The Financial Conduct Authority has agreed a plan to allow the payments and e-commerce industry extra time to implement Strong Customer Authentication.
From 14 September 2019, new EU rules under the Payment Services Directive 2015/2366/EU will start to apply. The Directive requires providers to implement Strong Customer Authentication (SCA) through verification of customer identity and validation of specific payment instructions. The new rules aim to enhance the security of payments and limit fraud during this authentication process.
The FCA has now agreed an 18-month window for providers to implement SCA. The plan reflects the recent opinion of the European Banking Authority that more time was needed to implement SCA given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers.
During this period, no enforcement action will be taken against firms that do not meet the relevant requirements provided there is evidence that they have taken the necessary steps to comply with the plan. At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA.
The FCA will also continue to monitor the extent to which banks and payment service providers are meeting its expectation that they consider the impact of SCA on different groups of consumers, and provide alternative means of authentication where needed.
Requirements for online banking will begin to be phased in from September 2019 as planned.
The changes will not be affected by the UK leaving the EU, either with or without a deal.