Payment providers operating in the UK are still planning to introduce Strong Customer Authentication (SCA) this year – despite regulators giving them until next March (2022) to comply.
The new rules, which require a two-step verification process for all online purchases, were due to come into force on September 14, but the Financial Conduct Authority has announced a further six month extension to minimise disruption to merchants and consumers.
“The new March 14, 2022, deadline is the latest we expect full SCA compliance for e-commerce transactions,” it said in a statement.
However, Jana Mackintosh, managing director of payments and innovation at industry body UK Finance, said providers expected to be compliant over the coming months.
“Firms will continue to work towards implementing Strong Customer Authentication from June 2021 as planned,” she said.
Mackintosh pointed out that while the enforcement deadline has been pushed back, the industry continues to fight fraud on all fronts.
“It’s investing millions in advanced security systems to protect customers and supporting law enforcement to combat the organised criminal groups responsible for fraud,” she added.
Mark Anderson, multipay product manager at PayPoint, welcomed the FCA’s decision to give the industry some more breathing space as the country emerges from lockdown.
“The FCA’s decision to extend the deadline simply reflects its understanding of the challenges online businesses have faced and gives them more time to employ the strongest customer authentication (SCA) processes for the long-term,” he said.
However, Anderson emphasised that implementing SCA by the new deadline will still be critical for any business accepting card payments.
“While many may not have the resources available to invest in the changes required, by working with a digital payment provider they can quickly and cost-effectively protect their customers and comply with the regulations,” he added.
Anderson also pointed out that existing merchants had reported positive effects of increased security measures and weren’t against the new regulations.
“They have significantly enhanced their control of the authentication process without sacrificing the user experience, making it a win-win for businesses and their customers,” he added.
Other payment providers we contacted this week were less willing to go on the record with reactions to the FCA’s extension.
PayPal declined to comment, while Stripe confirmed it will work to the FCA’s guidelines.
The SCA standards were developed under the second EU Payment Services Directive (PSD2) and came into UK law following Brexit.
The aim was to enhance security and limit fraud by ensuring banks and payment providers know the person requesting access to the account is either the customer or has their consent.
While the new standards took effect in EU law back in September 2019, the European Banking Authority (EBA) granted national authorities permission to relax their approach to enforcement.
The FCA had previously endorsed an industry-led plan to be fully compliant by March 14, this year – along with regular milestones to achieve certain goals. It then moved the deadline back six months to September 14, in response to the coronavirus crisis, saying at the time that this represented “exceptional circumstances” for everyone.
With its latest extension, the FCA once again highlighted the ongoing challenges facing the industry to be ready by this deadline.
“We previously agreed to give firms extra time to implement SCA for card-based e-commerce transactions in response to concerns about industry readiness, and to limit the impact on consumers and merchants,” it stated.
However, the statement also emphasised the importance of embracing the new regulations.
“We welcome the implementation of SCA solutions which protect consumers while minimising the potential for disruption to customers and merchants,” it added. “We still expect firms to continue to take robust action to reduce the risk of fraud.”
Andrew Barber, a payments expert at law firm Pinsent Masons, believes this latest extension shows just how monumental a task it is for merchants to implement SCA for e-commerce transactions.
“Given the sheer scale of e-commerce activities and the complexity of the systems involved, the initial implementation period the EU set for SCA was clearly ambitious and the FCA is now rightly making adjustments to meet the realities of what industry is able to achieve,” he said.
Barber pointed out that the lesson to be learned was for industry and regulators to engage early and fully, while setting achievable timelines.
Rebecca Kimber, chief executive officer of Create.net, a Brighton-based provider of e-commerce websites, believes the extension will be welcomed by traders.
“From our store owners’ perspectives, it’s one less thing to worry about amongst the pandemic and Brexit-related changes like the upcoming EU VAT changes,” she said. “However, it’s a blow to greater security of online payments and the reduction in fraud which affects a lot of small businesses.”