FCA relaxes authentication rules for payment transactions as contactless limit increases
As concerns about COVID-19 spread, there has been an increased demand for socially distanced payments. First the UK payments industry increased the limit for contactless payments. Now the Financial Conduct Authority has updated its guidance on strong customer authentication to provide firms with more flexibility for not only contactless payments but also e-commerce and online banking.
Authenticating contactless payments
Increase in contactless limit
Following the outbreak of Covid-19, UK Finance announced that plans to increase the limit for contactless card payments from £30 to £45 have been brought forward. Since 1 April 2020 retailers have started to accept contactless payments up to the new limit, although it will take time for the change to be rolled out across the UK.
A potential problem is that EU-wide security rules require payment service providers to apply strong customer authentication in certain scenarios to minimise fraud. For example, firms must apply SCA after:
- the cumulative amount of transaction values has exceeded EUR 150, or
- five contactless transactions in a row.
Having to authenticate yourself this regularly could slow down payment transactions and disincentivise some customers from using contactless at a time when health advice is to minimise contact and time spent in supermarkets, pharmacies, etc.
Therefore, the FCA has decided to offer some leeway for firms. In an update to its SCA webpage, the FCA has said that it is very unlikely to take enforcement action against firms if they choose not to apply SCA in the above scenarios.
However, to benefit from this regulatory forbearance, the FCA says that firms must mitigate the risk of unauthorised transactions and fraud.
Authenticating online transactions
SCA rules have applied since September 2019. However, a grace period was granted for SCA in relation to e-commerce card transactions until 31 March 2021 in the UK (and 31 December 2020 for the rest of the EU). This grace period is subject to firms meeting several milestones to demonstrate that they are moving towards full SCA compliance in the next year.
In its latest guidance, the FCA has suggested that some milestones may need to be moved as a result of Covid-19.
Authenticating online banking
Banks and other payment account providers in the UK were also previously given a grace period, allowing them until March 2020 to apply SCA to online banking. Covid-19 may have delayed some firms’ preparations for this revised deadline. The FCA has suggested it will consider some regulatory forbearance on a case-by-case basis. Again, this is likely to be subject to firms effectively mitigating the risk of fraud.
Listen to our podcast on the response to Covid-19
For more on the regulatory response to Covid-19, listen to our latest monthly payments podcast which is available on our payments webpage and via Apple Podcasts and Spotify.
What happens next?
The European Banking Authority – which is responsible for overseeing the implementation of SCA across the EU – has issued a statement to say that the extended deadline for full SCA compliance remains unchanged for now, but that the EBA will continue to monitor events.
UK payment service providers looking to take advantage of the latest guidance from the FCA should ensure that they have appropriate alternative systems in place to monitor fraud. Firms can also expect further engagement from the FCA in relation to their SCA readiness which may feed into changes to milestone timelines.