The Financial Conduct Authority (FCA) has confirmed that due to the exceptional circumstances of the COVID-19 crisis, it is "giving the industry an additional six months to implement Strong Customer Authentication (SCA) for e-commerce".

The new timeline of 14 September 2021 replaces the 14 March 2021 date. The regulator stressed that firms are required to take all necessary steps to comply with the revised detailed phased implementation plan and critical path to avoid the risk of enforcement action.

"We expect UK Finance, as coordinator for the industry, to discuss the detailed phased implementation plan and critical path with all stakeholders and agree it with the FCA as soon as possible," read a brief statement. "In the meantime, firms should continue with the necessary preparatory activities such as robust end-to-end testing."

After 14 September 2021, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action, it added.

The move follows news earlier this week that the European Payment Institutions Federation (EPIF) called on the European Banking Association (EBA) and the European Commission to add an extra six months to the already delayed implementation of SCA rules due to the impact of the Coronavirus.

Last October, the EBA extended the deadline for the migration to 31 December 2020. Under the second Payment Services Directive (PSD2), SCA is defined as an authentication based on the use of two or more elements: knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is).

A letter addressed to EBA chair José Manuel Campa - co-signed by Ecommerce Europe, EuroCommerce, European Payment Services for Merchants, European Payment Institutions Federation, European Hotel Forum, EU Travel Tech, Independent Retail Europe, Digital Europe, Visa and Mastercard - explained that while 3DSecure implementation is progressing across Europe, "it is now clear that the COVID-19 crisis has significantly reduced the capacity available to progress SCA development and implementation".

The exceptional circumstances of this disease is putting an additional strain on the limited resources for all parties involved in the payment chain - especially the travel and hospitality sectors - it argued.

"Given these pressures, merchants cannot accommodate any additional risk of payment disruption," the letter stated. "Making technology changes when in crisis mode, with technical teams working remotely, adds significant risk to any deployment which could lead to further disruption, confusion and a worse customer experience."

The payments ecosystem involves a high number of dependencies and parties must work together to implement SCA, noted the EPIF. "The constraints the current crisis places on the roll out of SCA technology severely limits the time available for participants to test together, which is essential to a safe and controlled implementation - critically, the time lost during lockdown will not be able to be recovered later in the year due to system freezes pre-peak trading."

The signatories therefore called for appropriate additional measures and coordination to assist in the smooth transition to SCA in all EU Member States equally.

"In the light of COVID-19, this should also include the possibility of an at least additional six months for the market to be fully SCA ready," the letter concluded.

Commenting on the news, ACI Worldwide's director fraud management Amanda Mickleburgh agreed that pushing back the deadline makes sense during these exceptional circumstances.

“To avoid a ‘clunky’ roll out of SCA it is important that all members of the payment value chain are ready - the current pandemic clearly inhibits this and will place delays on businesses being able to complete deployment.”

Share Story: