What has happened?
The Financial Conduct Authority (FCA) has announced a plan to extend the timetable for the implementation of strong customer authentication (SCA) under PSD2.
What does this mean?
Under the 18-month plan, which relates to e-commerce card transactions, the FCA will not take enforcement action against firms which do not comply with SCA from 14 September 2019 in areas covered by the plan, as long as there is evidence they have taken steps to comply with it.
After the 18-month period (up to March 2021), the FCA expects all firms to have made the necessary changes and be able to apply SCA.
The FCA will also be monitoring how well banks and payment service providers consider the impact of SCA on different groups of consumers, as well as alternative means of authentication if necessary.
On the same day, the FCA published a new webpage on SCA on which it states that for online banking the implementation of SCA will be completed by 14 March 2020, ie allowing a six-month phased implementation. It is unclear how this relates to the ‘adjustment period’ mentioned below.
It has also been reported that the FCA has said it will be applying a six-month 'adjustment period' for access interfaces.
This suggests that it will not be taking action against either account servicing payment service providers (ASPSPs) or third party payment providers (TPPs) for breach of the Payment Services Regulations 2017/SCA RTS before March 2020. However, it will keep things under review and may shorten the period if 'sufficient progress' is made.
The FCA's communication suggests that the moratorium on enforcement action is on the basis of ASPSPs allowing continued screen scraping during the adjustment period, even where TPPs do not have an eIDAS certificate or cannot satisfy the customer authentication requirements.
This may require further modification of the customer interface by ASPSPs for the duration of the adjustment period in order to accommodate non-eIDAS certificates and provide workarounds for authentication. The FCA has stated that ASPSPs whose interfaces were ready by 14 June 2019 can, however, use those interfaces and will not necessarily have to continue to allow screen-scraping.
For a comprehensive and interactive look at all European and UK legal provisions relating to PSD2, together with latest news and insight from the Hogan Lovells Team, take a look at our PSD2 Toolkit.
Authored by Jonathan Chertkow, Emily Reid, Roger Tym, Julie Patient and Virginia Montgomery