mtkang - stock.adobe.com

UK finance regulator gives extra time for companies to meet payment security rules

Financial Conduct Authority gives companies under its watch an extra 18 months to meet an EU payments security standard

The Financial Conduct Authority has given payments and e-commerce firms an extra 18 months to meet the European Union (EU)-wide Strong Customer Authentication (SCA) rules.

SCA, which is due to come into effect next month, is part of the EU’s Payment Services Directive 2 (PSD2). It means that any online payments worth over €30 would require two methods of authentication from the person making the payment, such as a password, biometic authentication such as a fingerprint, or having a phone that can identify them.

The FCA’s decision to extend the deadline comes after the European Banking Authority said more time was needed to implement SCA given the “complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers”.

Jonathan Davidson, executive director for supervision – retail and authorisations at the FCA, said: “The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster. While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves, so we have agreed a phased plan for their timely introduction.”

The FCA said it would not take enforcement action against firms that do not meet the requirements “where there is evidence that they have taken the necessary steps to comply with the plan”. It added that at the end of the 18-month extension, it “expects all firms to have made the necessary changes and undertaken the required testing to apply SCA”.

Jason Tooley, chief revenue officer at authentication software company Veridium, said it was disappointing to see resistance from the financial services sector to integrating SCA. “Financial institutions and payment service providers have had nearly two years to prepare since the initial announcement, and there is no valid excuse for the delay in its enforcement, apart from an unwillingness to participate,” he said. “It would be interesting to understand the prioritisation of PSD2 SCA as I’m aware that a number of financial services organisations viewed this as a business differentiator.

“While it is true that consumers will see minor changes to their day-to-day spending, the additional layer of security on higher-value payments will enable consumers to benefit from safer and more innovative electronic payment services.”

Read more about PSD2 and open banking

Read more on IT for financial services