The UK’s Financial Conduct Authority (FCA) has confirmed that the implementation of new rules aimed at boosting the security of payments and reducing fraud will be delayed for 18 months.
The FCA’s move gives the country’s e-commerce industry until March 2021 to implement ‘Strong Customer Authentication’ (SCA) rules, which will govern how banks or payment services providers verify customers’ identities and validate payment instructions. The SCA rules were originally intended to come into force at the beginning of this week.
SCA, which is part of the EU’s Second Payment Services Directive (PDS2), will introduce ‘two-factor authentication’, ensuring that many payments will require people to provide two of three means of verifying their identity: something you have (for example, a card or mobile phone); something you know (for example, pin number or the mobile phone access code); or something you are (for example, fingerprint or face recognition).
The FCA’s move reflects the European Banking Authority’s (EBA’s) June decision that national regulators could give providers more time was needed to implement SCA. Last month, the FCA confirmed that, at the end of this new 18-month “phased implementation” period, the FCA “expects all firms to have made the necessary changes and undertaken the required testing to apply SCA”.
Jonathan Davidson, the regulator’s executive director for supervision – retail and authorisations, explained in an FCA statement: “The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster. While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves. So we have agreed a phased plan for their timely introduction”.
Elsewhere in Europe
National regulators in other EU member states have, like the FCA, been signalling that they would be flexible in policing the implementation of new EU regulations.
The Central Bank of Ireland on 8 August put out a statement referencing “a limited migration period” and said it would “continue to engage with the EBA and other National Competent Authorities in the European Union in relation to this issue, aiming to agree a harmonised approach to the migration time periods across the European Union. The Central Bank of Ireland will continue to communicate on this issue as it develops”.
The European Banking Authority (EBA) had announced on 21 June that “on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September, NCAs [National Competent Authorities] may decide to work with payment service providers [PSPs] and relevant stakeholders, including consumers and merchants, to provide limited additional time”.
The EBA said then that “in order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.”
Reaction in the UK
In the UK, trade association UK Finance was one of those to respond to the FCA’s move. Its managing director of personal finance, Eric Leenders, said the FCA’s “managed rollout” will help industry “ensure a timely migration to SCA and result in the best outcomes for consumers while effectively balancing both convenience and security”.
But Computer Business Review said that the FCA’s confirmation of the 18-month delay mean that the payments and e-commerce industries have “won an open banking reprieve.”