UK firms to get more time to prepare for EU security measures for online payments

Reports have suggested around 30% of UK online shopping transactions could fail if planned EU rules for strong customer authentication were enforced from September as planned. The FCA has now decided to allow extra time for the e-commerce industry to roll out the technology needed to apply strong customer authentication. Payment firms and online retailers should align their plans to the new timeframe and monitor how other EU regulators will respond.

Strong customer authentication delayed 

What is strong customer authentication?

Strong customer authentication is intended to increase the security of payments and reduce the risk of fraud. It involves the authentication of electronic payments using multiple factors. At least two out of three of the following elements are needed:

  • knowledge (something only the user knows, like a password)
  • possession (something only the user has, like credit card)
  • inherence (something the user is, like a fingerprint).

The requirements were introduced by the EU’s revised Payment Services Directive (PSD2) and are due to take effect on 14 September 2019.

What has changed?

The payments industry and e-merchants have been gearing up to the September deadline. However, in June the European body overseeing implementation of the rules acknowledged that not all e-merchants were ready for the new standards and suggested that regulators could introduce a grace period before enforcing the rules, and the UK has now taken up the mantle.

What has the FCA announced?

In a statement, the FCA says that it has agreed with the industry an 18-month delay to strong customer authentication. The strict legal deadline in September cannot be changed but the FCA says that it does not intend to enforce the rules during the extension. This gives card issuers, payments firms and online retailers the new deadline of March 2021 to implement their enhanced security processes.

In a separate update on strong customer authentication, the FCA has indicated that the impact of related changes to online banking will also be delayed from 14 September 2019 by six months.

Why is more time needed?

There had been reports that the September deadline would not be met by all participants in the payments chain. This may in part be down to firms trying to implement nascent technology. For example, applying biometrics to authenticate a customer’s identity requires building more sophisticated technology than other types of authentication, such as a password or possession of a credit card, and this may have slowed implementation efforts.

The FCA says that, while strong customer authentication measures will reduce fraud, it has agreed the “phased plan for their timely introduction” in order to avoid “material disruption to consumers”.

What happens next?

The FCA is one of the first to set an extended timetable. Other EU regulators – such as the Central Bank of Ireland and Bank of Italy – have indicated that they will extend the deadline but so far without publicly fixing new delivery dates.

The European Banking Authority said that it would set a long-stop date by which time all national grace periods must end, although it is not clear yet what that will be. At this stage it is also not clear to what extent EU regulators will harmonise their approach, leading to the potential for a piecemeal implementation of strong customer authentication across the EU, at least until the end of any long-stop deadline.