods such as biometrics and token-based authentication.” Where consumers forget their password and may decide to not complete a purchase, dynamic authentication methods make payment transactions smoother, increasing the number of purchases, in favour of merchants. 3DS will also be phased out in 2022, at a date yet to be confirmed. As explained by the UK government, “3DS2 requires 2 factor authentication, and will ask users for 2 out of 3 pieces of information to complete their transaction”, such as a fingerprint or a password.
FCA’s expectations
In March 2022, the FCA published its expectations in terms of SCA implementation by banks and other PSPs. Particularly, the FCA expects account servicing payment service providers (ASPSPs) to apply the exemption under Article 10A of the SCA-RTS, which allows, under certain conditions, ASPSPs not to require customer’s reauthentication every 90 days when they access their account information through a third-party provider (TPP). However, TPPs will be required to obtain explicit consent from customers at least every 90 days.
On April 5, 2022, the Open Banking Implementation Entity (OBIE) published version 3.1.10 of the OBIE Standard. The standard aims to assist European account providers in being compliant with their PSD2 and RTS requirements and has been updated to reflect the latest changes in the UK RTS.
EU
On June 11, 2021, the European Central Bank (ECB) published a report on the data provided by PSPs on their readiness to apply strong customer authentication for e-commerce card-based payment transactions. The report covers the reporting periods in 2020 and an additional reporting period in April 2021.
The data showed the following:
- “99% of EU merchants are able to support SCA;
- 94% of all payment cards in the EU are SCA-enabled;
- 82% of all PSUs are enrolled into an SCA solution;
- 92% of e-commerce card-based authentication requests reported by acquirers are compliant with the SCA requirements; and
- 87% of initiated e-commerce card-based payment transactions reported by issuers are compliant with the SCA requirements.”
In the same period, according to the report, there was a correlation between the implementation of SCA and a reduction in volume and values of fraud related to e-commerce card-based payment transactions in the EU. Specifically, there was a reduction in the values by around 50 percent (from 0.12 percent to 0.06 percent) for issuing PSPs and by about 40 percent (from 0.17 percent to 0.10 percent) for acquiring PSPs. Similar percentages were reported for volume.
On April 5, 2022, the EBA released a Final Report on amending RTS on SCA and CSC under PSD2. The report follows the consultation, launched in October 2021, on changes proposed by the EBA to address issues related to the voluntary aspects of the application of the exemption by PSPs, as provided by Article 97 of RTS for SCA and CSC, which has led to varying practices in the industry and consequent frictions to customer experience.
According to the final report, application of the RTS has shown “some ASPSPs requesting SCA every 90 days, others at shorter time intervals, while a third group of ASPSPs have not applied the exemption at all and request SCA for every account access”. The proposed amendments aim to address the issue of a customer having to perform multiple SCA processes with each account provider they hold a payment account with and at different points in time, for the purpose of aggregating them. When SCA is not applied, it limits certain uses of AIS, “such as some personal finance management services and cloud accounting services”.
The draft regulatory technical standards propose the following main changes:
- A new mandatory exemption to SCA, for the specific case when access is through an AISP specified in Article 10a of the standards, provided the following:
- Disclosure of sensitive payment data does not occur.
- SCA was applied for the first access to the payment accounts via an AISP and is applied periodically.
- Allowing PSPs to voluntarily apply the exemption under Article 10 of the RTS only when the customer accesses the account information directly.
- Extending the timeline to obtain customer reauthentication from every 90 days to every 180 days.
The draft would extend the timeline for ASPSPs to make available to AISPs the technical changes two months (previously one month) before the implementation of these changes (Article 2). The draft would also extend the overall implementation period from six months to seven months after the publication of the amending RTS in the Official Journal of the EU (Article 3, paragraph 2).
Article 10 of the UK RTS-SCA, as amended by Technical Standards on SCA and Common and Secure Methods of Communication (Amendment) (No. 2) Instrument 2021, introduces the voluntary application of the exemption by PSPs, similar to the one proposed by the EU draft regulatory technical standards (second bullet point above).
The main difference between the two provisions is that the EU draft provides as a condition that no “more than 180 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1” of Article 10 and SCA was applied, while the UK RTS-SCA provides that no “more than 90 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1(b)” of Article 10 and SCA was applied.
In the EBA’s view, “compulsory exemptions would not satisfy the security and fraud objectives as PSPs would not have any flexibility in deciding to use SCA if a risk was detected even though an exemption could apply”.
What are the consequences of non-compliance and what is the cost for getting it wrong?
Article 74, paragraph 2 of the PSD2 provides that the payer bears financial losses when their PSP has not provided SCA and they have acted fraudulently. The second part of Article 74 states that “where the payee or the payment service provider of the payee fails to accept strong customer authentication, it shall refund the financial damage caused to the payer’s payment service provider”.
The above provisions have been transposed into the UK, respectively by Regulation 77, paragraphs 4c and 6 of the PSRs 2017.
Article 103 of the PSD2 provides that member states implement rules on penalties applicable to breaches of the national law transposing the directive.
Regulation 111 of the PSRs 2017 provides the FCA with powers to impose penalties on PSPs that breach any of the regulations.
Next steps
The draft amending RTS on SCA and CSC under PSD2 will be submitted to the European Commission for approval. It will then be examined by the European Parliament and the European Council before being published in the Official Journal of the European Union. The amendments to the RTS will apply seven months after their entry into force.
FCA’s key dates
The FCA “strongly encourage[s] ASPSPs to apply the SCA reauthentication exemption as soon as possible after the changes to the SCA-RTS has come into effect on March 26, 2022”, with the aim of supporting a general adoption of the exemption by September 30, 2022.
TPPs are expected to be technically prepared to reconfirm customer consent under Article 36, paragraph 6 of the SCA-RTS as soon as possible after March 26, 2022. However, the FCA stated that it will not take action before September 30, 2022 if TPPs do not re-obtain customer consent, provided that SCA is applied at least every 90 days during that period. The aim is to allow services to be provided with no disruption.
Conclusion
SCA was introduced by the PSD2 in 2018 and has been in effect for more than a year in the EU. Data presented in the EBA’s report from June 2021 shows a significant percentage decrease in fraud rates in relation to value and volume in the period up to April 2021.
The Final Report on amending RTS on SCA and CSC under PSD2 introduces a new mandatory SCA exemption and proposes an extension to timelines for implementation of technical requirements from AISPs, as well as for customer reauthentication. The aim is to reduce friction to the customer experience, as well as facilitate innovation and promote competition.
The UK transposed PSD2 while it was still a member of the EU, but following Brexit has adopted its own RTS-SCA, which are fundamentally the same as those of the EU. However, the FCA extended the deadline for SCA implementation to March 14, 2022, and therefore it is too soon to determine the effects that SCA is having in the industry. However, based on the findings in the EBA’s report on fraud rates in the EU, the implementation of SCA in the UK could potentially reduce the number of fraud-related payments.
Following the EBA’s consultation to amend the EU RTS-SCA — apart from Article 10 of the UK RTS-SCA, which allows PSPs to voluntarily apply the exemption under certain conditions and only when the customer accesses the account information directly — the UK has not proposed and/or provided the rest of the changes and has yet to indicate whether it will follow the EU and introduce further amendments. The UK could be waiting until the changes are implemented in the EU to evaluate the results before deciding to replicate. If the UK does not decide to implement the changes, however, it will be likely that PSPs operating in both the EU and UK will have to implement different SCA reauthentication procedures across the two regions, potentially making the process more complicated and time consuming.
