On Monday, March 14, new strong customer authentication (SCA) rules will apply in the U.K., and merchants that haven’t implemented these new rules risk customer purchases being declined.
SCA is a new set of rules that the Financial Conduct Authority (FCA) adopted in 2019 to help protect consumers from fraud when they are shopping online. The deadline for retailers to fully support SCA has been delayed on a few occasions, and the final deadline is March 14, 2022.
The changes will mean that when customers buy something online, they will be asked to verify their identity, for example, through their banking app or a one-time passcode via text or phone call.
The focus of the implementation has been on 3D Secure, a technology designed to facilitate the authentication of card-not-present (CNP) transactions, according to U.K. Finance, a trade group for the banking and finance industry. But other SCA solutions are also available in the market, such as Apple Pay or Google Pay.
Companies have been preparing for the last two years to implement these rules. Since January 2022, some card issuers have started to decline some noncompliant transactions, but from March 14, all noncompliant transactions will be declined. The FCA expects most merchants to be ready to process SCA-compliant transactions by the deadline.
“We support and welcome the implementation of SCA solutions which protect consumers while minimizing the potential for disruption to customers and merchants,” the FCA said in an announcement.
There are two important exemptions to the SCA to help merchants and limit the risk of consumer disruption: the SCA reauthentication exemption and the contactless exemption.
In November 2021, the FCA adopted a new regulatory technical standard on SCA (RTS-SCA) to remove barriers in the payment sector, particularly for open banking. These rules included a new exemption which, if adopted by account servicing payment service providers (ASPSPs), means that customers will not need to reauthenticate when they access their account information through a third-party provider (TPP). Instead, TPPs will be required to obtain explicit consent from customers at least every 90 days.
However, ASPSPs will have to wait until March 26 to apply for this exemption, as this is the date when the changes to the regulatory technical standards will come into effect. The FCA expects the widespread adoption of this exemption by Sept. 30. However, up until that date, the FCA will not object if TPPs don’t reconfirm customer consent, provided that SCA is applied at least every 90 days during that period. This limits the risk of consumer disruption and ensures that either SCA has been applied or re-consent obtained in any 90-day period.
The second exemption is for contactless payments. According to article 11 of the RTS-SCA, issuers may choose not to apply SCA to contactless point-of-sale transactions where some conditions are met, for instance, that the amount of payment transactions does not exceed certain thresholds.
The new SCA rules, which aim to reduce fraud in payment transactions, come into effect a few days after Pay.UK, the organization that operates most of the payments infrastructure in the U.K., announced a new tool for use in the fight against authorized push payments (APP) fraud. The new “logical data model” serves as a foundation for categorizing relevant customer data that enables both banks involved in processing a payment (the sending bank and receiving bank) to easily identify a fraudulent transaction.
According to Pay.UK, this model has been designed for use in existing payment platforms, but it will also serve as the basis for a long-term approach to how the industry standardizes consumer data.