News

FCA relaxes authentication rules for payment transactions as contactless limit increases

Friday 3 April 2020 12:44 CET | News

The Financial Conduct Authority has updated its guidance on strong customer authentication to provide firms with more flexibility for not only contactless payments but also ecommerce and online banking, according to Linklaters.

Following the outbreak of Covid-19, UK Finance announced that plans to increase the limit for contactless card payments from GBP 30 to GBP 45 have been brought forward. Since 1 April 2020 retailers have started to accept contactless payments up to the new limit, although it will take time for the change to be rolled out across the UK.

A potential problem is that EU-wide security rules require payment service providers to apply strong customer authentication in certain scenarios to minimise fraud. For example, firms must apply SCA after:

  • the cumulative amount of transaction values has exceeded EUR 150, or
  • five contactless transactions in a row.

Having to authenticate yourself this regularly could slow down payment transactions and disincentivise some customers from using contactless at a time when health advice is to minimise contact and time spent in supermarkets, pharmacies, etc.

Therefore, the FCA has decided to offer some leeway for firms. In an update to its SCA webpage, the FCA has said that it is very unlikely to take enforcement action against firms if they choose not to apply SCA in the above scenarios.

However, to benefit from this regulatory forbearance, the FCA says that firms must mitigate the risk of unauthorised transactions and fraud.

SCA rules have applied since September 2019. However, a grace period was granted for SCA in relation to e-commerce card transactions until 31 March 2021 in the UK (and 31 December 2020 for the rest of the EU). This grace period is subject to firms meeting several milestones to demonstrate that they are moving towards full SCA compliance in the next year.

In its latest guidance, the FCA has suggested that some milestones may need to be moved as a result of Covid-19.

Banks and other payment account providers in the UK were also previously given a grace period, allowing them until March 2020 to apply SCA to online banking. Covid-19 may have delayed some firms’ preparations for this revised deadline. The

FCA has suggested it will consider some regulatory forbearance on a case-by-case basis. Again, this is likely to be subject to firms effectively mitigating the risk of fraud.

What happens next?

The European Banking Authority – which is responsible for overseeing the implementation of SCA across the EU – has issued a statement to say that the extended deadline for full SCA compliance remains unchanged for now, but that the EBA will continue to monitor events.

UK payment service providers looking to take advantage of the latest guidance from the FCA should ensure that they have appropriate alternative systems in place to monitor fraud. Firms can also expect further engagement from the FCA in relation to their SCA readiness which may feed into changes to milestone timelines.

More: Link


Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: FCA, authentication, payments, contactless, strong customer authentication
Categories: Banking & Fintech | Payments General
Countries: United Kingdom
This article is part of category

Banking & Fintech