Extra time awarded by FCA for Strong Customer Authentication and for screen scraping payment accounts under PSD2 Open Banking

On 2 September 2019, the UK Financial Conduct Authority (FCA) published a statement on its website confirming that extra time (namely 18 months) is being given to card issuers and acquirers to implement the Strong Customer Authentication (SCA) rules as set in the UK Payment Services Regulations 2017 (PSRs) and related EU standards in certain areas (see here). 

The FCA also announced that, although a new technical regime for how AISPs and PISPs (together TPPs) are accessing payments accounts is due to come into effect on 14 September 2019 replacing the screen scraping that most TPPs use today, the FCA is requiring that some ASPSPs continue to allow the screen scraping of their payment accounts for an additional 6 months (i.e. until 14 March 2020). 

We address both topics in turn.

1. SCA – e-commerce card transactions 

Pursuant to PSD2, as implemented within the PSRs, issuers and acquirers have to ensure that the card issuer performs an SCA of the cardholder when it is initiating a payment, including when it is initiating an e-commerce transaction with its card – unless one of the exemptions contained in the SCA Regulatory Technical Standards (RTS) is applicable.  The deadline for compliance is 14 September 2019. 

However, the industry across the EU has been arguing that the 14 September 2019 deadline is too aggressive and have requested more time. 

On 21 June 2019, the EBA published an Opinion empowering national competent authorities (NCAs), on an exceptional basis, to provide limited additional time to allow issuers and acquirers to migrate to authentication approaches compliant with SCA (see here).

On 13 August 2019, the FCA already announced that it had agreed on an 18-month adjustment period for issuers and acquirers to implement SCA for e-commerce transactions (see here https://www.fca.org.uk/news/press-releases/fca-agrees-plan-phased-implementation-strong-customer-authentication); and since then a number of other NCAs have published similar statements announcing that they would grant more time to issuers and acquirers to comply with SCA (see previous Bird & Bird client alerts on Denmark here, Italy here, Poland here, Germany here - for France, see here). 

On 20 August 2019, the FCA also sent a "Dear CEO" letter to UK issuers and acquirers (see here) stating that UK Finance have worked on an industry plan to implement SCA for card-based e-commerce transactions. In order to support the orderly transition to SCA and avoid a negative impact on consumers and merchants, the FCA will not take enforcement action against issuers and acquirers if they are not SCA compliant from 14 September 2019 in the areas covered by the UK Finance industry plan.

On 2 September 2019, the FCA confirmed that it "will not take enforcement action against firms simply for not meeting the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan".

The UK Finance "agreed plan" that the FCA is referring to provides for an 18-month managed rollout in 4 steps (see here):

1. 1 February 2020 - for issuers to begin to step up transactions using both risk based authentication (RBA) and OTP where available;

2. 14 March 2020 - for merchants to actively test versions 2.1 and 2.2 of 3D Secure authentication (3DS);

3. 14 September 2020 - for products to be rolled out on a mass scale (with necessary extra time for smaller merchants to implement the solutions);

4. 14 March 2021 - for active supervision to begin. The FCA confirms that after this date, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action as appropriate.

In addition, UK Finance announces that it is setting up a Programme Management Office (PMO) (that would have apparently already started to work since mid-August 2019) whose goal is to provide industry details on how to report progress as well as more detailed metrics for measurement on an industry basis. Also, the PMO will aim at providing clarity on a number of unanswered issues which need to be resolved for the industry to move forward (e.g. dynamic linking and online grocery shopping).

In conclusion, the FCA advises issuers and acquirers involved in card-not-present transactions not to act outside the agreed industry delivery plan and to continue to work together with the FCA over the next 18 months to ensure the smooth and timely implementation of SCA by 14 March 2021.

The FCA highlights in its announcement that issuers "need to provide several different methods of authentication for [their] customers. This includes methods that do not rely on mobile phones to cater for consumers who will not have or are unable to use a mobile phone". 

It is worth noting that, in parallel to the various NCAs announcing "regulatory holidays" for their national PSPs (in particular for issuers and acquirers in relation to e-commerce transactions), the EBA is expected to issue another Opinion in the not-too-distance future that is meant to harmonise the adjustment periods that the various NCAs are granting to their national PSPs (e.g. France has so far announced a migration plan until June 2022, i.e. longer than the 18 months granted in the UK). Query what will happen to those NCA announcements if the EBA's Opinion will recommend a shorter adjustment period: will the various NCAs reduce the duration of the adjustment periods, or will they leave them unchanged? To be continued…

2. Open Banking – screen scraping allowed for an addition 6 months

Under PSD2, as implemented under the PSRs, ASPSPs need to give access to TPPs to payment accounts that are available online so that TPPs can offer AIS and PIS services to customers. 

To date, most TPPs were screen scraping payments accounts (although some TPPs were using another technology called reverse engineering).

As from 14 September 2019, ASPSPs need to offer access to payments accounts either through: 

- a dedicated interface (typically referred to as an API). In which case the ASPSP also needs to make a fallback available to the TPP in case the API "does not perform in compliance with [the RTS], that there is unplanned unavailability of the interface and that there is a systems breakdown", unless the ASPSP is exempted by its NCA from the requirement to offer a fallback; or 

- through the interface made available by the ASPSP to the user, but adapted in order to allow for the identification of the TPP (what the FCA referred to as a "modified customer interface" or MCI). This is sometimes referred to as "screen scraping plus", i.e. screen scraping of the payment account, but with a mechanism to allow for the identification of the TPP, namely an e-IDAS certificate.

Therefore, under PSD2 and the RTS, from 14 September 2019 screen scraping as we know it today (where the ASPSP is not able to identify the TPP) should no longer be tolerated. 

However, in its publication, the FCA confirmed that if an ASPSP:

1. is providing access to TPPs through an API (as opposed to the MCI) and 

2. did not have all payment accounts accessible to TPPs in the production API (i.e. containing real user data) on or before 14 June 2019, 

that ASPSP should continue to allow TPPs to screen scrape the payment accounts during the period between 14 September 2019 and 14 March 2020 (i.e. 6 months). "This means not applying SCA to access accounts online during this period", despite the fact that PSRs do require the ASPSP to SCA the user when it accesses its payment account online. 

The FCA also confirms that, after 14 March 2020, the PSD2 and RTS regime on how to access payment accounts will become fully applicable, and therefore failure to comply with the requirements will be subject to full FCA supervisory and enforcement action as appropriate.

The FCA announcement also contains a few additional statements – for example: 

- If, during the 6-month adjustment period, an ASPSP is granting access to TPPs via the MCI (rather than an API), the FCA indicates that the ASPSP may choose (i.e. optional) not to apply SCA (despite the fact, again, that as from 14 September 2019 an ASPSP is in principle required to SCA the user when accessing its payment account online).   

- During the 6-month adjustment period, all ASPSPs are "encouraged to allow TPPs that do not yet have an …  eIDAS … certificate and are accessing accounts via APIs, to use an equivalent certificate enabling secure identification (for instance an Open Banking certificate)".

- Both during the 6-month adjustment period and after that period, all ASPSPs are encouraged to make use of the (optional) 90-day SCA exemption contained in Article 10 of the RTS – i.e. to only request the user accessing its payment accounts to SCA every 90 days, rather than every time it accesses its payment accounts.

Should you have any questions concerning the above, please do not hesitate to contact one of the members of the Bird & Bird global payments team.