The UK’s Financial Conduct Authority (FCA) will delay the planned introduction of mandatory two-factor authentication for higher-value electronic payments by another six months amidst the major disruption being caused by the COVID-19 pandemic. The deadline for compliance is now 14 September 2021.
The FCA first delayed the measure in August last year, as a “plan for a phased implementation” which “gives the payments and e-commerce industry extra time to implement Strong Customer Authentication (SCA).”
The rules, which were originally due to come into place in September, officially fall under the Secure Customer Authentication (SCA) section of the Second Payment Services Directive (PSD2), which came into force in January 2018. The European Banking Authority (EBA) only issued clarity on the technical standards required in June 2018 however.
It will eventually mean a customer will need to authenticate any online purchases of £28 (€30) or more, most likely by entering a passcode sent to their mobile phone or via a biometric check. The intention is to combat online fraud, which rose by 19 percent to £671.4 million on UK-issued cards last year, according to UK Finance.
The FCA had been coming under mounting industry pressure to delay the rules, with the EBA asserting that more time would be needed to implement SCA, with fears of disruption and loss of faith in the system from consumers if the rollout was in any way problematic.
Jonathan Davidson, executive director for supervision of retail and authorisations at the FCA, said in a statement: “The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster. While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction’.
Commenting on the news, Jason Tooley, chief revenue officer at customer authentication specialist Veridium, said: “Financial institutions and payment service providers have had nearly two years to prepare since the initial announcement, and there is no valid excuse for the delay in its enforcement apart from an unwillingness to participate.”