UK Finance sets out strong customer authentication implementation plan for e-commerce payments

In April, the UK’s Financial Conduct Authority extended again the deadline for the implementation of strong customer authentication in respect of e-commerce payments. UK Finance, which is leading the migration to SCA in the UK, has now published an implementation plan to ensure the market is ready this time. Whilst the FCA’s deadline is set for September 2021, the plan contemplates that all participants will be compliant and ready for testing by next May.

SCA requirements for the e-commerce industry

EU payments regulations require payment service providers to ensure strong customer authentication is carried out for certain types of payment transactions. For remote electronic payments, as well as requiring at least two independent types of authentication data from the payer, SCA requires the transaction to be “dynamically linked” to a specific amount and a specific payee. 

Implementing these requirements in the e-commerce industry has proved time-consuming and challenging, not least because it requires all participants in the payment chain – including e-merchants, gateways, acquirers and issuers – to have the relevant systems in place. Disruption caused by the pandemic has also not helped matters. 

Extensions of deadlines

Last October, the European Banking Authority extended the SCA deadline for e-commerce payments to December 2020. However, it has refused to respond to industry requests to go further.

The FCA, on the other hand, announced in April that it was pushing the deadline back to September 2021 as a result of the Covid-19 crisis, having already previously extended it to March 2021. It stressed, however, the need for the industry to have in place a detailed implementation plan for meeting this new deadline.

UK Finance implementation plan

UK Finance has been coordinating the development of such a plan, which it has now published. The plan provides for a phased implementation, with the intention of minimising disruption to consumers:

  • Phase 1 – Development (2020): The aim during this phase is to ensure all parties, and in particular e-merchants, have adopted certain security protocols, such as 3DSecure (a protocol designed for online card-based payments).
  • Phase 2 – Market Readiness (1 Jan – 31 May 2021): E-merchants and issuers are expected to complete implementation during this phase. 
  • Phase 3 – Full Ramp-up (1 Jun – 13 Sep 2021): This will be a period of testing and transition during which issuers will start checking randomly if e-commerce transactions are SCA compliant and “soft declining” those that are not. 

The FCA has said that after 14 September 2021 firms that fail to comply will be subject to “full FCA supervisory and enforcement action”.

Relaxations in relation to contactless payments and online banking

Aside from e-commerce, firms are already obliged to be fully compliant with SCA requirements. However, the FCA has indicated that it is currently taking a more relaxed approach to enforcement in respect of contactless payments and online banking, in light of current circumstances.