Dear CEO | Release Date: 20th August 2019
Short Summary
From 14 September 2019, the Payment Services Regulations 2017 mandate that all payment services providers (PSPs) apply Strong Customer Authentication (SCA) for electronic payment transactions initiated by users. This directive is aimed at boosting the security of payments and curbing the risks of fraud, particularly in card-not-present (CNP) e-commerce transactions.
Recognising industry concerns regarding the readiness to implement these SCA requirements fully by the stipulated deadline, the European Banking Authority (EBA) has allowed the Financial Conduct Authority (FCA) and other national authorities some flexibility to provide firms additional time for compliance. Consequently, the FCA has endorsed an industry-coordinated plan facilitated by UK Finance to implement SCA for CNP e-commerce transactions efficiently. This plan, detailed at UK Finance’s website, aims for full implementation by 14 March 2021.
The FCA has clarified that while the legal deadline for SCA compliance remains 14 September 2019, it will not take enforcement action against firms for non-compliance specifically in the area of CNP e-commerce transactions until after 14 March 2021, provided these firms are actively working towards meeting the requirements as per the coordinated industry plan.
Firms are urged to engage with their trade associations and UK Finance to align with the broader industry effort and ensure they are on track with the agreed implementation plan. Additionally, firms must continue managing fraud risks effectively and maintain transparency with consumers to mitigate potential disruptions in payment processes.
Key Take-Aways and Actions:
Firms should collaborate with the industry to meet the SCA requirements by the March 2021 extended deadline and ensure measures are in place to accommodate all consumers, including the vulnerable and those without digital access. Compliance with this directive is crucial to avoid enforcement actions post-March 2021 and to support the overarching goal of securing electronic payment environments.