Act now: get SCA compliant by 14 March

Financial Conduct Authority

The Strong Customer Authentication (SCA) online banking adjustment period is ending on 14 March 2020.  

Account service payment service providers (ASPSPs) and third-party providers (TPPs) must have systems compliant with the Payment System Regulations 2017 (PSRs 2017) and the regulatory technical standards on SCA (SCA-RTS) in place by the end of the adjustment period. After 14 March 2020, failure to comply with the requirements for SCA and identification will be subject to full FCA supervisory and enforcement action as appropriate. 

Below we’ve explained the requirements on ASPSPs and TPPs from 14 March 2020.

ASPSPs

From 14 March 2020, all ASPSPs must: 

  • have in place a PSD2-compliant way to provide TPPs with access to account data and payment functionality in line with Article 31 of the SCA-RTS. This is either through: 
    • a dedicated interface, typically based on application programming interface (API) standards. They should also have a contingency mechanism in place, unless they have received an exemption from the FCA before 14 March 2020; or
    • a modified customer interface (MCI).
  • ensure they comply with all relevant requirements under the SCA-RTS, including Article 30 for all interfaces and Articles 32 and 33 for those that develop dedicated interfaces. Those requirements include an obligation to ensure that their interfaces enable TPPs to identify themselves using an eIDAS certificate.

ASPSPs can also enable TPPs to voluntarily use a certificate obtained from a provider of an API programme, such as the Open Banking Implementation Entity, so long as that provider only issues certificates to TPPs that have enrolled on the API programme with an eIDAS certificate. The provider of the API programme should continue checking, on behalf of the ASPSP, the status of the TPP’s eIDAS certificate with the Qualified Trust Service Provider (QTSP). 

Please see the ‘Strong Customer Authentication’ page on our website for more information.

TPPs

From 14 March 2020, all TPPs (firms providing account information services and/or payment information services) must:

  • have eIDAS certificates.

TPPs can voluntarily use a certificate obtained from a provider of an API programme, so long as they have used an eIDAS certificate to enrol on the API programme. The provider of the API programme should continue checking, on behalf of the ASPSP, the status of the TPP’s eIDAS certificate with the QTSP.

Please see the ‘Strong Customer Authentication’ page on our website for more information.