SCA Adjustment Period and 18 month phased SCA implementation, confirmed by the FCA

  • United Kingdom
  • Payment systems and digital commerce


1. Open Banking – ASPSPs 6 Month Adjustment Period (SCA/SS+)

On 9 August 2019, the FCA expressed their concerns that there could be serious disruption to the continuity of third party providers (“TPPs”) services to customers in respect of the Payment Services Regulations 2017 (“PSRs 2017”) and the regulatory technical standards on strong customer authentication (“SCA-RTS”) if the original deadline of 14 September 2019 in relation to the stopping of screen-scraping and the introduction of access to either a dedicated interface (“API”) or a modified customer interface (“MCI”) was adhered to. This is because:

  • some TPPs’ migration of customers to Account Servicing Payment Service Providers’ (“ASPSPs”) APIs is not yet complete;
  • some ASPSPs have not yet made APIs available for all payment accounts;
  • ongoing access to customers’ payment account data for Account Information Service Providers (“AISPs”) via other means, including access via a MCI, will be prevented by strong customer authentication (“SCA”); and
  • some TPPs have not yet obtained eIDAS certificates.

6-month adjustment period

The FCA confirmed that they will not enforce any requirements in the PSRs 2017 and the SCA-RTS that an ASPSP would breach as a result of facilitating TPP access via screen-scraping.

The FCA further confirmed that following this 6-month adjustment period all ASPSPs should ensure they have an interface, either a MCI or API, that is compliant with all the requirements, including SCA, under the PSRs 2017 and the SCA-RTS. By this time all TPPs should have migrated their customers.

The FCA also confirmed that during this adjustment period:

• ASPSPs who do not have APIs available and in use for all payment accounts by 14 June should maintain existing screen-scraping channels without SCA.

Our view

We interpret this to mean that ASPSPs with APIs in place since 14 June will not be required to offer screen-scraping as a method of access post-14 September but those ASPSPs without APIs since 14 June should. In our view, however, it is not clear from the FCA communication whether the FCA will consider the API as live from 14 June where all payment accounts were available but other features of the API were not available (e.g. App to App redirection). We would, therefore, suggest clarifying this with the regulator.

• TPPs to remain transparent about their identity when interacting with ASPSPs.

Our view

In practice, traditional screen-scraping relies on customers sharing credentials with TPPs so ASPSPs may be unable to identify a secure session with a TPP (unless identification from the IP address is possible). We would suggest that firms seek clarity from the FCA on what TPPs are expected to do in order to be open about their identity (i.e. do TPPs need to actively tell the ASPSP or should they only be open if queried). In addition, if identification is not possible and screen-scraping must be allowed without SCA, this raises questions over how an ASPSP will know when it is okay to require SCA during the adjustment period.

• Where a TPP does not have an eIDAS certificate, ASPSPs would enable the use of equivalent certificates as long as they enable secure identification.

Our view

The FCA has not been clear on what the equivalent certificates are (although we would assume the OBIE certification process is what it has in mind). In the context of ASPSPs, we interpret this to mean that ASPSPs are not required to use eIDAS certificates to identify TPPs from 14 September for a period of 6 months. Instead, ASPSPs could choose to either use: (i) eIDAS; or (ii) equivalent certification means (e.g. OBIE’s certification regime). It would be interesting to see what impact this has on any exemption application processes (if firms have been unsuccessful) as one of the requirements to obtain an exemption is to ensure that ASPSPs and TPPs can test the ability to exchange eIDAS certificates. However, if most TPPs now rely on equivalent means, this is unlikely to happen in practice during the extended implementation period.

• There will be no FCA enforcement action with regard to a breach of the contingency mechanism during the adjustment period.

Our view

If an ASPSP’s application is unsuccessful, there will be no obligation to offer screen-scraping plus (“SS+”), as a contingency mechanism, from 14 September but the firm will need to offer SS+ at the end of the 6 month adjustment period, if they have not received an exemption.

Additionally, if ASPSPs are unsuccessful in obtaining an exemption, the suggested use of continued screen-scraping could have an impact on the requirement to ensure ‘wide usage’ to obtain an exemption before the end of the adjustment period. If ASPSPs are required to offer screen-scraping in the interim period, this is likely to reduce the number of TPPs who actively use the live API which, in turn, reduces the ASPSP’s ability to meet this requirement.

We note that the FCA has clarified in certain communications that firms should not slow down or de-prioritise their implementation of APIs and, to do so, could impact the outcome of a firm’s exemption request, but screen-scraping may slow down the use of such access interfaces by TPPs.

If ASPSPs are unsuccessful in obtaining an exemption, they may need to reconsider the authentication practices they intend to put in place to access a payment account/initiate a payment from 14 September as the FCA has noted that TPPs should be able to access accounts via screen-scraping without the application of SCA in this scenario. It follows that traditional screen-scraping relies on customers sharing credentials with TPPs so banks are unable to identify a secure session with a third party. We acknowledge that the FCA is encouraging TPPs to be open about their identity during the adjustment period but it is unclear how this will work in practice and how ASPSPs will distinguish between: (i) a TPP accessing customers’ accounts (SCA not allowed); or (ii) a customer accessing their account directly (SCA allowed). We would suggest that further clarification from the FCA is required concerning the specific circumstances in which SCA is permitted from 14 September 2019.

2. FCA agrees plan for a phased 18 month implementation of Strong Customer Authentication.

On 13 August 2019, in line with recommendations from UK Finance and the European Banking Authority, the FCA agreed an 18-month plan to implement SCA. Given the complexity of the SCA requirements, there have been concerns about a lack of readiness and the potential for a significant impact on consumers.

Although the plan itself has not yet been released, the key takeaway from the initial announcement is that firms will not face FCA enforcement action if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA.

Further clarity in a number of areas is still needed. In particular, it is not clear how this fits together with Friday’s announcement around the 6 months’ adjustment period and it won’t be clear until the plan itself is released and the FCA provides further guidance. Seeing as the FCA announcement refers to giving the payments and e-commerce industry more time, we would assume that SCA will still be required in respect of a number of areas where it is mandated under PSD2 (for example, where a payment services user carries out a remote action with a risk of payment fraud or other abuse). However, although the agreed plan may not allow for an 18 month delay in requiring SCA for TPP account information requests and payment initiation, Friday’s announcement seems to allow for/require an additional delay in SCA outside of such plan now that screen-scraping will continue.