
FCA cuts payment services firms some slack on SCA rules

What happened?

Earlier this month, just days ahead of the 14 September implementation date, the FCA announced that payment services providers have a little longer to prepare themselves for certain aspects of the Strong Customer Authentication (SCA) rules.

The regulator has announced two separate extension periods. The first allows third-party providers to continue accessing payment accounts online using screen-scraping for another six months. The second provides extra time for the introduction of two-step authentication for cardholder-not-present transactions.

Background

The SCA rules (as set out in the Payment Services Regulations 2017) require banks, payment services providers and third-party providers (TPPs) to take additional steps to validate customers’ identity and payment instructions when they attempt to access their account or make a payment.

The FCA had become aware that some Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) (collectively known as TPPs) in the payment services sector might struggle to continue operations compliantly after the 14 September deadline.

To avoid disruption for customers, the regulator has allowed the following two extension periods.

Carry on scraping

The FCA has given firms that offer payment accounts until 14 March 2020 to create a dedicated interface (via Open Banking protocols) for communicating securely with TPPs. During this period, TPPs will be permitted to continue using screen-scraping to access payment accounts online.

The FCA had implemented requirements for Account Servicing Payment Service Providers (ASPSPs) to put in place a means of providing TPPs with access to account data and payment functionality by 14 September 2019. The regulator had required that the selected method – either a dedicated interface based on Application Programming Interface standards (APIs) or a Modified Customer Interface (MCI) – should be compliant with the EU’s Second Payment Services Directive (PSD2).

The newly announced adjustment period recognises that some ASPSPs may have been slower than hoped to provide TPPs with API access. The FCA has now said that where an ASPSP had not made all payment accounts accessible by APIs by 14 June 2019, it should continue allowing screen-scraping during the adjustment period and not apply SCA rules to account access until 14 March 2020.

The regulator now stipulates simply that payment services providers should ‘move to API access where available as soon as possible’. From 14 March next year, however, any failure by payment services providers to comply fully with the requirements for SCA rules and identification will result in supervisory and enforcement action.

The FCA has stressed that, during the adjustment period, TPPs should use an eIDAS certificate or an equivalent certificate to identify themselves. Where this is not possible, for example when using screen-scraping to access accounts, they need to be transparent and open about their identities.

SCA delay for online payments

Responding to industry concerns about a lack of preparedness for applying SCA rules to card transactions where the cardholder is not present, the European Banking Authority has assented to the FCA allowing firms an additional eighteen months to implement SCA rules on such transactions.

The FCA has now accepted an industry-wide plan prepared by UK Finance for achieving this as soon as practicable. Provided they can demonstrate taking steps to comply with this plan, firms will not now risk disciplinary action before 14 March 2021.

In the meantime, however, the FCA has stressed that it expects firms to continue taking all appropriate steps to manage fraud risk and to be open and transparent with consumers and merchants to minimise disruption.

How can Thistle help you?

For practical expert advice on this or any other regulatory issues affecting payment service providers, you can call on Thistle. We can help you understand exactly what’s required of your firm to comply with SCA rules. We also have the experience and expertise to help with FCA open banking applications.

Our dedicated Payment Services team works with payment initiation services providers (PISPs), account information service providers (AISPs) and other payment services providers. We advise on everything from FCA applications, small payments institution registration, and REP018 submissions to auditing, financial crime, and regulatory returns.

To find out more, visit our Payment Services page – or simply call us on 0207 436 0630 or email info@thistleinitiatives.co.uk.