An update on Strong Customer Authentication
Sam Boyle, IoF Policy and Information Officer, outlines the latest developments on Strong Customer Authentication and how these changes will impact fundraisers and charities.
There has been a lot of talk about how the payments landscape is going to change after the 14 September with the introduction of Strong Customer Authentication (SCA). This will have an impact on how we complete online payments, including making donations. Earlier this year, we discussed what charities would need to know in time for the new changes.
But a couple of weeks ago there was a major announcement. The Financial Conduct Authority (FCA) declared the rules could now be phased in over a period of 18 months for online card based transactions. We have been keeping up to date with UK Finance to find out what the latest is and to think about how future changes will impact charities and fundraising.
Why the delay?
The truth is many businesses and payment service providers aren’t ready for SCA.
The original plan was for most online payments (there are several exceptions and exemptions) to require two-step authentication from 14 September. From this date, non–exempt payments that do not meet the new security requirements would have been declined. SCA requires customers to provide two out of three of the following to complete online payments; something they know (such as a password), something they own (such as a smartphone or a bank card) or something they are (such as fingerprint authorisation). The reasons for bringing in these requirements are sound. Online payment fraud is all too common.
But the problem is that many issuers and merchants are completely unaware of the new features or they have not yet achieved technological readiness. According to UK Finance, 75% of merchants are said to not know that SCA is coming in and less than 5% have the right technology in place to deliver SCA-compliant transactions.
Should SCA have arrived as planned in September, it would have likely had a major impact on online transactions. The evidence suggests around 25% of online transactions would have been declined by card issuers due to payments not having the new security features.
Fortunately the FCA acknowledged concerns and asked UK Finance to draw up an alternative roadmap to ensure that payments aren’t comprised, whilst still introducing the new security features in a managed way.
The agreed solution – A managed roll out
The new proposed plans for SCA are for it to be introduced in several stages rather than in one go. Although the original date remains in place, the expectations for compliance by this date have changed. The 14 September marks the first of a series of compliance points on the SCA journey, rather than an end destination.
It’s not until March 2021 that the SCA will come fully into effect and transactions will start getting declined if they do not meet the new requirements. Until then, payment firms and issuers will avoid enforcement action as long as they are able to show that they are taking the necessary steps to comply with the new plan.
This should be good news all round, for the public, businesses and charities. For charities, online transactions (donations or sales) will not start getting declined from 14 September and the public can be confident that their payments will be processed as normal.
We will be doing more to raise awareness of the changes nearer the time of SCA’s arrival. Back in March, we held an event with Osborne Clarke to give charities the opportunity to listen to industry experts and ask questions about SCA.
The next 18 months provides ample opportunities for experts to communicate why the new legislation is necessary and make sure that everyone are up to date and prepared for the new changes.
For more information on the new proposal, take a look at the roadmap on UK Finance’s website.
Sam Boyle is Policy and Information Officer at the Institute of Fundraising.