The FCA sets out final rule changes to its Strong Customer Authentication (SCA) rules and to its guidance on payment services and electronic money

On 29 November 2021, the UK Financial Conduct Authority (FCA) published a policy statement PS21/19 (Policy Statement) which sets out amendments to the UK SCA-RTS, the ‘Payment Services and Electronic Money’ approach document (Approach Document) and the Perimeter Guidance Manual (PERG).

The Policy Statement sets out final rule changes, as well as feedback on industry responses to their consultation paper CP21/3 (Consultation Paper). The Policy Statement implements the proposals from their Consultation Paper in full and with few modifications (see our update from February 2021). In this alert, we provide an overview of the key rule changes, what they mean for payment services providers, and the deadlines for implementation.

Changes to the SCA-RTS

Exemption from SCA for ASPSPs and 90-day re-consent requirement

The FCA has implemented a new exemption from SCA for when customers access account information with their bank, payment institution (PI), or e-money institution (each an ASPSP) through a regulated account information service provider (AISP). Previously, ASPSPs were required to apply SCA on every access to the payment account by the ASPSP, but could use an exemption under which the ASPSP would only need to apply SCA every 90 days. But even if an ASPSP made use of that exemption, it still meant that customers with multiple accounts across different ASPSPs were required to complete SCA every 90 days with each ASPSP that they want an AISP to have access to.

The Article 10A exemption permits ASPSPs to disapply SCA where a customer is using an AISP to access account information, such as balance and payments transactions. While the use of that exemption by ASPSPs is not mandated for now, the FCA has warned that it will monitor use of the exemption and will consider taking further steps to require the adoption of the exemption, if necessary. This exemption comes into force on 26 March 2022.

Further, where an AISP accesses account information without the customer actively requesting it, it will be required to re-confirm the payment service user’s continued consent to access their account information, every 90 days. This re-consent may apply to more than one account linked to the AISP, provided that this consent is specifically given for multiple identified accounts. AISPs should make available to the customer information required to make an ‘informed decision and understand what they are consenting to’, for example by providing information on the frequency of access, and by making it clear what the payment service user is consenting to. AISPs will not be required to share this consent with ASPSPs, noting however that ASPSPs may still require subsequent SCA where they have proportionate and objective reasons for doing so, for example due to unauthorised or fraudulent access. AISPs must re-confirm customer consent under Article 36(6) of the UK SCA-RTS by 26 March 2022.

Mandatory use of dedicated interface, availability of testing facilities, technical specifications and fallback mechanism

Previously, the SCA-RTS permitted ASPSPs to enable Third Party Provider (TPP) access via either a dedicated interface or a modified customer interface (MCI). In response to issues faced by TPPs in accessing MCIs, the FCA has mandated the use of dedicated interfaces by ASPSPs within scope of the Payment Account Regulations 2015, including personal accounts and SME current accounts, and credit card accounts held by consumers and SMEs.

Further, and as consulted, the FCA has implemented changes to the timing of the requirement for ASPSPs to publish interface technical specifications and to make available testing facilities and fallback mechanisms. Technical specifications and testing facilities must now be made available to TPPs from launch of the new product, rather than six months in advance.

Further, ASPSPs will be required to make a fallback interface available no later than six months after the date of market launch of the product or service.
These requirements will apply to accounts held by ASPSPs, excluding those held by small payment institutions, small e-money institutions, firms relying on the Temporary Permissions Regime (TPR) and firms in the supervised run-off regime. In-scope firms are expected to implement these changes within 18 months of the rules coming into force, which is 26 May 2023.

Changes to the Approach Document

SCA guidance scope of inherence and possession factors

The FCA declined to incorporate the EBA guidance on inherence factors detailed in their June 2019 Opinion (Opinion), which sets out that inherence relates primarily to physical properties. This is a view which the FCA considers unnecessarily restrictive. The FCA have instead updated their Approach Document and guidance on inherence to list a broader category of factors, including biometric credentials (such as fingerprint authentication or retina scanning), behavioural biometrics (such as keystroke dynamics) and behavioural characteristics (such as shopping patterns), all of which may be capable of constituting inherence factors. The FCA believe this approach will enable SCA solutions better suited for vulnerable customers, and expect that firms will continue to develop solutions that work for all groups of customers.

Conversely, regarding possession, the FCA has adopted the view from the EBA Opinion. The Approach Document has been updated to state that a device can be used as evidence of possession only where there is a reliable means to confirm this possession.

Safeguarding, prudential risk management, and wind-down plan

The Approach Document has adopted and made permanent provisions from the FCA’s 9 July 2020 temporary guidance on safeguarding customers funds, prudential risk measures and wind down plans. These provisions require in-scope firms to undertake organisational arrangements to safeguard funds, to set-up robust governance arrangements and to put in place a wind-down plan.

In light of a recent High Court judgement, the FCA has removed references to trusts in their guidance and template safeguarding credit institution/custodian acknowledgement letter, noting however that firms are still expected to obtain acknowledgement that the safeguarding institution has no right of set-off over safeguarded funds.

Extension of BCOBS and Principles for Business

As noted in our previous update, certain communication rules in the FCA’s Banking Conduct of Business Sourcebook (BCOBS – e.g. relating to communications, financial promotions and cancellation) and the FCA’s Principles for Business have applied to PIs and EMI since February 2019. The Approach Document has now been amended to reflect these changes and a revised November 2021 version of the Approach Document has been published.

Changes to the Perimeter Guidance (PERG)

The FCA finalised changes to PERG 15 to provide additional guidance on the types of products that can benefit from the limited network exclusion under the limited network exemption (LNE) under paragraph 2(k), part 2 of Schedule 1 of the Payment Services Regulations 2017 (PSRs) and the electronic communication exemption (ECE) under paragraph 2(l), part 2 of Schedule 1 of the PSRs.

If you require further information or have any further questions, please contact our payments team.

If you would like to receive our regular Payments alerts in your inbox, click here.

If you would like to read Bird & Bird's previous alerts, please check out our Payments InFocus webpage here.

Latest insights

More Insights
Curiosity line blue background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More
featured image

Update on recent UK data protection guidance in the financial services space

3 minutes Dec 19 2024

Read More
Bank card propped up against laptop

Germany: BaFin updates AML guidance

Dec 19 2024

Read More