Global menu

Our global pages


SCA and Open Banking - the state of play

  • United Kingdom
  • Financial services and markets regulation
  • Consumer


Europe now finds itself at a crossroads in relation to the implementation of Open Banking and SCA. Regulators realised very late in the day that the payments ecosystem was not going to be ready for the September 14th deadline. If full enforcement had been mandated, untold damage would have been done both to ecommerce and the businesses of numerous payment service providers. Despite having 18 months to finalise solutions since the relevant legislation (RTS on SCA and secure communication (“RTS”)) was put in place, the lack of clarity in that legislation coupled with very late clarifications on what was required by the EBA and other national regulators left the ecosystem with no chance of full compliance.


What has happened so far

- Electronic payments were due to require 2 factor authentication by September 14th.

- The RTS did not provide a lot of detail on how SCA needed to be applied, so that it did not stifle innovation.

- National regulators (including the FCA) provided guidance primarily based on an opinion issued by the EBA in 2018.

- As merchants were not regulated by the new regime, the impact of ecommerce payments was not communicated and/or sufficiently understood leaving merchants unprepared.

-The EBA gradually issued responses to individual questions via its website and finally issued guidance in July 2019 which took a more prescriptive approach to how the requirements of SCA could be met. It also allowed for national regulators to provide for a transitional period whereby SCA requirements would not be enforced.

-Having reviewed the EBA guidance (which was inconsistent with some of the guidance issued by national regulators) many payment service providers became aware that their solutions were non-compliant with the views of the EBA and went back to the drawing board.

What happens now

- Most EEA countries have published their intent not to enforce SCA requirements during transitional periods of differing lengths.

- Retail and financial services industry bodies are working with their members in some jurisdictions to create a tailored plan of how SCA can be rolled out by the end of the relevant transitional periods.

-PSPs are working on alternative ecommerce and online banking SCA factors now that card details cannot be used as a possession factor and one time passcodes cannot be used as knowledge factors. This will change the ecommerce journey which had been expected to apply from September.

-Retailers seek advice and work to ensure that they have implemented technical solutions (such as updated versions of 3DS) to lessen the chances of payments being rejected (in particular in relation to when payments are recorded/classified in certain ways (e.g. MOTO or MITs)) and when SCA needs to be done/repeated for payments in a series or when amounts may change after an initial identification of the customer.

Open Banking

What has happened so far

- Open Banking access requires payment account providers to let third party payment providers request payments and account information from those account providers on behalf of customers. This has led to numerous new PSPs coming to market and existing players providing new services, as they both look to offer the newly regulated account information and payment initiation services. Retailers have also considered offering customers new ways to pay.

-Open Banking access has been required since January 2018. In the UK that has been the case for all payment account providers as a result of PSD2 and for the nine biggest UK banks, additionally because of similar legal requirements imposed by the CMA.

- Up until September 14th, other than for the nine biggest banks in the UK, the new services could be provided via screenscraping. However, this position continues (see below).

- Late in the day, it was realised by some national regulators that there had not been sufficient time for TPPs to test their services in conjunction with banks’ APIs and that banks’ API based access solutions were not operating well enough from a performance or availability perspective to ensure that there is not a detrimental effect on TPP businesses.

What happens now

- Banks continue to work on improving API access solutions to ensure parity with their direct channels, sufficient breadth and appropriate performance and availability.

- Banks continue to discuss with regulators and in some cases other industry bodies and API implementation entities (such as OBIE in the UK) the exact nature of what they need to build (e.g. such as in relation to offering direct e-idas identification and the ability for customers to revoke TPP access in their domain).

- Retailers consider offering payment services in their own right, working with new PSPs or taking additional types of non-card based payment services from their acquirer.

- OBIE in the UK and other initiatives delivering API access frameworks (such as the Berlin Group) continue to work on increasing functionality and, in the case of the UK’s OBIE, mandating the nine biggest banks to deliver such functionality based on the opinion that it will lead to an increased uptake in Open Banking (as part of the mandate given to them by the CMA).

- The entire market looks at developing new use cases for Open Banking services as TPPs look to develop alternative payment options in a variety of sectors.

- Screenscraping continues in the UK and other jurisdictions whilst further readiness work is done on API access solutions. The FCA in the UK has suggested that screenscraping should continue for certain providers until March 2020.

- Most banks continue work on obtaining an exemption from having to build a second contingency access solution for TPPs. This will only be granted if their primary interface meets certain standards and is approved by the national regulator.

The state of play

The drive to increase security, competition and innovation in the payments industry at the same time has undoubtedly faced challenges in recent times. Progress has been made as new market players and services develop. However, the real test is still ahead as we wait to see the impact of SCA on customer journeys and declined payments and the take up of Open Banking once API based TPP access is in full swing. Despite being past September 14th, the impact of PSD2 in Europe remains a question to be answered in the coming year.