October 17, 2019

Open Banking: new regime for Secure Customer Authentication (SCA)

In the turbulent Brexit environment, businesses have been deluged with challenges and for many of them the SCA has entirely dropped off the radar.

In the face of such widespread ignorance of the new system, the regulatory authorities are temporarily allowing some leeway but retail and payment businesses need to act urgently to bring themselves into compliance.

What is the SCA?

The SCA is the requirement, under the Payment Services Directive 2 (PSD2), for authenticating online payments. The object is to reduce fraud and make online payments more secure.

If an online shopper spends more than about £28 (€30 under the EU directive), payment providers would be required, in the absence of an exemption, to ask for an extra form of verification. This might take the form of:

  1. something the shopper knows i.e. a PIN or password;
  2. something the shopper has such as a smartphone; or
  3. something the shopper is i.e. biometric facial features or a fingerprint.

There are a number of exemptions to SCA for specific types of low-risk payments. Payment providers would need to request these exemptions from the cardholder’s bank when processing the payment. The cardholder’s bank will then receive the request, assess the risk level of the transaction, and ultimately decide whether to approve the exemption or whether authentication is still necessary.

Businesses need to build additional authentication processes into their systems so that shoppers must complete them before completing any online payment. This will be a significant burden for many businesses.

Breathing space from the FCA

The FCA is delaying the enforcement of the SCA in certain cases, and this provides breathing space for businesses to bring themselves into compliance.

On 13 August 2019, the FCA announced that it had agreed an 18-month plan to implement SCA with representatives of the e-commerce industry of card issuers, payments firms and online retailers.

The FCA stated that it “will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan”.

The phased roll-out plan seeks to ensure that businesses are fully compliant by 14 March 2021.

What should businesses be doing now?

It is important to note that the FCA announcement does not change the fact that the SCA came into effect on 14 September 2019.

Businesses can only benefit from the effective grace period permitted by the FCA where they can provide evidence that they are taking steps to comply with the SCA.

If this is not the case, businesses may face enforcement action, which can potentially include a fine.

If not prepared for properly, SCA could come at a heavy cost for businesses big and small. After March 2021, non-compliant transactions will simply be declined by the cardholder’s bank. This, coupled with the additional friction caused by consumers’ having to doubly authenticate transactions, means there could be a significant negative impact on conversion.

Even where a business has already taken some steps, it cannot sit back until 2021. Firms must use the interim period to ensure that they have the necessary systems in place to guarantee full compliance before the expiry of the grace period. Businesses need to be able to demonstrate to the FCA that they have prepared a suitable action plan to ensure compliance. The FCA will monitor the extent to which businesses are meeting the SCA requirements.

UK Finance, the industry trade body, welcomed the FCA's breathing space announcement and provides guidance to businesses on the actions they should take, which can be found on their website.

Benefits of the SCA regime

Although the SCA and PSD2 give rise to inevitable compliance costs, in the long run they may be positive for the industry.

They should help to protect customers and drive competition and innovation across the sector. Businesses can use this opportunity to review their processes to maximise their customers’ overall shopping experience.

As the physical retailers continue to suffer, the digital operators will be well-placed for further growth if customers can be assured of the safety of online payments and confident that they will not fall victim to cybercrime.

The UK is a leader in the sector and there are huge opportunities from which businesses can benefit. The sector has attracted significant investment from overseas investors and earlier this year UK payments processor Worldpay changed hands under a $43 billion takeover by a US rival.

Despite the economic and political uncertainty in the UK, the UK payments and fintech sector is thriving and the enhanced authentication systems should serve to strengthen their business model and deepen consumer confidence. This will increase the attraction of online shopping at the expense of the High Street.
