Dear CEO | Release Date: 20th August 2019
Long Summary
The Financial Conduct Authority (FCA) has mandated all payment service providers (PSPs) to implement Strong Customer Authentication (SCA) effective from 14 September 2019, as per the Payment Services Regulations 2017 (PSRs). This requirement aims to significantly enhance the security of payments and mitigate the risk of fraud, particularly in card-not-present (CNP) transactions common in e-commerce settings.
Context and Rationale for SCA Implementation
SCA is a critical component in the broader strategy to secure electronic payment environments against fraudulent activities. By requiring multi-factor authentication, it ensures that electronic payments are performed with a higher degree of security, thus protecting both consumers and merchants.
Industry Preparedness and Transitional Flexibility
Acknowledging the challenges related to industry readiness for the immediate application of SCA requirements across e-commerce platforms, the European Banking Authority (EBA) has permitted national authorities like the FCA to allow additional time for firms to comply. This approach is designed to minimise potential disruption to consumers and merchants by facilitating a more gradual implementation process.
The Managed Rollout Plan by UK Finance
In response to the FCA’s directive, UK Finance orchestrated an industry-wide plan to manage the rollout of SCA for CNP e-commerce transactions effectively. The detailed plan, which aims for full compliance by 14 March 2021, reflects a collaborative effort to ensure a seamless transition. The plan and its progress can be tracked through resources available on the UK Finance website.
FCA’s Stance on Enforcement and Compliance Timeline
While the statutory deadline of 14 September 2019 remains unchanged, the FCA has adopted a flexible enforcement approach. It has stated that it will not take enforcement action against firms for non-compliance with SCA requirements until 14 March 2021, provided that they demonstrate commitment and adherence to the managed rollout plan coordinated by UK Finance.
Who is Affected?
The FCA’s leniency on enforcement primarily benefits firms involved in CNP e-commerce transactions. This decision is contingent on these firms taking the necessary measures set out in the UK Finance plan to fully implement SCA by the March 2021 deadline. After this date, standard FCA supervisory and enforcement protocols will resume, ensuring full compliance.
Guidance for Firms
Firms are urged to engage with their respective trade associations and UK Finance to align with the industry-wide implementation strategy. They should continue to manage their fraud risks diligently and communicate transparently with consumers about the forthcoming changes to minimise any potential disruptions during the transition period.
Inclusion and Accessibility Considerations
The FCA underscores the importance of ensuring that the implementation of SCA does not adversely affect vulnerable groups or those with limited digital access. Firms are expected to develop authentication processes that are inclusive and accessible to all consumers, including those without access to mobile technology, thus ensuring equitable compliance across all customer segments.
Monitoring Compliance and Industry Collaboration
The FCA, in collaboration with UK Finance and other stakeholders, will actively monitor the industry’s compliance with the agreed milestones within the managed rollout plan. Regular meetings and forums are scheduled to ensure that the industry remains on track to meet the March 2021 deadline for full compliance.
Conclusion and Next Steps
Firms must review and adapt their current practices and systems to align with the FCA’s guidelines on SCA, ensuring they are fully prepared for the regulatory requirements by the stipulated deadline. They should also participate actively in industry discussions and workshops offered by the FCA and UK Finance to stay informed and compliant.
Key Takeaways and Actions
Strict Adherence to the Managed Rollout Plan: Firms must closely monitor their progress in line with the UK Finance coordinated plan and prepare for full SCA compliance by 14 March 2021.
Active Engagement: Maintain ongoing engagement with trade associations and UK Finance for continuous guidance and updates on the SCA implementation.
Transparency and Fraud Risk Management: Continue robust management of fraud risks and maintain clear communications with consumers to minimise potential disruptions.
Ensure Inclusive Authentication Methods: Implement authentication methods that cater to all user groups, providing alternatives for consumers without mobile access.
Collaborative Efforts: Work collectively with all stakeholders, including those not directly regulated by the FCA, to ensure a unified approach to the implementation of SCA.
Preparation for Full Compliance: Prepare systems and processes for strict adherence to SCA requirements after 14 March 2021, recognising that the leniency period is temporary and conditional.
This comprehensive guidance is designed to ensure that senior management within financial institutions can effectively navigate the complexities associated with transitioning to full compliance with SCA requirements, thereby enhancing the security of e-commerce transactions while minimising disruptions.