The Financial Conduct Authority (FCA) has confirmed an 18-month grace period in which UK firms can become compliant with the EU's PSD2 strong customer authentication rules.


FCA grants more time for PSD2 compliance

Strong customer authentication (SCA) in the UK has been given an 18-month phased introduction period by the Financial Conduct Authority (FCA), providing payments firms with more time to prepare for its implementation.

The financial watchdog today confirmed the delay to the full roll-out of the latest stage of the revised Payment Services Directive (PSD2) regulation, which is due to be enforced across the European Union on 14 September.

Industry groups have been appealing for more time to prepare for the new online security standards, which will require financial institutions to put in place a two-factor authentication process for online transactions over €30.

FCA executive director for supervision in retail and authorisations Jonathan Davidson said: “The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster.

“While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves so we have agreed a phased plan for their timely introduction.”

The agreement will be extended to card issuers, payments firms and online retailers in the e-commerce industry.


FCA gives 18-month grace period for compliance with strong customer authentication standards

SCA is intended to improve the security of online payment authentications and, in doing so, lessen the likelihood of fraudulent activity.

It is the second phase of the EU’s PSD2 legislation, which was first introduced in January last year as a means of increasing innovation and competition in the European finance industry by opening up access to customer data to third-party service providers.

The FCA says firms not yet compliant with the new authentication standards will be exempt from enforcement action after the September 14 deadline, provided there is evidence that they have “taken the necessary steps to comply” with its phased implementation plan.


After the 18-month grace period, the regulator expects all firms to have “made the necessary changes and undertaken the required testing to apply SCA”.


Industry pressure for FCA to soften strong customer authentication deadline

The decision to push back the deadline for full regulatory compliance follows industry pressure to give firms more time to prepare.

In June, the European Banking Authority opened the door for regulators to delay the full extent of SCA rules when it published an opinion paper acknowledging “the complexity of the payments markets across the EU and the challenges arising from the changes that are required”.

It also sanctioned “limited additional time” for firms to achieve compliance.

Trade organisation UK Finance was part of this push for a phased roll-out, and conveyed proposals to the FCA for a more gradual introduction of SCA.

Its managing director for personal finance Eric Leenders said: “Fighting fraud must be a priority for everyone and these new rules will be an important tool in protecting customers, helping keep them safe when they shop online.


“Today’s FCA plan, which supports our proposals for a managed roll-out, will help the industry ensure a timely migration to SCA and result in the best outcomes for consumers while effectively balancing both convenience and security.

“The banking and finance industry has worked closely with the FCA, retailer groups and other stakeholders to deliver these required changes in a way that minimises any disruption for consumers and businesses.

“We want to ensure that the convenience of making an online payment is balanced with these increased security standards.”

Other financial regulators across the EU are reported to be considering similar actions as the PSD2 deadline approaches.


Strong customer authentication will require extra security step to verify online transactions

Strong customer authentication will add an extra security step to online transactions, and financial services firms will be required to adapt their technology to accommodate it.

Instead of just supplying a password to authenticate a payment, customers will have to provide an extra form of identification, such as a code sent to a mobile phone or biometric data like a fingerprint or facial recognition.


Leenders added: “We expect that providers will have appropriate solutions in place to allow their customers to authenticate themselves.

“This could mean your bank or provider using text message, phone call, banking app or card reader to check your identity.

“Other methods are available and more are being developed that will make it even easier to shop more safely online in the future, including biometric technologies that could allow customers to be identified with something as simple as a thumbprint.”