The payments and ecommerce industry has won a last-minute reprieve from the Financial Conduct Authority (FCA) over Strong Customer Authentication (SCA) rules, gaining 18 more months to introduce the new payment security measures required under Europe’s PSD2 directive, which had been due to come into force on September 14.
The move comes just four weeks before the PSD2 deadline and amid increasingly vocal concern from an industry – that critics say was caught napping – about its lack of readiness for SCA, as well as initial resistance from European regulators.
The extension follows a late-June opinion from the European Banking Authority (EBA) in which the clearly frustrated regulator said that “on an exceptional basis” national regulators may be able to provide limited additional time for implementation.
(“Sufficient time has been available for the industry to prepare for the application date of SCA, given that the definition of SCA had been set out in PSD2 when it was published in 2015, which gave clear indications that existing authentication approaches would need to be phased out,” it grumbled in the opinion).
Strong Customer Authentication Delay: 18 Months More
Deep Labs CSO Mike Lynch earlier told Computer Business Review “organisations did not consider the complexity” of introducing SCA into their systems.
SCA involves the introduction of robust additional security authentication, including 2FA for the majority of online transactions over €30 (roughly £26).
In a statement published Tuesday, the FCA said: “The plan reflects the recent opinion of the European Banking Authority (EBA) which set out that more time was needed to implement SCA given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers.”
Jonathan Davidson, the FCA’s executive director for supervision – retail and authorisations, said: “The FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA.”
The decision drew a mixed industry reaction. Shane Happach, EVP, Head of Global eCommerce, Merchant Solutions, FIS, said in an emailed comment: “While we are supportive of the extra implementation time… it is critical the industry still drives towards the ultimate goal of protecting consumers against fraud.
“[The extension] risks causing a loss of momentum around the long term aims of PSD2, which are to reduce fraud and protect consumers. It’s now of utmost importance that other European regulators follow suit by announcing their implementation plans soon, to ensure a harmonised approach to SCA adoption.”
Under SCA two-factor authentication is required for payments above the 30 euro threshold. As Mike Lynch earlier told us: “[As well as 2FA], strong customer authentication requires: secure communication sessions so that an authentication code or push notification cannot be altered or intercepted; software authenticity, maintained through tamper-proof features to ensure that the amount of the transaction and the payee/beneficiary of the transaction are safeguarded during all phases of the authentication, including generation, transmission, and usage, and separate and secure execution environments, as per the [PSD2] articles.”
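The requirement Lynch describes, that the authentication code be tied to the transaction amount and payee so that neither can be altered after the customer approves, is what PSD2 calls dynamic linking. The following is an added illustration written for this article, not code from any bank, PSP or vendor quoted above. It assumes a symmetric key shared between the issuer and the customer's authenticator (a hypothetical `shared_key`), a per-transaction nonce supplied by the issuer, and a constructed placeholder payee identifier; it shows that a code computed over the original amount and payee fails verification when either field is changed, and includes the €30 threshold check from the text.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Low-value exemption from the article: SCA applies to online transactions over EUR 30.
SCA_THRESHOLD_CENTS = 3000


@dataclass(frozen=True)
class PaymentRequest:
    amount_cents: int   # integer minor units avoid float ambiguity in the signed message
    currency: str
    payee: str          # e.g. an IBAN; a constructed placeholder is used below


def requires_sca(amount_cents: int) -> bool:
    """True when the payment is above the EUR 30 low-value threshold."""
    return amount_cents > SCA_THRESHOLD_CENTS


def _canonical_message(payment: PaymentRequest, nonce: bytes) -> bytes:
    """Length-prefix every field so that moving bytes between fields
    (e.g. from payee into amount) cannot produce the same message."""
    parts = [
        str(payment.amount_cents).encode(),
        payment.currency.encode(),
        payment.payee.encode(),
        nonce,
    ]
    out = b""
    for part in parts:
        out += len(part).to_bytes(4, "big") + part
    return out


def generate_auth_code(shared_key: bytes, payment: PaymentRequest, nonce: bytes) -> str:
    """Authentication code computed by the customer's authenticator over the
    amount, currency, payee and issuer nonce. Changing any of these changes the code."""
    msg = _canonical_message(payment, nonce)
    return hmac.new(shared_key, msg, hashlib.sha256).hexdigest()


def verify_auth_code(shared_key: bytes, payment: PaymentRequest, nonce: bytes, code: str) -> bool:
    """Issuer-side check: recompute the code over the payment it is about to
    execute and compare in constant time. A payment whose amount or payee differs
    from what the customer approved will not verify."""
    expected = generate_auth_code(shared_key, payment, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Walk through approval, then two tampering attempts on the approved payment."""
    shared_key = b"constructed-demo-key-do-not-use-in-production"
    nonce = secrets.token_bytes(16)          # fresh per transaction, issued by the bank
    approved = PaymentRequest(4500, "EUR", "IBAN-PLACEHOLDER-PAYEE")
    code = generate_auth_code(shared_key, approved, nonce)

    # Constructed tampering cases: same code presented for a changed transaction.
    amount_changed = PaymentRequest(95000, "EUR", "IBAN-PLACEHOLDER-PAYEE")
    payee_changed = PaymentRequest(4500, "EUR", "IBAN-PLACEHOLDER-OTHER")

    return {
        "sca_required": requires_sca(approved.amount_cents),
        "original_verifies": verify_auth_code(shared_key, approved, nonce, code),
        "amount_change_verifies": verify_auth_code(shared_key, amount_changed, nonce, code),
        "payee_change_verifies": verify_auth_code(shared_key, payee_changed, nonce, code),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The nonce gives each approval a single use, so a code captured from one transaction cannot be replayed against another; the length-prefixed encoding is what makes the binding to amount and payee unambiguous rather than relying on a delimiter character that an attacker-controlled payee string could contain.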