FCA delays Strong Customer Authentication

The Financial Conduct Authority (FCA) has responded to the European Banking Authority’s (EBA) opinion on Strong Customer Authentication (SCA), agreeing that some firms will be given extra time to implement the rules.

Last Friday, the EBA noted key industry questions about which authentication factors comply with the requirements for SCA – a key part of the revised Payment Services Directive (PSD2).

In response to concerns about industry preparedness and ability to comply with the requirements, the opinion allows the FCA to give some firms extra time to implement SCA.

The legal deadline for complying with the regulatory technical standards remains 14 September 2019. “However, the FCA recognises the challenges in meeting this deadline and has been working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible after this,” the British regulator’s statement read.

“We aim to quickly agree a plan with stakeholders across the industry that encompasses a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver improved security of customer authentication and fraud reduction along the way,” the FCA continued, adding that it would cooperate with industry stakeholders and other authorities, including the Payment Systems Regulator, “to ensure delivery of the blueprint at pace”.

Once the group has finalised and agreed a plan, the FCA expects all participants to meet the agreed milestones, targets and final delivery date.

“We will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September in areas covered by the agreed migration plan, where there is evidence that they have taken the necessary steps to comply with the plan,” it added.

SCA is defined in PSD2 as an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.

    Share Story:

Recent Stories


Meet Evelyn, your Economic Sanctions/PEP/Adverse Media Alert Adjudication Analyst
Meet Evelyn, an Economic Sanctions/PEP/Adverse Media Alert Adjudication Analyst, who uses native AI/ML capabilities to automate the Customer/PEP screening and Negative News screening alert adjudication processes for leading BFS organizations with greater speed, accuracy, and consistency than human analysts.

New Business Frontiers
FStech’s Mark Evans discusses the future of financial services with Liu Jianning of Huawei, covering the limitations that current thinking can impose, how financial institutions can embrace technology to be both agile and resilient, and making space for the organisation to focus on the job of creating innovative business models and on delivering business value for their customers.

The Future of Intelligent Finance
FStech Group Editor Mark Evans sits down with Jason Cao, President of Global Financial Services Business Unit, Enterprise BG at Huawei ahead of its Intelligent Finance Summit which was held on 3rd and 4th of June in Shanghai. This Q&A delves into key trends in digital transformation of the financial services industry as well as a look at how data, robotic infrastructure, intelligent storage and innovative technologies are shaping the future for FSIs.