FCA adapts its approach to SCA requirements
Published on 8th Apr 2020
While reiterating the importance of strong customer authentication in tackling a rising risk of fraud, the FCA is taking a constructive approach in light of the challenges posed by the coronavirus.
Criminals are exploiting the Covid-19 pandemic to scam people in a variety of ways and, according to the National Crime Agency, this is only likely to increase. The Financial Conduct Authority (FCA) has been quick to warn about schemes aimed at individuals, such as financial data "phishing" attempts, or bank payment frauds, and expects firms during these difficult times to protect consumers from risk. This is highlighted in the regulator's Business Plan 2020/21.
The FCA says that payment and retail banking firms must continue to monitor their fraud rates and take swift action if they see those rates rising or new patterns of fraud emerging. A key tool to combat fraud is the use of strong customer authentication (SCA). However, the challenges thrown up by Covid-19 are leaving many firms struggling to adopt SCA. In this Insight, we look at the FCA's expectations and the changes it has made to assist firms with SCA implementation.
In our previous Insight, we discussed the increase in the contactless upper limit from £30 to £45 in an attempt to tackle the spread of Covid-19. With issuers now ready to receive higher transactions and infrastructure changes also well advanced, reports indicate that the rollout is going well for retailers that are making the change at this stage (primarily supermarkets, convenience stores and home improvement stores).
In further support of this, the FCA has relaxed its approach to SCA for contactless payments, confirming that it is "unlikely to take enforcement action if a firm does not apply strong customer authentication when the cumulative amount of transaction values has exceeded EUR 150 or five contactless transactions in a row". This means that step-ups to PIN should be less frequent, even with the higher contactless limit.
However, this is subject to a strict proviso – the firm must sufficiently mitigate the risk of unauthorised transactions and fraud by having the necessary fraud monitoring tools and systems in place, and must take swift action where appropriate.
Under the FCA / UK Finance 'managed roll-out', the e-commerce industry has until 14 March 2021 to fully implement SCA, with certain milestones that need to be met ahead of that date. The FCA has confirmed that it will work closely with the industry to agree any changes to the milestones and timelines that may be needed as a result of the impact of Covid-19.
Many firms are struggling to meet the SCA requirements for online banking as a result of Covid-19. These requirements have applied since 14 September 2019 (with an adjustment period until 14 March 2020). Where firms are facing further delay, the FCA has stated that it will consider on a case-by-case basis what appropriate further measures are required, taking into account:
- firms' security around authentication to access their online banking and when making payments;
- firms' controls and processes to reduce fraud; and
- whether that impact is likely to be exacerbated given the current circumstances.
Firms should stay abreast of any further announcements relating to the FCA's approach to SCA as the regulator keeps the situation under review.