The UK’s Financial Conduct Authority (FCA) has agreed to postpone the September deadline for implementing EU online anti-fraud measures known as Strong Customer Authentication (SCA).
SCA is due to come into force across Europe on September 14, but the UK financial regulator announced an 18-month postponement this week.
Industry leaders welcomed the move. Yet it remains unclear whether regulators in other EU member states will follow suit, meaning cross-border transactions could still be affected.
More: Comment: Strong Customer Authentication
Special Report: Does strong customer authentication threaten ‘cliff edge’ for ecommerce?
New online rules risk ‘massive loss of business’
SCA aims to cut online-payment fraud by requiring secondary authentication of all transactions worth £30 (€30) and over.
It marks the final phase of EU Payment Services Directive 2 (PSD2) and means card issuers could decline transactions without authentication.
Bank and financial service trade associations have warned the EC and the European Banking Authority (EBA) of a widespread lack of preparedness.
Research by trade body UK Finance suggested consumers may fail to complete up to 30% of online transactions and banks have warned of “massive loss of revenue”.
The EBA acknowledged concerns about the deadline in June and ruled that national agencies may “allow limited additional time . . . [on] condition payment service providers have a migration plan”.
However, it insisted: “Sufficient time has been available for the industry to prepare for the application date of SCA.”
The FCA had previously said it would not take immediate enforcement action from September 14. But on August 13 it announced it had “agreed an 18-month plan to implement SCA with card issuers, payments firms and online retailers”.
FCA executive director for retail and authorisations supervision Jonathan Davidson said: “While these [SCA] measures will reduce fraud, we want to make sure they won’t cause material disruption.”
However, firms would still need to take steps to comply, he said, adding: “The FCA expects all firms to have made the necessary changes to apply SCA” in 18 months.
The UKhospitality association welcomed the delay. Chief executive Kate Nicholls said: “The decision to implement a phased roll-out is extremely helpful. It’s clear the whole payments system needs more time.
“This announcement gives us the breathing-room to ensure we do not hit a payments cliff-edge.”
Nicholls added: “It also provides an opportunity to look at the specific issues faced by hotels, including bookings from overseas and the complex payment environment for hotels.”
The British Retail Consortium (BRC) also welcomed the move.
BRC payments policy advisor Andrew Cregan said: “The decision avoids a payments cliff-edge where 25%-30% of ecommerce transactions would have been at risk of failing after September 14.
“The phased implementation should allow retailers and banks time to put in place the necessary technical fixes and minimise disruption.”
However, concerns remain about what other EU regulators will do.
Amadeus head of merchant services Jean-Christophe Lacour told Travel Weekly last month: “It’s not clear all [EU] regulators take the same view.”
More: Comment: Strong Customer Authentication
Special Report: Does strong customer authentication threaten ‘cliff edge’ for ecommerce?