FCA’s deadline for SCA implementation for e-commerce transactions expires

15 Mar 2022

Yesterday, 14 March, marked the new deadline set by the Financial Conduct Authority (FCA) for the implementation of Strong Customer Authentication (SCA) for e-commerce transactions.

To minimise disruption to merchants and consumers and to give firms extra time to implement these rules for card-based e-commerce transactions in response to concerns about industry readiness in light of the coronavirus crisis, the UK regulator extended the previous deadline of 12 September 2021 by six months. 

SCA is a set of rules, introduced in September 2014, which required banks and other payment services providers to check that the person requesting access to an account or trying to make a payment is permitted to do so. The rules were intended to enhance the security of payments and limit fraud during the authentication process. 

Initiatives like SCA, which are making payments more secure for consumers, have been welcomed by the industry. 

Nick Raper, Director of UK at Nuapay, said: “This regulation is fundamentally transforming how merchants and banks conduct payments.  

“With levels of online fraud increasing over the course of the pandemic, adding extra layers of security to protect businesses and consumers can only be welcomed. Without implementing appropriate security measures, we’ll see consumers begin to lose faith in online payments.”

Raper also noted that Open Banking payments, which are SCA compliant by nature, are an obvious solution, as they do not require a customer to share their card details with the merchant. A shift in the industry towards Open Banking payments would not only make businesses’ transition to SCA compliance far easier, but would also see payments fraud decrease.

Raper said: “The industry needs to stop talking about security and look to options already available such as Open Banking payments to ensure that the consumer impact is minimised and merchants are given the tools they need to remain compliant.” 

Earlier this month, the UK’s Open Banking Implementation Entity (OBIE) stated that it supports the FCA’s decision to update its guidance on SCA to extend the deadline for adoption of the exemption.

The UK regulator announced a change to the 90-day re-authentication rule in November 2021, meaning that customers will no longer need to re-authenticate when they access their account information through a third-party provider (TPP). 

Instead, the FCA said “TPPs will be required to obtain explicit consent from customers at least every 90 days”. 

Ghela Boskovich, head of Europe at the Financial Data and Technology Association (FDATA), says that “getting the authorities to acknowledge that the 90-day re-authentication requirement actually hindered the end-consumer’s ability to stay connected to services, move their data and their money, and leverage innovative services and products to maximise the economic value of their money” was crucial.  

In the latest update to its guidance in March 2022, the FCA said that while the regulatory change will still come into force on 26 March this year, ASPSPs will be required to apply the exemption as soon as possible after that date, “with a view to the widespread adoption of the exemption by 30 September 2022”.