Revised Payment Services Directive (PSD2) Update


Financial Conduct Authority


Regulatory Technical Standards on Strong Customer Authentication (SCA-RTS)

On 14 September, the Regulatory Technical Standards on Strong Customer Authentication (SCA-RTS) came into force.

These rules are set in the SCA-RTS and the Payment Services Regulations 2017 (PSRs 2017). We have also published guidance on our website.

The new rules require all banks and other account servicing firms to share customer data, with the customer's consent, with regulated ‘third party providers’. This is a significant step for the future of open banking.

In June, the European Banking Authority published an Opinion on SCA, where they accepted that the FCA and other National Competent Authorities may give some firms extra time to implement SCA. We provided a response to the EBA, which can be found here.

The SCA-RTS also introduces new anti-fraud standards (known as strong customer authentication or SCA). These are intended to enhance security and limit fraud. Unless an exemption applies, SCA is required when a payer:

  • Initiates an electronic payment transaction
  • Accesses their payment account online
  • Carries out any action remotely that may imply a risk of payment fraud

We expect firms to have developed SCA solutions that work for all groups of customers. This means that you may need to provide several different methods of authentication for your customers. This includes methods that do not rely on mobile phones, to cater for customers who will not have or are unable to use a mobile phone. If your customers do not have these options in place, we expect you to discuss this with us as a priority.

We also expect firms to implement SCA in a way that minimises disruption to, and ensures good outcomes for, consumers. As a result, we have agreed to give firms extra time to implement the requirements in the following areas:

  • SCA for e-commerce – 18-month industry plan to implement SCA for online shopping.
  • SCA for online banking – 6-month adjustment period to implement SCA for online banking.

During this time, we still expect firms to take appropriate steps to manage their fraud risks.

If firms have any questions, they should speak to their trade association and UK Finance (for e-commerce only) to get more information on the agreed implementation plans.

New reports and notifications are now available. Click on the Reporting requirements and Notifications under PSD2 links to see the list of reports and notifications available.

E-money firms should note that their versions of REP018 and REP020 are available.

More information on our approach to SCA can be found here.