Skip to main content
Insight

Further delays to SCA – a strong decision or a reality check?

John Worthy
26/05/2021

Locations

United Kingdom

The FCA's move to postpone the deadline for PSPs to introduce strong customer authentication until March 2022 is an acknowledgement of the challenges facing the payment services industry, but also raises questions about the fraud resilience of online payments.


 
On 20 May 2021, the UK's Financial Conduct Authority (FCA) announced a further delay to the deadline for banks and other payment service providers (PSPs) to introduce strong customer authentication (SCA) until March 2022 – six months later than previously planned.
 
The FCA said that the extension is designed to "ensure minimal disruption to merchants and consumers, and recognises ongoing challenges facing the industry to be ready by the previous 14 September 2021 deadline".
 
The FCA added that "we still expect firms to continue to take robust action to reduce the risk of fraud".
 
The regulator originally gave PSPs until March 2021 to introduce full SCA procedures according to a phased timeline. It subsequently agreed to give firms extra time to implement authentication systems for card-based e-commerce transactions in response to concerns about industry readiness.
 
The FCA then provided an additional six-month extension in response to the Covid-19 pandemic, before putting off the deadline again until March next year.
 
Delay – preferable to a cliff edge?
 
Given the growing use of online payments and increasing prevalence of fraud against consumers, this latest extension has prompted questions about whether imposing industry-wide SCA standards for PSPs is too ambitious.
 
The SCA standards aim to enhance security and prevent fraud, by ensuring banks and other PSPs know who is requesting access to an account or making a payment.
 
The standards were developed under the second EU Payment Services Directive (PSD2) and have been effective in the UK under EU law since September 2019, and have notionally been in force since then.
 
The FCA's latest rescheduling of the SCA deadline for e-commerce reflects its recognition that the combination of the pandemic and the systems adjustments required for SCA have proved more challenging than expected – for PSPs, merchants and consumers who need to get used to enhanced security.
 
PSPs have been working on the upgrades for some time and many have now achieved the required readiness levels.
 
However, for those that are not ready, the FCA seems to have decided that giving these parties more time to get their systems up to scratch is preferable to imposing fines or forcing them to rush implementation.
 
Merchants have also needed to take the changes on board. Some merchants in EU member states have struggled with a substantial drop in conversion rates, as consumers have found the increased friction in the transaction flow daunting.
 
But while some have continued to have difficulties with the system and process adjustments, the problems are not expected to be insurmountable.
 
More significantly, as the legal requirements are built into UK law (as well as EU law), this latest postponement should be seen as offering some breathing space in the UK, rather than as a step towards avoiding the requirements in the longer term.
 
Impact on EU-UK payments
 
With the UK ostensibly lagging the EU on SCA, there have also been questions about the possible negative impact on online payments between the UK and the EU.
 
However, in reality, the further FCA extension means that cross border payments will continue to be subject to existing multi-level compliance requirements, given that the European Banking Authority (EBA) deadline for SCA in ecommerce passed in December 2020. 
 
PSPs and merchants with cross-border operations in the UK and Europe will need to continue operating a delicate balance of payment processes, reflecting the different approaches required according to the location of the parties, and their varying fraud prevention processes and degrees of PSD2 compliance.
 
This article was authored by John Worthy, technology, outsourcing and privacy partner at Fieldfisher.
 
 

Sign up to our email digest

Click to subscribe or manage your email preferences.

SUBSCRIBE