What's Next for the SCA and TPP Access Rules?

May 4, 2021

On 28 January 2021, the FCA published a consultation (CP21/3) on the proposed changes to its onshored Technical Standards on Strong Customer Authentication and Common and Secure Methods of Communication (SCA-RTS) and its Payment Services and Electronic Money Approach Document (Approach Document). The stated objective of the FCA’s review is removing barriers to the adoption of open banking and supporting innovation and competition in the payments and e-money sector. As such, the FCA’s proposals are expected to be broadly welcomed by the industry, albeit with varying support and impact across the payments ecosystem participants depending on their type and business models.

Several aspects of the current rules, based on the EBA’s SCA-RTS, have long been criticised for being marred by compromises which have led to excessive friction in payments and customer journeys. The FCA’s proposed ‘fixes’ to those rules, if adopted, will mark a significant departure from the EU regulatory standards set out in the EBA’s SCA-RTS. So is the FCA getting the balance right?

90-day re-authentication exemption

Currently, a payment service provider (PSP) is allowed not to apply SCA when the customer accesses their payment account information online, provided that SCA is performed when the customer accesses (including via a TPP) such account information for the first time and at least every 90 days thereafter.

TPPs have long complained about the damage caused to their services by the 90-day re-authentication requirement. The FCA notes that the 90-day re-authentication requirement has turned out to be burdensome, creating friction in the user experience and hindering the uptake of open banking services. In practice, this means that the customer’s use of a TPP service is often repeatedly interrupted by the need to re-authenticate with each of their linked account providers at different times in order to gain access to up-to-date account data via the TPP.

The FCA’s proposals aim to alleviate these issues. The FCA proposes that:

  • an account servicing payment service provider (ASPSP) is allowed not to apply SCA when account information is accessed via an account information service provider (AISP), provided that SCA was applied at least once before when the AISP accessed such information (e.g. when the customer first connected their account to the AISP service);
  • where the customer accesses their account information directly with their ASPSP, the 90-day re-authentication requirement still applies;
  • where an AISP accesses accounts without a specific request from the user, it will have to reconfirm the customer’s explicit consent every 90 days.
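The difference between the current rule and the proposal is easiest to see as decision logic. The following is an added illustration written for this page, not code from the FCA or from any ASPSP; the `AccessContext` model, the function names and the three-account scenario are all constructed. Two points are assumptions rather than statements of the rules: the exemption is treated as lapsing once a full 90 days have elapsed, and the 90-day consent-reconfirmation clock is taken to start at the last reconfirmation (or the last SCA if there has been none). The `count_sca_prompts` simulation shows why the current rule produces prompts "at different times": each linked account runs its own 90-day clock.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# Re-authentication window from the rule described above.
NINETY_DAYS = timedelta(days=90)


@dataclass
class AccessContext:
    """One account-information access attempt as seen by the ASPSP (hypothetical model)."""
    via_aisp: bool                 # True: access through an AISP; False: customer in online banking
    last_sca: Optional[date]       # when SCA was last applied on this access path (None = never)
    now: date
    user_requested: bool = True    # False for background refreshes the user did not specifically ask for
    last_consent_confirmation: Optional[date] = None  # AISP's latest reconfirmation of explicit consent


def sca_required_current(ctx: AccessContext) -> bool:
    """Current rule: SCA on first access and at least every 90 days, whichever path is used.
    Assumption: the exemption lapses once a full 90 days have elapsed."""
    if ctx.last_sca is None:
        return True
    return ctx.now - ctx.last_sca >= NINETY_DAYS


def sca_required_proposed(ctx: AccessContext) -> bool:
    """Proposed rule: direct access keeps the 90-day clock; access via an AISP needs SCA
    only if SCA has never been applied on that path (e.g. when the account was first linked)."""
    if not ctx.via_aisp:
        return sca_required_current(ctx)
    return ctx.last_sca is None


def consent_reconfirmation_due(ctx: AccessContext) -> bool:
    """Proposed rule: an AISP accessing without a specific user request must reconfirm the
    customer's explicit consent every 90 days. Assumption: the clock starts at the last
    reconfirmation, or at the last SCA if consent has not been reconfirmed yet."""
    if not ctx.via_aisp or ctx.user_requested:
        return False
    anchor = ctx.last_consent_confirmation or ctx.last_sca
    if anchor is None:
        return True
    return ctx.now - anchor >= NINETY_DAYS


def count_sca_prompts(link_dates: List[date], horizon_days: int,
                      rule: Callable[[AccessContext], bool]) -> int:
    """Count the SCA prompts a customer sees when an AISP refreshes every linked account daily
    for `horizon_days`, starting from the earliest link date. Each account keeps its own
    clock, so under the current rule the prompts arrive at different times."""
    start = min(link_dates)
    last_sca: Dict[int, date] = {}
    prompts = 0
    for offset in range(horizon_days):
        today = start + timedelta(days=offset)
        for idx, linked in enumerate(link_dates):
            if today < linked:
                continue  # account not linked yet
            ctx = AccessContext(via_aisp=True, last_sca=last_sca.get(idx),
                                now=today, user_requested=False)
            if rule(ctx):
                last_sca[idx] = today
                prompts += 1
    return prompts


# Constructed scenario: three accounts linked to one AISP on different dates.
LINK_DATES = [date(2021, 1, 1), date(2021, 1, 20), date(2021, 2, 10)]

if __name__ == "__main__":
    for name, rule in (("current", sca_required_current), ("proposed", sca_required_proposed)):
        print(f"{name}: {count_sca_prompts(LINK_DATES, 365, rule)} SCA prompts over a year")
```

Over a year of daily refreshes the constructed customer is prompted 13 times under the current rule (five times for the first account, four each for the other two) and 3 times under the proposal, once per account at linking; direct online-banking access keeps the 90-day clock in both cases.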

Changes to requirements for access interfaces

Currently, ASPSPs are required to establish interfaces through which TPPs can access customer accounts, with an option to enable access via: (a) a dedicated interface (typically, using APIs); or (b) a modified customer interface (MCI) (typically, via their existing online banking platform).

The FCA notes that access via MCIs has proven challenging for TPPs, as they do not have the technology or, even if they do, they have to make considerable adjustments to their systems to access each account provider’s MCIs. On the other hand, dedicated interface APIs are typically built to the same standard and are more secure (only including information which account providers are required to share).

The FCA proposes that ASPSPs will be required to establish dedicated interfaces (i.e. will no longer have an option to offer access via an MCI) for the following types of accounts:

  • consumer ‘payment accounts’ falling within The Payment Accounts Regulations 2015 (PAR);
  • SME ‘payment accounts’ falling within PAR (if they were held by a consumer); and
  • consumer and SME credit card accounts.

‘Payment accounts’ falling within PAR encompass accounts which have all of the following functionality: placement of funds, withdrawal of cash and execution and receipt of payments to and from third parties, including credit transfers. The range of accounts subject to mandated use of dedicated interfaces will therefore be narrower than the ‘payment accounts’, which are subject to the TPP access requirements generally (i.e. ‘payment accounts’ falling within The Payment Services Regulations 2017). However, SME accounts and credit card accounts are also captured by the mandated dedicated interface requirement. Accounts offered by small payment institutions, small electronic money institutions and overseas firms operating under the temporary permissions regime (TPR) or supervised run-off regime (SRO) will, however, be exempt from the new requirements.

There will be significant costs associated with the affected firms moving to the use of mandated dedicated interfaces. If the FCA’s proposed changes are adopted, firms will be given 18 months from the date the new rules are published to implement the requirement. However, the FCA has not yet provided an indicative timeline for publication of the new rules.

The FCA’s apparent aim is to impose a mandated dedicated interface requirement only on ‘certain payment accounts where there is a reasonable prospect of TPP demand’.

The FCA’s proposals do not go as far as to re-define the scope of accounts subject to TPP access more generally. Anecdotally, there are account providers (for example, providers of limited-use consumer or corporate card accounts) who have incurred significant time and cost implementing their TPP access interfaces with no demand from TPPs for access to such accounts. It remains to be seen if the FCA’s proposed changes will re-ignite the discussion on the scope of accounts which ought to be subject to TPP access requirements.

Interface technical specifications and testing facilities

Currently, ASPSPs must make a testing facility for their access interfaces available and provide interface technical specifications 6 months before new products and services are launched.

The FCA notes that this requirement was necessary to implement TPP access requirements in a live environment when PSD2 came into force. Since then, this requirement has acted as a barrier for account providers, leading to delays or in some cases cancellations of launches of new products and services.

The FCA now proposes that such interface technical specifications and testing facility will have to be made available to TPPs no later than the launch of a product or service.

Currently, those ASPSPs who have chosen to allow access via a dedicated interface must adapt their existing consumer interface (known as the fallback interface) for TPP use in case the dedicated interface becomes unavailable. ASPSPs can request an exemption from having to set up a fallback interface if they have had a fully functioning dedicated interface for 3 months before their application for exemption.

The FCA proposes that the requirement for setting up a fallback interface will now apply 6 months after the launch date of the interface. This will allow firms time to develop the fallback interface or request an exemption.

Fallback interface exemption for overseas firms

Overseas firms operating in the UK within the temporary permissions regime (TPR) or supervised run-off (SRO) regime are, subject to some exceptions, required to comply with the UK requirements applicable to UK firms (including the SCA-RTS). Some of those firms would have obtained an exemption from a requirement to set up a fallback interface from their home state regulator. However, since the end of the post-Brexit transition period (31 December 2020), such home state exemption has become ineffective in the UK and an exemption from the FCA is required.

The FCA proposes to deem ASPSPs within the TPR or SRO, who were, at 11pm on 31 December 2020, exempt from setting up the fallback interface by their home state authority, as having also been exempted by the FCA. This means that firms, whilst operating under the relevant temporary regime, will not have to seek an exemption from setting up a fallback interface from the FCA. They will, however, have to do so (if they want to rely on this exemption) when they apply to become authorised in the UK. The FCA cautions that it may, however, exercise its supervisory powers over the overseas firm within the TPR or SRO if it identifies issues with the firm’s dedicated interface.

Contactless payments

Further to the FCA’s proposals, the single and cumulative contactless payment exemption limits have increased from £45 to £100 and from £130 to £300 respectively. These changes came into force on 3 March 2021 and the FCA provided feedback on the responses received in its Policy Statement (PS21/2).

The respondents were generally supportive of the increased limits; however, some raised concerns that the change could result in an increase in fraud and associated crime. Whilst the raised thresholds enable the industry to raise the contactless limits in line with changing consumer behaviour and merchant expectations, the FCA notes that it would be up to each firm to decide whether and by how much to raise limits in practice, based on its fraud controls and monitoring.

Changes to the Approach Document on SCA

The FCA has also proposed changes to its guidance to UK firms on its expectations for compliance with requirements for SCA in the Approach Document, for the most part aligning with the clarifications and opinions published by the EBA such as its Q&A responses:

  • Dynamic linking. For electronic remote payment transactions, the customer’s authentication of a payment instruction must be linked to a specific payee and a specific amount. This requirement is problematic where the final amount is not known in advance, for example with online grocery shopping where products are unavailable or substituted. As per the FCA’s current guidance, SCA should be reapplied following the point of sale if the final amount is higher than the price the customer originally authenticated. The FCA now proposes that the payer’s PSP (card issuer) will no longer have to re-apply SCA where the final amount is up to 20% higher than originally authorised. In practice, issuers will likely have to spend time and cost to implement a solution that allows them to recognise that the final amount is 20% or more higher than the originally authenticated amount and, where this is the case, to request SCA from the customer again.
  • Liability for fraudulent or unauthorised transactions. The FCA clarifies that the payee’s PSP (e.g. acquirer) should be liable where it triggers an exemption and the transaction is carried out without applying SCA. This means that, other than where the payer has acted fraudulently, the payer’s PSP (e.g. issuer) would refund the customer and would then be entitled to be reimbursed by the payee’s PSP.
  • SCA elements. The FCA clarifies that: (i) static card data displayed on the card, such as the card verification number (CVV) and payment account number (PAN), does not constitute a valid knowledge or possession factor; and (ii) behavioural biometrics can constitute an inherence factor, and that inherence ‘relates to physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these’, and includes keystroke dynamics but excludes other individual properties, such as spending patterns.
  • Transaction risk analysis (TRA) exemption calculation. The FCA clarifies that the calculation of the fraud rate for the TRA exemption should only include fraudulent transactions for which the PSP is solely liable. This excludes fraudulent transactions where another PSP was liable or those outside the scope of the SCA, such as merchant-initiated transactions. This requirement is different from fraud reporting under REP017.
  • Corporate exemption. The FCA clarifies that the corporate exemption is applicable to all cards, whether physical or virtual, where used in a secure corporate payment process.
  • Authentication code. The FCA confirms that authentication elements the customer uses at the time they access their payment account online (including via a mobile) may be re-used if they then initiate a payment within the same online session, meaning that only one additional authentication element would be required to initiate the payment.
  • Merchant-initiated transactions. The FCA confirms that such transactions (where a payer has given a mandate to the payee for a transaction, or series of transactions, made through a card or other payment instrument) are outside the scope of SCA. This would cover, for example, continuous payment authorities such as subscription payments for a streaming service.
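Two of the clarifications above translate into issuer-side logic: the dynamic-linking tolerance (re-apply SCA only when the final amount overshoots the authenticated amount by more than 20%) and the TRA fraud-rate calculation (count only fraud for which the PSP is solely liable and which is in scope of SCA, so excluding acquirer-liable and merchant-initiated transactions). The block below is an added illustration of both, written for this page; it is not FCA, EBA or any issuer's code. The `RemoteTransaction` model and the sample quarter are constructed, and two points are assumptions: a final amount of exactly 20% more is treated as within tolerance (the consultation text quoted above says ‘up to 20%’), and the rate's denominator is taken to be the total value of all remote transactions in the period, which the page does not spell out.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, Tuple


def sca_reapply_needed(authenticated: Decimal, final: Decimal,
                       tolerance: Decimal = Decimal("0.20")) -> bool:
    """Dynamic linking under the proposal: the issuer re-applies SCA only when the final
    amount exceeds the authenticated amount by more than `tolerance` (20% in the consultation).
    Assumption: a final amount of exactly 20% more is treated as within tolerance."""
    if final <= authenticated:
        return False  # lower or equal: the original authentication still covers it
    return final > authenticated * (1 + tolerance)


@dataclass
class RemoteTransaction:
    """Hypothetical record of one remote card transaction."""
    amount: Decimal
    fraudulent: bool
    sca_in_scope: bool     # False for merchant-initiated transactions (outside SCA)
    liable_psp: str        # the PSP that bears the loss, e.g. "issuer" or "acquirer"


def fraud_rate_pct(transactions: Iterable[RemoteTransaction], this_psp: str,
                   tra_basis: bool) -> Decimal:
    """Fraud rate as a percentage of total transaction value.
    tra_basis=True applies the FCA clarification: count only fraud for which `this_psp`
    is solely liable and which is in scope of SCA. tra_basis=False counts all fraud, to
    show the effect of the exclusions. Assumption: the denominator is the total value of
    all remote transactions in the period."""
    txs = list(transactions)
    total = sum((t.amount for t in txs), Decimal(0))
    if tra_basis:
        fraud = sum((t.amount for t in txs
                     if t.fraudulent and t.sca_in_scope and t.liable_psp == this_psp),
                    Decimal(0))
    else:
        fraud = sum((t.amount for t in txs if t.fraudulent), Decimal(0))
    return fraud / total * 100


# Constructed quarter for an issuer: one fraud it is solely liable for, one run under an
# acquirer-triggered exemption (acquirer liable), one merchant-initiated (outside SCA).
SAMPLE = [
    RemoteTransaction(Decimal("50"), True, True, "issuer"),
    RemoteTransaction(Decimal("120"), True, True, "acquirer"),
    RemoteTransaction(Decimal("80"), True, False, "issuer"),
    RemoteTransaction(Decimal("49750"), False, True, "issuer"),
    RemoteTransaction(Decimal("50000"), False, True, "issuer"),
]


def sample_rates() -> Tuple[Decimal, Decimal]:
    """(all-fraud rate, TRA-basis rate) for the constructed quarter, in percent."""
    return (fraud_rate_pct(SAMPLE, "issuer", tra_basis=False),
            fraud_rate_pct(SAMPLE, "issuer", tra_basis=True))


if __name__ == "__main__":
    all_fraud, tra = sample_rates()
    print(f"all fraud: {all_fraud}%  TRA basis: {tra}%")
    print("re-apply SCA for 50 -> 60:", sca_reapply_needed(Decimal("50"), Decimal("60")))
    print("re-apply SCA for 50 -> 60.01:", sca_reapply_needed(Decimal("50"), Decimal("60.01")))
```

On the constructed quarter the all-fraud figure is 0.25% of value but only 0.05% on the TRA basis, which is the practical point of the clarification: the two exclusions change which exemption threshold an issuer can claim, so the rate used for TRA must be computed separately from other fraud reporting. `Decimal` is used throughout because monetary tolerance checks on binary floats produce off-by-a-penny boundary results.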

Next Steps

The FCA’s consultation closed on 30 April 2021, following which the FCA will publish the finalised SCA-RTS and Approach Document.