On 28 January 2021, the FCA published a consultation (CP21/3) on the proposed changes to its onshored Technical Standards on Strong Customer Authentication and Common and Secure Methods of Communication (SCA-RTS) and its Payment Services and Electronic Money Approach Document (Approach Document). The stated objective of the FCA’s review is removing barriers to the adoption of open banking and supporting innovation and competition in the payments and e-money sector. As such, the FCA’s proposals are expected to be broadly welcomed by the industry, albeit with varying support and impact across the payments ecosystem participants depending on their type and business models.
Several aspects of the current rules, based on the EBA’s SCA-RTS, have long been criticised for being marred by compromises which have led to excessive friction in payments and customer journeys. The FCA’s proposed ‘fixes’ to those rules, if adopted, will mark a significant departure from the EU regulatory standards set out in the EBA’s SCA-RTS. So is the FCA getting the balance right?
90-day re-authentication exemption
Currently, a payment service provider (PSP) is allowed not to apply SCA when the customer accesses their payment account information online, provided that SCA is performed when the customer accesses (including via a TPP) such account information for the first time and at least every 90 days thereafter.
TPPs have long complained about the damage caused to their services by the 90-day re-authentication requirement. The FCA notes that the 90-day re-authentication requirement has turned out to be burdensome, creating friction in user experience and hindering the uptake of open banking services. In practice, this means that the customer’s use of a TPP service is often continuously interrupted by the need to re-authenticate with each of their linked account providers at different times, in order to gain access to up-to-date account data via the TPP.
The FCA’s proposals aim to alleviate these issues. The FCA proposes that:
Changes to requirements for access interfaces
Currently, ASPSPs are required to establish interfaces through which TPPs can access customer accounts, with an option to enable access via: (a) a dedicated interface (typically, using APIs); or (b) a modified customer interface (MCI) (typically, via their existing online banking platform).
The FCA notes that access via MCIs has proven challenging for TPPs, as they do not have the technology or, even if they do, they have to make considerable adjustments to their systems to access each account provider’s MCIs. On the other hand, dedicated interface APIs are typically built to the same standard and are more secure (only including information which account providers are required to share).
The FCA proposes that ASPSPs will be required to establish dedicated interfaces (i.e. will no longer have an option to offer access via an MCI) for the following types of accounts:
‘Payment accounts’ falling within PAR encompass accounts which have all of the following functionality: placement of funds, withdrawal of cash and execution and receipt of payments to and from third parties, including credit transfers. The range of accounts subject to mandated use of dedicated interfaces will therefore be narrower than the ‘payment accounts’, which are subject to the TPP access requirements generally (i.e. ‘payment accounts’ falling within The Payment Services Regulations 2017). However, SME accounts and credit card accounts are also captured by the mandated dedicated interface requirement. Accounts offered by small payment institutions, small electronic money institutions and overseas firms operating under the temporary permissions regime (TPR) or supervised run-off regime (SRO) will, however, be exempt from the new requirements.
There will be significant costs associated with the affected firms moving to the use of mandated dedicated interfaces. If the FCA’s proposed changes are adopted, firms will be given 18 months from the date the new rules are published to implement the requirement. However, the FCA has not yet provided an indicative timeline for publication of the new rules.
The FCA’s apparent aim is to impose a mandated dedicated interface requirement only on ‘certain payment accounts where there is a reasonable prospect of TPP demand’.
The FCA’s proposals do not go as far as to re-define the scope of accounts subject to TPP access more generally. Anecdotally, there are account providers (such as limited use consumer or corporate card accounts) who have incurred significant time and cost implementing their TPP access interfaces with no demand for access to such accounts from TPPs. It remains to be seen if the FCA’s proposed changes will re-ignite the discussion on the scope of accounts which ought to be subject to TPP access requirements.
Interface technical specifications and testing facilities
Currently, ASPSPs must make a testing facility for their access interfaces available and provide interface technical specifications 6 months before new products and services are launched.
The FCA notes that this requirement was necessary to implement TPP access requirements in a live environment when PSD2 came into force. Since then, this requirement has acted as a barrier for account providers leading to delays or in some cases cancellations of launches of new products and services.
The FCA now proposes that such interface technical specifications and testing facility will have to be made available to TPPs no later than the launch of a product or service.
Currently, those ASPSPs who have chosen to allow access via a dedicated interface must adapt their existing consumer interface (known as a fallback interface) for TPP use in case the dedicated interface becomes unavailable. ASPSPs can request an exemption from having to set up a fallback interface if they have had a fully functioning dedicated interface for 3 months before their application for exemption.
The FCA proposes that the requirement for setting up a fallback interface will now apply 6 months after the launch date of the interface. This will allow firms time to develop the fallback interface or request an exemption.
Fallback interface exemption for overseas firms
Overseas firms operating in the UK within the temporary permissions regime (TPR) or supervised run-off (SRO) regime are, subject to some exceptions, required to comply with the UK requirements applicable to UK firms (including the SCA-RTS). Some of those firms would have obtained an exemption from a requirement to set up a fallback interface from their home state regulator. However, since the end of the post-Brexit transition period (31 December 2020), such home state exemption has become ineffective in the UK and an exemption from the FCA is required.
The FCA proposes to deem ASPSPs within the TPR or SRO, who were, at 11pm on 31 December 2020, exempt from setting up the fallback interface by their home state authority, as having also been exempted by the FCA. This means that firms, whilst operating under the relevant temporary regime, will not have to seek an exemption from setting up a fallback interface from the FCA. They will, however, have to do so (if they want to rely on this exemption) when they apply to become authorised in the UK. The FCA cautions that it may, however, exercise its supervisory powers over the overseas firm within the TPR or SRO if it identifies issues with the firm’s dedicated interface.
Further to the FCA’s proposals, the single and cumulative contactless payment exemption limits have increased from £45 to £100 and from £130 to £300 respectively. These changes came into force on 3 March 2021 and the FCA provided feedback on the responses received in its Policy Statement (PS21/2).
The respondents were generally supportive of the increased limits; however, some raised concerns that the change could result in an increase in fraud and associated crime. Whilst the raised thresholds enable the industry to raise the contactless limits in line with changing consumer behaviour and merchant expectations, the FCA notes that it would be up to each firm to decide whether and how much to raise limits in practice based on its fraud controls and monitoring.
Changes to the Approach Document on SCA
The FCA has also proposed changes to its guidance to UK firms on its expectations for compliance with requirements for SCA in the Approach Document, for the most part aligning with the clarifications and opinions published by the EBA such as its Q&A responses:
(i) static card data displayed on the card, such as card verification number (CVV) and payment account number (PAN), does not constitute a valid knowledge or possession factor; and
(ii) behaviour biometrics can constitute an inherence factor and that inherence ‘relates to physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these’, and includes keystroke dynamics but excludes other individual properties, such as spending patterns.
The FCA’s consultation closed on 30 April 2021, following which the FCA will publish finalised SCA RTS and Approach Document.