Showing posts with label two factor authentication. Show all posts

Wednesday, 6 May 2020

FCA Delays SCA... Again

The UK's Financial Conduct Authority has again delayed its deadline for enforcing the implementation of 'strong customer authentication' in e-commerce transactions, until 14 September 2021. 

The FCA had already turned a blind eye to the threshold for applying SCA to contactless card transactions, in light of the role that contactless cards play in social distancing.

The FCA still expects firms to follow the industry implementation plan agreed with UK Finance, though that can now be extended to the new deadline.

Monday, 6 April 2020

FCA Turns Blind Eye To SCA For Contactless Card Payments

The introduction of 'strong customer authentication' (SCA) - also known as 'two-factor authentication' or 'multi-factor authentication' - for remote and electronic payment transactions has had a chequered history. Payment service providers (PSPs) should have been challenging customers for extra authentication details from 14 September 2019. But lack of industry preparation led the FCA (in line with the European Banking Authority and other EU national regulators) to state that it would not enforce the requirement until 14 March 2021, so long as PSPs were following an agreed industry plan to introduce the checks. In light of the COVID-19 crisis, the FCA has now added:
"...we are very unlikely to take enforcement action if a firm does not apply strong customer authentication when the cumulative amount of transaction values has exceeded EUR 150 or five contactless transactions in a row. But this is only as long as the firm sufficiently mitigates the risk of unauthorised transactions and fraud, by having the necessary fraud monitoring tools and systems in place and taking swift action where appropriate."
Further time may also be allowed for introducing SCA for e-commerce payments generally, beyond 14 March 2021.

Meanwhile, the date for applying the regulatory technical standards on secure communication between PSPs was also deferred from 14 September 2019 to 14 March 2020, yet some PSPs have still not complied. The FCA is also letting them off the hook where they are "facing further delays due to coronavirus":
"...we will consider on a case-by-case basis the appropriate further measures. In doing so, we will in particular consider:
  • firms’ security around authentication to access their online banking and when making payments;
  • their controls and processes to reduce fraud;
  • whether that impact is likely to be exacerbated given the current circumstances."
 

Wednesday, 14 August 2019

UK Delays Anti-fraud Measures For Banking And Payments

It seems payments legislators wrote checks the industry couldn't cash... The UK's Financial Conduct Authority has announced a delayed 'migration plan' for phasing in compliance with the Strong Customer Authentication requirements, by March 2020 for internet banking and March 2021 for e-commerce transactions, instead of from 14 September 2019. The FCA made a separate announcement for consumers.

Update: The FCA has also written to the CEOs of the payment service providers it supervises, commending the plan from the trade body UK Finance for meeting the deferred timeline. This will see SCA phased in from February 2020 for merchants who are ready, with support from the card schemes in driving adoption of the 3D Secure protocol (3DS 2.1/2.2) from March/September 2020.

This follows the guidance issued in June by the European Banking Authority that EU national regulators could agree specific migration plans (although I'm not sure the EBA expected industry-wide delays!).

The FCA says that it will not take enforcement action against payment service providers if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. 

At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA. 

It will be interesting to see how much progress is really made in the next 6 to 18 months...


Monday, 24 June 2019

EBA Gives Some Leeway On SCA

There has been increasing concern that the e-commerce world won't be ready for the introduction of "strong customer authentication" (or two-factor authentication) for electronic and remote payments on 14 September 2019. The checks apply to electronic and remote payments, which include payments online as well as via mobile devices, kiosks or other machines. It is feared that many aren't aware of the new checks, or of the potential for the checks to lead to failed or abandoned transactions, causing a hit to retailers' and payment service providers' revenues. The European Banking Authority now says local financial regulators may provide limited additional time to payment service providers to introduce compliant processes "on an exceptional basis and in order to avoid unintended negative consequences for some payment service users" on that date.

Specifically, the PSPs must have agreed a migration plan with their regulator and execute it "in an expedited manner." The regulator should monitor the execution of the plans "to ensure swift compliance..." 

The opinion also contains tables listing the types of features that will (or, in marginal cases, will not) constitute compliant elements for the purpose of SCA (two of "inherence", "possession" or "knowledge" - i.e. what the customer is, what the customer possesses, or what the customer knows).

There is also guidance on how to satisfy the additional requirements for "dynamic linking" (ensuring that the SCA elements bind the transaction to a specific amount and the specified payee at the point the transaction is initiated, so that a code approved for one payment cannot be reused for another) and for the SCA elements to be independent of each other (compromise of one element must not compromise the other).
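To make the dynamic-linking requirement concrete, here is an added example (my own illustration, not code from the EBA opinion or any PSP): an authentication code computed as an HMAC over the amount, currency, payee and a per-transaction nonce, so that the code the customer approves is only valid for exactly that payment. The device key, the field layout, the nonce and the sample IBANs are all assumptions for the demonstration; a real possession element would be a provisioned phone or token, and the user-facing code would typically be a truncated one-time value shown next to the amount and payee.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """The transaction details the customer is shown and approves (hypothetical layout)."""
    amount_cents: int   # minor units, so no float rounding creeps into the canonical form
    currency: str
    payee: str          # e.g. an IBAN or merchant identifier (sample values below)
    nonce: str          # per-transaction freshness so an old code cannot be replayed


def canonical_bytes(tx: Transaction) -> bytes:
    """Length-prefixed encoding of the fields bound by dynamic linking.

    Length prefixes, rather than a separator character, mean a payee string
    containing the separator cannot shift field boundaries and collide with
    a different (amount, payee) pair.
    """
    out = b""
    for part in (str(tx.amount_cents), tx.currency, tx.payee, tx.nonce):
        raw = part.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def authentication_code(device_key: bytes, tx: Transaction) -> str:
    """Authentication code tied to the specific amount and payee.

    device_key stands in for the secret held by the customer's possession
    element (an enrolled phone or token; assumed here). Because the code is an
    HMAC over the canonical transaction, a code generated for one amount/payee
    is useless for any other, which is what dynamic linking requires.
    """
    return hmac.new(device_key, canonical_bytes(tx), hashlib.sha256).hexdigest()


def verify(device_key: bytes, tx: Transaction, code: str) -> bool:
    """Issuer-side check, recomputed over the transaction actually being executed.

    The issuer must recompute over the amount and payee it is about to execute,
    not over values supplied alongside the code; otherwise a tampered
    transaction would verify against the untampered code.
    """
    expected = authentication_code(device_key, tx)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Constructed walk-through: approve one payment, then try to reuse its code."""
    key = secrets.token_bytes(32)  # assumed to be provisioned to the device at enrolment
    approved = Transaction(2500, "EUR", "GB29NWBK60161331926819", secrets.token_hex(8))
    code = authentication_code(key, approved)

    # A man-in-the-browser bumps the amount after the customer approved it...
    bigger = Transaction(250_000, approved.currency, approved.payee, approved.nonce)
    # ...or redirects the payment to a mule account...
    redirected = Transaction(approved.amount_cents, approved.currency,
                             "GB94BARC10201530093459", approved.nonce)
    # ...or replays the same details as a fresh transaction.
    replayed = Transaction(approved.amount_cents, approved.currency,
                           approved.payee, secrets.token_hex(8))

    return {
        "genuine": verify(key, approved, code),
        "amount_changed": verify(key, bigger, code),
        "payee_changed": verify(key, redirected, code),
        "replayed": verify(key, replayed, code),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} -> {'accepted' if ok else 'rejected'}")
```

Only the genuine transaction is accepted; changing the amount, the payee or the nonce invalidates the code. The independence requirement is not shown here: it is about the knowledge element (a PIN or password) and the possession element (the device holding the key) being separate, so that a phished password does not also yield the key.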

The EBA issued an earlier opinion and a Q&A on how all this applies, but it remains to be seen how many retailers are aware of the new requirements at all, let alone the potential impact on customer experience and 'conversion' (customers dropping out at the payment step when asked to complete one or more additional authentication steps).

Whether payments are affected depends on whether PSD2 applies - some may be out of scope based on currency or location, while others may be within the scope of PSD2 but excluded. There is then a question whether the transaction is interpreted to be one caught by the SCA requirement. Is it remote or electronic and initiated by the payer (rather than being a 'merchant initiated transaction')? Even transactions that are in scope may not be caught if the issuer (not the merchant or acquirer) of the payment instrument/account applies any of the potential exemptions:
    Low-value transactions: up to €30 per transaction (limit of five separate transactions or €100);
    Recurring transactions: e.g. subscriptions for the same amount and payee (SCA applied to the first transaction);
    Whitelisted: payers can add payees to a whitelist of trusted beneficiaries with the issuer, but payees can't request this;
    Corporate payment processes: dedicated process for non-consumers, approved by the regulator (member states may exclude micro-enterprises as consumers);
    Contactless: up to €50 (limit of five separate transactions or €150 without an SCA check);
    Unattended terminals: only for paying transport fares or parking fees;
    Low risk of fraud: as determined by the issuer, depending on its average fraud levels for the relevant acquirer (not by merchant/channel), with different limits for cards and credit transfers.
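The low-value and contactless exemptions are not a simple per-transaction check: the issuer has to keep, per payer, a running total and a count of consecutive exempt transactions since SCA was last applied, and reset both when SCA is applied. As an added illustration (my own code, not the EBA's or any issuer's), the model below applies the €30/€100 and €50/€150 thresholds listed above with a five-transaction cap; the €150/five-transactions contactless figures are the same ones quoted in the FCA's April 2020 statement. Which reading of the thresholds to use (whether the current transaction counts towards the cumulative amount, and whether "five" means five exempt transactions before SCA is forced) is assumed here and flagged in the comments.

```python
from dataclasses import dataclass

# Thresholds as listed in the post, in cents to avoid float arithmetic.
LOW_VALUE_PER_TX = 30_00
LOW_VALUE_CUMULATIVE = 100_00
CONTACTLESS_PER_TX = 50_00
CONTACTLESS_CUMULATIVE = 150_00
MAX_CONSECUTIVE_EXEMPT = 5


@dataclass
class Channel:
    """Per-payer counters since the last SCA on one channel (remote or contactless)."""
    per_tx_cap: int
    cumulative_cap: int
    total_since_sca: int = 0
    count_since_sca: int = 0

    def exemption_applies(self, amount: int) -> bool:
        # Reading assumed here: the current transaction counts towards the
        # cumulative amount, and a sixth consecutive exempt transaction is refused.
        if amount > self.per_tx_cap:
            return False
        if self.count_since_sca >= MAX_CONSECUTIVE_EXEMPT:
            return False
        if self.total_since_sca + amount > self.cumulative_cap:
            return False
        return True

    def authorise(self, amount: int) -> str:
        """Return 'exempt' or 'sca' for this payment and update the counters."""
        if self.exemption_applies(amount):
            self.total_since_sca += amount
            self.count_since_sca += 1
            return "exempt"
        # SCA is challenged and assumed to succeed, which resets the counters.
        # A failed challenge should leave them untouched (not modelled here).
        self.total_since_sca = 0
        self.count_since_sca = 0
        return "sca"


def new_channel(contactless: bool) -> Channel:
    if contactless:
        return Channel(CONTACTLESS_PER_TX, CONTACTLESS_CUMULATIVE)
    return Channel(LOW_VALUE_PER_TX, LOW_VALUE_CUMULATIVE)


def simulate(amounts, contactless: bool) -> list:
    """Run a constructed sequence of payments for one payer through one channel."""
    channel = new_channel(contactless)
    return [channel.authorise(a) for a in amounts]


if __name__ == "__main__":
    # Six remote payments of EUR 25: the fifth breaches the EUR 100 running total.
    print(simulate([2500] * 6, contactless=False))
    # Seven contactless taps of EUR 5: the sixth trips the five-transaction cap.
    print(simulate([500] * 7, contactless=True))
```

The counters have to live with the issuer, be durable across sessions and devices, and be kept separately per channel; the post's point that the exemption is the issuer's call (not the merchant's or acquirer's) is exactly why a merchant cannot know in advance whether a given €25 basket will be challenged.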
The FCA will apply the SCA standards in the UK even if Brexit occurs.