The FCA consults on changes to Strong Customer Authentication (SCA) rules, SCA transaction thresholds for contactless payments and its guidance on payment services and electronic money

By Gavin Punia, Trystan Tether, Shane Barber, Scott McInnes, Michelle Chan, Ivan Sagál, Annette Printz Nielsen, Kristiina Lehvilä, Cathie-Rosalie Joly, Dr. Michael Jünemann, Konrad Siegler, Stefano Febbi, Slawomir Szepietowski, Kim Kit Ow, Adrian Calvo, Gregory Man, Hans Svensson

02-2021

On 28 January 2020, the FCA published a consultation paper CP21/3 (Consultation Paper) setting out proposed changes to the SCA-RTS, the guidance in the FCA’s approach document (Approach Document) and the Perimeter Guidance Manual (PERG). This consultation follows the FCA identifying the payments sector as a priority for the next 3 years in its 2020-2021 Business Plan.

The FCA has asked for comments relating to contactless payments by 24 February 2021. Comments on all other questions are to be provided by 30 April 2021.

SCA – access to account information

The FCA is adding a new exemption from SCA for when customers access their account information with their bank, payment institution (PI) or e-money institution (EMI) (an ASPSP) through a regulated Third Party Provider (TPP) such as an account information service provider (AISP). The existing requirement to re-apply SCA every 90 days has proven burdensome for customers, creating friction in the user experience, and hindering uptake of open banking services. The negative impact is increased for those customers holding multiple accounts with different ASPSPs who are required to complete SCA every 90 days with each ASPSP they want a TPP to have access to.

Therefore, the FCA is proposing to create a new exemption so that ASPSPs do not need to require their customers to apply SCA every 90 days when the customer uses a TPP to provide account information services. SCA will, however, be required when customers first decide to connect their account to a TPP service. The FCA also proposes to introduce new requirements where a TPP accesses account information where the customer does not actively request the account information. Currently, a TPP is permitted to do this up to four times a day. Where a TPP continues to access data in this way, it is proposed that the TPP will need to reconfirm the customer’s explicit consent every 90 days. If a customer fails to re-confirm their consent, the TPP will be required to disconnect access and stop collecting data from the customer’s ASPSP.

ASPSPs can continue to deny a TPP access to a customer account for reasonably justified and duly evidenced reasons relating to unauthorised or fraudulent access.

SCA – mandatory use of dedicated interfaces for current accounts and credit card accounts

The SCA-RTS currently requires ASPSPs to establish interfaces through which TPPs can access customer payment accounts in a secure manner. ASPSPs have the option to enable access via a dedicated interface or a modified customer interface (MCI) under Article 31 of the SCA-RTS. An MCI typically provides access to TPPs via existing customer interfaces operated by the relevant ASPSP (such as online banking or e-money account platforms). ASPSPs that have opted for a dedicated interface, by contrast, typically provide it as an API which TPPs can access or connect to.

In practice, the FCA has found that the existing use of MCIs by ASPSPs has proven challenging for TPPs, and therefore affected the customer experience. Many TPPs face difficulties when accessing customers’ payment accounts via MCIs, as they do not have the technology to connect. The few TPPs that have the technology must make considerable adjustments to their systems to be able to access each account provider’s individual MCI. Typically, they cannot access customer payment accounts without the customer being present, as most firms with an MCI do not rely on an exemption to the SCA requirement, so SCA is required.

Therefore, the FCA is mandating the use of dedicated interfaces by ASPSPs to facilitate TPP access to payment accounts which fall within the Payment Account Regulations 2015 such as personal and SME ‘current accounts’ and credit card accounts held by consumers or SMEs. The FCA recognises that this will require tech build by ASPSPs and so they will have up to 18 months to implement this change from when the final guidance is published.

SCA – availability of testing facilities and fallback mechanisms by ASPSPs

The FCA is proposing a change to the requirements for ASPSPs on publishing interface technical specifications and on the availability of testing facilities and fallback mechanisms. The FCA proposes to require that the technical specifications and testing facility only be made available to TPPs from the launch of new products and services, rather than 6 months in advance.

