pressmaster - stock.adobe.com
The Financial Conduct Authority has given an extra six months for businesses that process payments to meet the Strong Customer Authentication (SCA) rules.
Payment processing companies now have until 14 September 2021 to meet the regulations, which is part of the EU’s Payment Services Directive 2 (PSD2).
SCA rules mean that any online payments worth more than €30 would require two methods of authentication from the person making the payment, such as a password, biometric authentication such as a fingerprint, or having a phone that can identify them.
The EU’s PSD2 enables third parties to access the customer data held by banks via application programming interfaces (APIs), if customer consent is granted, and offer services using this information.
The original FCA deadline was September 2019, but this was extended to 14 March 2021 due to the “complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers”, according to its statement.
The Covid-19 pandemic has now forced a further delay. “[Due to] the exceptional circumstances of the Covid crisis, we are giving the industry an additional six months to implement strong customer authentication (SCA) for e-commerce,” said the FCA. “This will minimise potential disruption to consumers and merchants.”
The FCA said UK Finance will coordinate industry discussions about a phased implementation plan and a critical path which can be agreed with the FCA.” In the meantime, firms should continue with the necessary preparatory activities, such as robust end-to-end testing.”
Read more about strong customer authentication
- Financial Conduct Authority gives companies under its watch an extra 18 months to meet an EU payments security standard.
- The original deadline for PSD2 compliance quietly passed by at the weekend but it will be another 18 months before UK businesses meet the regulation’s rules on customer authentication.
- The announcement that the FCA was given permission to give extensions to companies implementing Strong Customer Authentication (SCA) was a gentle reminder that a major deadline was close.
Any organisation that fails to comply with the requirements for SCA after 14 September 2021 will face supervisory and enforcement action, added the FCA.
Last week, payments processors across Europe called on the continent’s banking regulator to extend the deadline for meeting the SCA as the Covid-19 crisis strains resources. Businesses are directing all resources possible to surviving the current global crisis, with limited resources left for projects such as SCA compliance. This is being made worse by lockdowns and staff cuts.
On behalf of non-bank payment processors, which it represents, the European Payment Institutions Federation (EPIF) – made up of the likes of Visa and Mastercard – wrote to the European Banking Authority requesting more support, including a six-month extension to the deadline.