The second Payment Services Directive (PSD2) has been a long time in the making, but the sector still isn't ready for it. From creating and testing the necessary Application Programming Interfaces (APIs), through implementing Strong Customer Authentication (SCA), to embedding the use of eIDAS certificates - the to-do list just keeps growing. The recent FCA decision to adopt a phased rollout of SCA for online banking and e-commerce offers a much-needed lifeline, and puts the UK payments industry on a stronger footing for successful implementation of the Directive. But it's important to use this extension wisely and keep up momentum to meet the new implementation dates.
A quick recap
The legal deadline for compliance with SCA implementation was 14 September 2019, but the FCA has deferred active supervision until March 2020 for online banking and March 2021 for e-commerce. The latter is dependent on firms being able to demonstrate that they are working to the rollout plan produced by UK Finance.
What this means for e-commerce
The trade association UK Finance was particularly concerned about the effect of these changes on commerce and consumers, and successfully petitioned for a phased rollout. Its main worry was that the lack of readiness would lead to many transactions being automatically declined and to a higher risk of fraud, leading to potential disruption and harm to consumers. As such, it laid out the following plan, which has been approved by the FCA:
- 14 September 2019 - Compliance point 1:
  - SCA introduced, but transactions that aren't compliant won't be automatically declined
- 1 February 2020 - Step-ups commence:
  - SCA to be more widely used, applying Risk-Based Authentication (RBA) and One Time Passcodes (OTP)
- 14 March 2020 - Compliance point 2:
  - Issuers should be able to support 3DSv2.X, and merchants should be testing with v2.1 and v2.2
  - Small merchants to be targeted for awareness
- 14 September 2020 - Compliance point 3:
  - Increased adoption rate and mass rollout; focus on customer readiness
  - Proposed EU-wide card scheme mandate to incentivise merchants to move to 3DSv2.2
- 14 March 2021 - Active supervision:
  - Behavioural biometrics and OTPs to be applied
  - Transactions which are not compliant with SCA requirements will be declined
What this means for online banking
Account Servicing Payment Service Providers (ASPSPs) were required to have a secure interface in place by September 2019 to share information with third parties. The interface must be fully functional and robustly tested through wide usage. As this isn't universally the case, the FCA has agreed to allow firms relying on screen scraping to continue the practice during the transition period, which means not applying SCA. The key reason for this is to allow third party providers (TPPs) to continue to access account data services and continue to provide their services in the short term.
Where APIs are in place, TPPs may use alternatives to electronic identification, authentication and trust services (eIDAS) certificates as needed. ASPSPs should inform TPPs of which ones they will accept.
Keep moving forward
It's important to maintain the focus on the final SCA changes and stay on target with the phased rollout plan. The FCA highlights the risk of fraud during this period and the importance of keeping consumers up to date on the changes. Proactive horizon scanning and keeping up to date with industry bodies (such as the Open Banking Implementation Entity or UK Finance) will help to establish best practice and support a successful implementation of SCA and PSD2 across the UK.