The FCA also proposes that the requirement for a fallback interface should only take effect six months after launch of the service. This would allow ASPSPs time to develop such an interface or request an exemption to the requirement to have one. ASPSPs with deemed authorisation under UK Temporary Permissions Regime (TPR) are exempt from the requirement to set up a fallback interface if the ASPSP has an exemption from its home state competent authority.

Contactless payments

The FCA is proposing to increase the single transaction threshold for contactless payments from £45 up to £100 (or potentially a maximum of £120) and the cumulative transaction threshold from £130 to £200.

Contactless payments up to the value of £45 per transaction are currently exempt from the requirements for SCA where the conditions in Article 11 of the SCA-RTS are satisfied. Also, contactless payments must be subjected to SCA whenever the cumulative transaction value threshold of £130 has been reached, or after 5 contactless transactions have been made in a row without SCA being applied.

In response to the coronavirus pandemic, card issuers have been relying on the forbearance period introduced by the FCA, which stated that it was very unlikely to take enforcement action where a firm failed to apply SCA when a customer exceeded the cumulative transaction value threshold under Article 11, provided that the firm has sufficient controls in place to mitigate the risk of unauthorised transactions and fraud. The FCA is interested in identifying the risks and benefits of formally changing the regulatory single and cumulative transaction thresholds.

Safeguarding and prudential risk management guidance

On 9 July 2020, the FCA published its temporary guidance on safeguarding, prudential risk measures and wind down plans, taking into account the feedback received during its June 2020 consultation. The FCA is now proposing to make this temporary guidance permanent and incorporate it in its Approach Document. This consultation period gives firms an opportunity to comment on the effect of adopting these measures on a permanent basis.

SAR regime for EMIs and PIs

On 3 December 2020, HMT consulted on a special administration regime for PIs and EMIs (SAR Consultation). Subject to the outcome of the SAR Consultation, the new SAR regime is expected to come into force later this year. HMT also consulted on extending certain powers of the FCA in Part 24 of the Financial Services and Markets Act 2000 (FSMA) to PIs and EMIs. The extension of these provisions would provide the FCA with powers to participate in an insolvency process of an FCA authorised or registered PI or EMI. The scope of the proposed application of Part 24 FSMA powers would be to all PIs and EMIs entering the standard insolvency process. Once it becomes clear what changes HMT intend to make, the FCA will consider whether it will need to make consequential amendments to the Approach Document.

Extension of BCOBS and Principles for Businesses

Since August 2020, the FCA’s Principles for Businesses have applied to PIs and EMIs. The FCA also extended the application of certain communication rules and guidance in the Banking Conduct of Business Sourcebook (BCOBS) to communications with payment service and e-money customers and made new rules and gave guidance on the communication and marketing of currency transfer services. The FCA is proposing to update the Approach Document to reflect these changes.

Proposed changes to PERG

The FCA has identified a lack of clarity in the industry on the types of products and services within scope of the criteria for exclusion under the limited network exemption under paragraph 2(k), part 2 of Schedule 1 of the Payment Services Regulations 2017 (PSRs) (LNE) and the electronic communication exemption under paragraph 2(l), part 2 of Schedule 1 of the PSRs (ECE).

The FCA proposes to amend PERG 15 to provide additional guidance on the types of products that may benefit from the LNE. The FCA also proposes to amend PERG 15 to give guidance on its expectations of firms that benefit from the ECE. The specific changes are set out in appendix 2 of the Consultation Paper.

Consultation period

As mentioned above, the FCA has asked for comments relating to contactless payments by 24 February 2021. Comments on all other questions are to be provided by 30 April 2021.

If you require further information or have any further questions, please contact our payments team.


If you would like to read Bird & Bird's previous alerts, please check out our Payments InFocus webpage here.

 
