FCA delays Strong Customer Authentication

The Financial Conduct Authority (FCA) has responded to the European Banking Authority’s (EBA) opinion on Strong Customer Authentication (SCA), agreeing that some firms will be given extra time to implement the rules.

Last Friday, the EBA addressed key industry questions about which authentication factors comply with the requirements for SCA – a key part of the revised Payment Services Directive (PSD2).

In response to concerns about industry preparedness and ability to comply with the requirements, the opinion allows the FCA to give some firms extra time to implement SCA.

The legal deadline for complying with the regulatory technical standards remains 14 September 2019. “However, the FCA recognises the challenges in meeting this deadline and has been working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible after this,” the British regulator’s statement read.

“We aim to quickly agree a plan with stakeholders across the industry that encompasses a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver improved security of customer authentication and fraud reduction along the way,” the FCA continued, adding that it would cooperate with industry stakeholders and other authorities, including the Payment Systems Regulator, “to ensure delivery of the blueprint at pace”.

Once the group has finalised and agreed a plan, the FCA expects all participants to meet the agreed milestones, targets and final delivery date.

“We will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September in areas covered by the agreed migration plan, where there is evidence that they have taken the necessary steps to comply with the plan,” it added.

SCA is defined in PSD2 as an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.
