The Financial Conduct Authority (FCA), a UK financial regulator, will delay enforcement of EU regulations requiring implementation of the Strong Customer Authentication (SCA) regulations, the organization said in a statement. The decision comes after the European Banking Authority (EBA) decided to grant an 18 month extension to the national adoption requirement. The original implementation deadline is September 14, 2019.
The SCA will require online shoppers to provide additional identity verification when they make a purchase of $30 or more. Acceptable verification methods will include one-time passwords and biometric options such as fingerprints or voice recognition.
Although the new SCA requirements were made known in 2015, the EBA granted an extension due to fears merchants and payment providers are not ready for the switch. Ultimately, the FCA shared these concerns and made the decision to avoid creating payments friction that could have cost retailers substantial revenue loss.
Jonathan Davidson, Executive Director for Supervision – Retail and Authorisations at FCA, said:
‘The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster,” said Jonathan Davidson, FCAs Executive Director for Supervision – Retail and Authorisations in a statement. “While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction.”
In addition to the extension, the EBA released a statement clarifying the responsibilities of the retail ecosystem. Specifically, it emphasized that only non-compliant actors that can prove efforts to move towards compliance will be granted flexibility for delays in adoption.
“[Additional time] is to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA,” the statement said. “This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their NCA, and will execute the plan in an expedited manner.”
The SCA is part of a series of policy and regulatory initiatives by the EU, such as GDPR legislation, implemented with the goal of increasing the security and privacy of online consumers.