The UK’s Financial Conduct Authority (FCA) has confirmed an 18-month delay to the introduction of Strong Customer Authentication (SCA) rules – one of the most important pieces of legislation affecting the financial and retail sectors – in a bid to give firms more time to prepare.
In our increasingly digitalised world and with the explosion in cybercrime, identity theft and fraud, online payments must look to set a standard that meets the expectations of the consumer.
According to data published by the FCA, reports of cyber incidents at financial services firms increased 1,000 per cent in 2018, and this figure is only expected to rise with the growth in mobile payments.
As part of the Second European Payment Services Directive (PSD2), the SCA requirement stipulates stronger payment security standards for higher value transactions based on multifactor authentication, increasing the security of electronic payments.
Responding to the announcement, Andrew Cregan, Payments Policy Advisor at the British Retail Consortium, welcomed the plan, saying: “The decision by the FCA avoids a payments cliff-edge, whereby 25-30% of e-commerce transactions made online after 14th September would have been at risk of failing as a result of the new laws. The 18 month, phased implementation of Strong Customer Authentication should allow retailers and banks time to put in place the necessary technical fixes required, and minimise any disruption in online transactions.
He continues: “The BRC supports the implementation of Strong Customer Authentication, which will strengthen the protections that customers have in their digital purchases. We are working closely with our members on this issue, however it is vital that the FCA keeps up the pressure on banks and payment service providers to deliver solutions in time to avoid another cliff-edge in 18 months for retailers and other businesses on the front line.”
However, not everyone is so welcoming. Despite fraud losses on UK-issued cards increasing 19% to £671.4 million last year, the FCA has bowed to pressure applied by the financial services community in extending the deadline. Jason Tooley, Chief Revenue Officer at Veridium, highlights the unacceptable length of the delay and the misalignment of expectations when consumers are entitled to enhanced, secure digital experiences.
In response, more and more organisations are turning to mobile and biometric-based authentication to help support the required regulatory compliance.
Tooley comments: “It is disappointing to see such resistance from the financial services sector towards integrating Strong Customer Authentication into its services. Financial institutions and payment service providers have had nearly two years to prepare since the initial announcement, and there is no valid excuse for the delay in its enforcement apart from an unwillingness to participate. It would be interesting to understand the prioritisation of PSD2 Strong Customer Authentication as I’m aware that a number of financial services organisations viewed this as a business differentiator.”
Tooley says: “Whilst it is true that consumers will see minor changes to their day-to-day spending, the additional layer of security on higher value payments will enable consumers to benefit from safer and more innovative electronic payment services. The impact on consumers must not be overlooked by the lengthy delay in enforcement; Strong Customer Authentication will mean consumers are more confident when buying online – not act as a deterrent to sales as some have incorrectly suggested.”
Tooley continues: “There are technologies in the market which have the potential to alleviate the challenges posed by the regulation. True multifactor authentication solutions can facilitate financial services institutions enhancing consumer confidence and creating a secure experience whilst ensuring the customer has a frictionless user journey. Basing the digital authentication process on combining the customer’s own technology with an open biometric approach and true step-up intelligence, will allow financial institutions to meet the regulatory requirements sooner rather than later.”
Michal Kissos Hertzog, CEO of digital bank Pepper, adds: “With the delay of the ‘strong customer authentication’ regulation, many in the online payments and ecommerce sectors in the UK may be breathing a huge sigh of relief today. Yet there must be a realisation that online payments are changing all the time, and due to this, the value proposition and user experience must evolve constantly too, especially around ensuring it is safe and secure.”
Kissos adds: “The UK is now home to an on-demand economy where anything can be purchased at the click of a button, and while new regulations like the SCA can seem like a significant burden, I believe they can conversely act as an enabler. Today’s delay should really serve as a wakeup call. Instead of updating systems to be ready for the SCA by adopting better, faster and more agile technology, some have taken the ‘out of sight out of mind’ approach. However, implementing a digital core is crucial, as it enables any company to adapt, at speed, to consumer needs and changing regulations in an effective way.”