Strong Customer Authentication, Fraud and the Coronavirus Crisis: New UK FCA guidance to firms
Written By
The Financial Conduct Authority (FCA) in the UK has published a series of updates on COVID-19 over recent days and weeks. On 31 March 2020, the FCA updated its guidance to firms on Strong Customer Authentication (SCA) in light of the possible disruption to the implementation of SCA and the high risk of fraud during the Coronavirus (COVID-19) crisis.
Following an extension of the deadline implementation by the FCA, SCA rules have generally applied in the UK since 14 September 2019 although further extensions had already been granted in respect of online banking and card transactions until respectively 14 March 2020 and 14 March 2021. The SCA rules derive from the Payment Service Regulations 2017 (PSRs), which is the UK implementation of the second Payment Services Directive (PSD2). Under the PSRs, firms must apply SCA when a customer initiates an electronic payment, accesses their online payment account, or undertakes any other action which implies a risk of fraud.
In its guidance on SCA, updated for the COVID-19 Crisis, the FCA has set out the following guidance:
SCA for Online Banking
The FCA will show forbearance on a case-by-case basis for firms which have yet to fully implement SCA in online banking. The FCA will take into account a firm's current security measures on customer online access and payments, processes in place to reduce and protect customers from fraud, and the impact of the current circumstances on a firm’s ability to implement SCA for online banking.
Implementing the SCA rules to online banking had an adjustment period ending on 14 March 2020 - just as COVID-19 was beginning to affect business – and some firms have yet to finalise the appropriate technical changes to their platforms including certification processes.
SCA for Contactless Payments
Due to the decreased risk of virus transmission associated with contactless payments, the FCA has stated that, during the COVID-19 crisis, it is unlikely to take enforcement action against firms which fail to apply SCA for contactless payments, as long as firms have the necessary fraud monitoring tools and systems in place and take swift action where appropriate.
Ordinarily, firms must apply SCA to contactless transactions when:
- the cumulative value of transactions since the last application of SCA exceeds €150, or
- five contactless transactions are made in a row.
SCA for e-Commerce
The FCA will engage with industry stakeholders to see whether changes to the implementation timelines are necessary. E-commerce card transactions in the UK were subject to an adjustment period of 31 March 2021, and it appears that further delays in implementation are now possible.
The FCA has asked that firms to contact them as soon as possible if they are facing difficulties with implementing SCA according to the required deadlines.
This recent update to the FCA's SCA guidance page demonstrates the FCA’s alert and responsive approach to the impact of the COVID-19 crisis on firms currently applying or working to apply SCA, and that the current crisis may impact firms implementing SCA. Indeed, as the situation unfolds, we expect to see regular updates on the application of SCA rules and further developments to the SCA implementation timeline from the FCA.
Should you have any questions about the above, please do not hesitate to contact one of the members of the Bird & Bird global payments team.
If you would like to receive our regular Payments alerts in your inbox, click here.
If you would like to read Bird & Bird's previous alerts, please check out our Payments In Focus webpage here.
Last reviewed: 07 April 2020
