SCA-RTS: Key proposed changes
Following discussions with the industry, trade bodies, and responses to its recent Call for Input on Open Finance, the FCA has identified barriers to successful competition and innovation in the UK payments landscape posed by requirements in the onshored SCA‑RTS. The FCA proposes the following amendments to the SCA-RTS to address these barriers:
- ASPSPs need no longer require their customers to perform SCA every 90 days when the customer uses a TPP to provide account information services (AIS), although SCA will be required when customers first connect their account to that service.
- AISPs will continue to be able to access a customer account without the customer’s active request to do so, up to four times a day, but will now need to reconfirm the customer’s explicit consent every 90 days.
Access Interface for TPPs
- The use of dedicated interfaces, rather than modified customer interfaces (MCIs), will be mandatory for:
  - personal current accounts;
  - accounts that would fall under the definition of payment accounts within the meaning of the PARs but that are held by SMEs; and
  - credit card accounts held by consumers or SMEs.
- Certain account providers/accounts would be excluded from the above requirement, meaning that the use of MCIs will remain a compliant alternative for TPP access to:
  - accounts provided by small payment institutions (SPIs) and small e-money institutions (SEMIs);
  - firms relying on the temporary permissions regime (TPR) or supervised run-off regime (SRO); and
  - non‑SME corporate customer accounts.
- Firms will be given up to 18 months to implement this change after the guidance is finalised.
Technical specifications and testing facilities
- Technical specifications and testing facilities for interfaces may now be made available at the launch of new products and services: they are not required six months in advance.
- The obligation to maintain a contingency mechanism will kick in six months after launch, allowing account providers time to develop such an interface, or to request the exemption.
Contingency mechanism exemption (CME)
- EEA ASPSPs operating under the TPR or SRO will be able to rely on any home state CME until they apply to the FCA or the PRA for authorisation. At that point they will need to apply to the FCA for a new exemption.
- The single and cumulative transaction thresholds for contactless payments will rise from £45 up to £100 (or potentially a maximum of £120) and from £130 to £200 respectively.
Approach Document: Key proposed changes
The FCA is also suggesting changes to its Approach Document to reflect changes resulting from Brexit and the onshoring process, and also to explain how the regulations, rules and guidance apply to firms within the TPR or SRO. These changes include the amendment of Article 34 of the SCA-RTS (that now requires account providers to accept at least one other electronic means of identification issued by an independent party, in addition to eIDAS certificates).
TPPs, SCA and dynamic linking
The document is also being updated to reflect developments over the past two years, including certain Q&A responses and opinions from the EBA and the European Commission on SCA and the RTS, and industry input. These include:
- Dynamic linking for transactions where the final amount is not known: As before, SCA need not be repeated where the eventual transaction amount is lower than that originally agreed. However, the FCA is also allowing a tolerance of up to 20% above the original amount before requiring SCA.
- Liability for fraudulent or unauthorised transactions: In relation to allocation of liability for losses arising from a fraudulent or unauthorised transaction, the FCA confirms that the payee’s PSP (e.g. an acquirer) should be liable where it (rather than the account provider) triggers an exemption and the transaction is carried out without applying SCA.
- SCA elements: The FCA confirms that:
  - a device could only be used as evidence of possession where there is a reliable means to confirm possession;
  - static card data can constitute neither a knowledge factor nor a possession factor; and
  - behavioural biometrics could constitute inherence. The FCA states that inherence ‘relates to physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these’, and makes clear that inherence excludes other individual properties, such as spending patterns.
- Authentication code: An authentication element used to access a payment account online (including via a mobile) may be reused for a payment initiation within the same online session (i.e. a “persistent first factor”). Dynamic linking would need to use the SCA element relied on at the time the payment is initiated.
- Merchant-initiated transactions: These are out of scope of SCA (unless the payer’s initial activity in setting up such transactions involves a remote channel that implies a risk of fraud etc., in which case that process of setting up must involve SCA).
- Information sharing from ASPSPs to TPPs: ASPSPs must share the name of the account holder with PISPs, if the name is shown to the customer in their online account. The same applies to the account number and the sort code if these are shown to the customer after they make a payment.
Prudential risk management and safeguarding
The draft changes to the Approach Document also include the FCA’s proposal to make its July 2020 temporary guidance on safeguarding and prudential risk management permanent and to consolidate its guidance on risks and controls relating to the insurance method of safeguarding as provided in a December 2019 letter to firms’ compliance officers (Appendix 3 to the consultation paper), extending it to the guarantee method of safeguarding.
The FCA has also taken the opportunity to clarify its expectations on notifications under the Limited Network Exclusion and Electronic Communications Exclusion.
Approach Document: possible future changes
- Impact of DenizBank case: The FCA is considering any potential impact of the recent European Court of Justice judgment in the DenizBank case and its conclusions on contactless card payments and is leaving the door open to future amendments to the Approach Document if considered appropriate. Take a look at our separate article for more on the DenizBank judgment.
- New special administration regime for PIs and EMIs: A new special administration regime for PIs and EMIs is expected to come into force later in 2021, and HM Treasury is also consulting on extending certain powers in Part 24 of FSMA to PIs and EMIs to provide the FCA with powers to participate in an insolvency process of an FCA authorised or registered entity. In that context, the FCA will consider whether any consequential amendments to the Approach Document are required.
Given the current COVID-19 crisis, the FCA plans to respond to feedback received on the consultation questions relating to contactless payments as soon as possible after 24 February 2021. The deadline for the rest of the consultation is 30 April 2021.
Authored by James Black, Charles Elliott, Julie Patient and Virginia Montgomery