A legal checklist for businesses to thrive in the SCA grace period 

Richard Buckley, legal counsel at Modulr, warns that despite a delay to SCA enforcement, businesses must act now to get ahead should the FCA come knocking.

While the Financial Conduct Authority (FCA) is partially delaying strong customer authentication (SCA) enforcement, businesses must not become complacent and must use this time wisely to prepare for operational and legal compliance. 

A torrent of trade publications and industry bodies have made clear that the industry is not ready to comply with SCA under PSD2, come September 14, 2019 deadline. The European Banking Authority (EBA) finally addressed this reality when it issued its Opinion in late June accepting the lack of the industry’s preparedness which opened the way to allow the FCA to give more time for firms to implement SCA.  

Lack of SCA readiness is ‘poison in the water’https://t.co/SVcMaKoHcr#SCA #payments #PSD2 #regulation #SCA #security #paytech pic.twitter.com/GDf717Maqb

— PaymentEye (@PaymentEye) June 25, 2019

A Financial Times article recently revealed that there was a fear that SCA would “hamstring online sales” without a delay. While following the EBA’s Opinion, a bobsguide article highlighted the divergence of national competent authorities (NCAs) across Europe and outlined that the payment chain, to which SCA will be applied, is not ready to comply by September 14. 

Elsewhere the Emerging Payments Association (EPA) found that while 75% of issuers would be compliant with SCA by September 14, they would not be operationally ready to implement requirements. According to the same report, issuers expected the number of transactions declined to increase from today’s 3% to between 20 and 30%.  

That’s because 70% of issuers believe SCA will initially lead to a decline in user experience with 58% claiming it would add too much friction.  

Aside from issuer preparation, SCA has caused alarm and concern among merchants with Stripe claiming as much as €57bn could be abandoned at the checkout post-SCA. Likewise, Amazon’s one-click buy, now replicated by other merchants, could see itself made redundant by SCA requirements. As quoted in the EPA’s whitepaper, an additional click increases the rate of abandonment by 15%. 

A grace period 

In June this year, the FCA responded to the EBA’s allowance for national competent authorities (NCAs) to “provide limited additional time” by delaying SCA enforcement by as much as 18 months, as detailed in their press release. 

And though retailers and other industry participants may breathe a sigh of relief at an extension to implement SCA and the subsequent friction into e-commerce, businesses must continue to act to ensure they meet the deadline. 

Industry participants should also be aware that the FCA has said enforcement action will not be taken "in areas covered by the agreed plan". The "agreed" plan is to be agreed between the FCA and the e-commerce industry, but no further information has been provided. There is some clarity still needed as to whether this means certain areas of SCA will still be enforced.

In addition, participants who are relying on the delay to SCA enforcement still need to evidence that they have taken the necessary steps to comply with the agreed plan.  

A legal checklist for businesses to consider for SCA 

Below is a suggested legal checklist that businesses may want to consider when thinking about SCA compliance.

By now, the internet is awash with material on SCA. Very briefly, the principle of the legislation aims to combat the rising sophistication of online fraud – now valued at £310m annually - and better protect consumers by using two of three elements of authentication.  

Those three elements of authentication are inherence (something the user is), knowledge (something the user knows) and possession (something the user has).  Likewise, understanding where your business and partners fit in the legal definitions and frameworks of SCA will prove instrumental in demonstrating compliance.   

Complimentary to the first check, it helps to understand the different exemptions (see chapter three), including threshold, account and payment types or the 90-day rule.  

Exemptions to think about which could be relevant to your business include: contactless point of sale - providing the transaction does not exceed €50; the payer is paying their own account; unattended transport or parking fares; trusted (previously authenticated) beneficiaries and recurring transactions; and when transactional risk analysis is applied, among others. 

A corporate exemption (article 17) is possible for payment service providers who can demonstrate payers are not consumers and where processes or protocols offer at least equivalent levels of security to those provided for by PSRs 2017, although those wishing to rely on the corporate exemption must provide the FCA with relevant information submitted at least 3 months before relying on the exemption.

While ensuring the operational preparation for SCA should already be high on the agenda, it is worth reiterating here. Bring technical, compliance and product stakeholders into the same room so that all can input on impact and work out where overlap and responsibility lies. SCA compliance is not just theoretical. Any compliance plan needs to have the practical implication at the heart of the plan.

Likewise, as with the run up to GDPR, reach out to partners and suppliers to gauge where they are on their SCA compliance journey and ensure all parties are aligned. Where it is a requirement that your partners deliver the SCA compliance, ensure that they are on track and in a worst-case scenario consider exiting the relationship if their approach puts your SCA compliance at risk.  

To ensure all parties are aligned, it is worth revisiting contracts to specify PSD2 and SCA compliance to be clear on liability where non-compliance on behalf of your partner or supplier means a breach of contract. 

It is worth spending some time on how you will be able to evidence compliance with SCA in case the regulator ever asks the question. Can you document your processes and controls, including technical information easily as well as showing that this demonstrates compliance? This will be particularly important if you are seeking on relying on the grace period so that you are able to show you have taken the necessary steps to comply with the plan to achieve compliance.

Want to learn more about SCA at Modulr? Contact us today.

Want more insights like this? Sign up to our newsletter.