## What is PSD2 Strong Customer Authentication (SCA)?
PSD2 Strong Customer Authentication (SCA) is a security requirement under the Revised Payment Services Directive (PSD2) designed to make electronic payments more secure and reduce fraud, specifically requiring a multi-factor authentication process for most online transactions. Introduced on 14 September 2019, with a phased enforcement period in the UK, SCA mandates that payment service providers (PSPs), including authorised payment institutions (PIs) and electronic money institutions (EMIs), verify a payer's identity using at least two independent elements from categories of knowledge (something only the user knows, e.g., a PIN or password), possession (something only the user possesses, e.g., a mobile phone or token), and inherence (something the user is, e.g., a fingerprint or facial recognition). The objective is to significantly enhance the security of payment initiation and access to payment accounts.
The legal basis for SCA is found in Article 97 of PSD2 (Directive 2015/2366/EU) and further elaborated in the Regulatory Technical Standards (RTS) on Strong Customer Authentication and Common and Secure Open Standards of Communication (Commission Delegated Regulation (EU) 2018/389). Although the UK has left the European Union, the substance of PSD2 and its accompanying RTS have been largely retained in UK law through The Payment Services Regulations 2017 (PSRs 2017), ensuring that UK PIs and EMIs continue to adhere to these robust security requirements. The Financial Conduct Authority (FCA) is the competent authority responsible for enforcing these provisions in the UK, publishing extensive guidance to assist firms in their compliance efforts.
It is imperative for PIs to continuously review their SCA implementation to ensure it meets the evolving regulatory expectations and effectively mitigates emerging fraud risks. Failure to comply can result in enforcement action, including fines and other sanctions from the FCA, as well as reputational damage and financial losses due to fraud.
## Which Payment Institutions are Subject to SCA Requirements?
All Payment Institutions (PIs) authorised or registered under the Payment Services Regulations 2017 (PSRs 2017) in the UK are subject to SCA requirements, along with Electronic Money Institutions (EMIs), banks, and other Payment Service Providers (PSPs). This includes both PIs providing payment services directly to consumers and those facilitating business-to-business (B2B) payments, although specific exemptions may apply. SCA applies to transactions where at least one of the payment service providers involved is located within the European Economic Area (EEA) or, following Brexit, the UK. Transactions where only one of the payer's or payee's PSPs is inside the EEA/UK jurisdiction are often referred to as "one-leg out" transactions.
For PIs operating cross-border, it is crucial to understand the jurisdictional reach of SCA. The RTS specifies that SCA applies when the payer’s payment service provider is located within the EEA (or, for UK firms, within the UK). This means that if a UK PI processes a payment where the card issuer or account holding PSP is based in the UK or EEA, SCA will likely apply, irrespective of the merchant's location. Conversely, if both the payer’s PSP and the payee’s PSP are outside the UK/EEA, UK SCA rules may not apply directly, but local regulations in those jurisdictions could impose similar requirements.
The FCA has consistently reinforced the importance of SCA for all PSPs, including PIs, for activities such as:
- Initiating an electronic payment transaction.
- Accessing an online payment account.
- Carrying out any action through a remote channel which may imply a risk of payment fraud or other abuses.
This broad scope means that PIs offering services such as account information services (AIS), payment initiation services (PIS), or simply holding customer funds accessible via online portals must robustly implement SCA. Further guidance on the application of SCA to specific payment services can be found in the FCA’s Payment Systems and Strong Customer Authentication webpage and various Consultation Papers over the years.
## What are the Exemptions to Strong Customer Authentication?
While SCA is a fundamental security measure, the Regulatory Technical Standards (RTS) provide for several key exemptions to balance security with convenience, and PIs must carefully apply these. These exemptions are not automatic; rather, the payment service provider, typically the Acquirer or Issuer, is responsible for performing a real-time risk assessment to determine if an exemption can be responsibly applied without increasing fraud risk. The most commonly applied exemptions include:
- Low-value transactions: Transactions below €30 (or the equivalent in GBP, currently £25 under temporary FCA guidance) can be exempt from SCA. However, cumulative limits apply: SCA will be triggered if the payer initiates five consecutive low-value transactions without SCA, or if the total amount of low-value, SCA-exempt transactions exceeds €100 (or £88). Once these thresholds are met, SCA must be applied. Firms must have robust systems to track these cumulative limits.
- Recurring payments (Fixed amount to the same payee): Subsequent transactions of the same amount to the same payee after the initial SCA-protected transaction are exempt. This is particularly relevant for subscriptions or direct debits initiated by card. The first payment must always be authenticated with SCA.
- Whitelist / Trusted beneficiaries: Payers can whitelist specific beneficiaries as trusted, thereby exempting future payments to those beneficiaries from SCA. The initial whitelisting process, however, must be performed with SCA. This enables a smoother experience for regular payments to known entities.
- Low-risk transactions (Transaction Risk Analysis - TRA): This is perhaps the most significant and complex exemption. Payment service providers, particularly acquirers, can perform a Transaction Risk Analysis (TRA) in real-time to assess the fraud risk of a transaction. If the transaction is deemed low-risk based on specific fraud rate thresholds (set by the RTS), SCA can be waived. These thresholds vary based on transaction value:
- Corporate payments (dedicated payment processes and protocols): Payments made by legal persons (corporations) using dedicated payment processes or protocols that are not generally available to consumers can be exempt. This typically applies to B2B payment services with bespoke security arrangements.
- Unattended terminals for transport fares and parking fees: Payments made at unattended terminals for certain services like transport and parking are exempt, recognising the practical difficulties of implementing SCA in such environments.
- Mail Order/Telephone Order (MOTO) transactions: While not explicitly an exemption under the technical standards, MOTO transactions are generally considered "card-not-present" transactions initiated by the merchant rather than the payer, and therefore fall outside the scope of SCA, which applies where the payer is 'initiating an electronic payment transaction'. However, firms offering MOTO services must still employ adequate fraud prevention measures.
The proper application of these exemptions demands sophisticated fraud monitoring systems and a clear understanding of the FCA’s guidance, particularly on how to calculate and monitor fraud rates for TRA. Incorrectly applying an exemption can lead to increased fraud and regulatory scrutiny. For detailed requirements, Section 30 of the Payment Services Regulations 2017 (PSRs 2017) and Articles 13-18 of the RTS are the key references.
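As an added illustration (not part of the original article or of any FCA or RTS material), the following Python models the cumulative-limit bookkeeping a PSP must keep for the low-value exemption described above: a payer may have up to five consecutive exempt payments since the last SCA and the sixth is challenged (the RTS Article 16 reading of "five consecutive"), and SCA is also triggered when the running total would exceed €100 or a single payment exceeds €30. Amounts are held in euro cents to avoid floating-point drift; the payer identifiers and payment sequences are constructed.

```python
from dataclasses import dataclass

# Thresholds as stated on the page for the low-value exemption, in euro cents.
LOW_VALUE_LIMIT = 30_00      # a single payment above this can never be exempt
CUMULATIVE_LIMIT = 100_00    # running total of exempt payments since last SCA
MAX_CONSECUTIVE = 5          # exempt payments permitted since last SCA


@dataclass
class PayerState:
    """Per-payer counters the PSP keeps since the last application of SCA."""
    consecutive_exempt: int = 0
    cumulative_exempt: int = 0

    def reset(self) -> None:
        self.consecutive_exempt = 0
        self.cumulative_exempt = 0


class LowValueExemptionEngine:
    """Decides, per remote electronic payment, whether the exemption applies."""

    def __init__(self) -> None:
        self._state: dict[str, PayerState] = {}

    def decide(self, payer_id: str, amount_cents: int) -> str:
        """Return 'EXEMPT' or 'SCA'. An 'SCA' decision models the PSP actually
        challenging the payer; on success the payer's counters start again."""
        st = self._state.setdefault(payer_id, PayerState())
        over_single = amount_cents > LOW_VALUE_LIMIT
        over_count = st.consecutive_exempt >= MAX_CONSECUTIVE
        over_total = st.cumulative_exempt + amount_cents > CUMULATIVE_LIMIT
        if over_single or over_count or over_total:
            st.reset()
            return "SCA"
        st.consecutive_exempt += 1
        st.cumulative_exempt += amount_cents
        return "EXEMPT"


def run_sequence(payer_id: str, amounts_cents: list[int]) -> list[str]:
    """Run one payer's constructed payment sequence through a fresh engine."""
    engine = LowValueExemptionEngine()
    return [engine.decide(payer_id, a) for a in amounts_cents]


if __name__ == "__main__":
    # Constructed sample: six EUR 20.00 payments; the sixth is challenged
    # because five exempt payments have already been allowed.
    sample = [20_00] * 6
    for amt, decision in zip(sample, run_sequence("payer-1", sample)):
        print(f"EUR {amt / 100:6.2f} -> {decision}")
```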
## What are the Implementation Challenges for Payment Institutions?
Implementing Strong Customer Authentication (SCA) presents several significant challenges for Payment Institutions (PIs), requiring substantial technical investment, operational adjustments, and a delicate balance between security and user experience. Firms must navigate these complexities to ensure both compliance and continued business growth.
- Technical Integration Complexity: Integrating SCA into existing payment flows and systems is often a complex technical undertaking. PIs may need to:
- User Experience (UX) and Conversion Rates: A major concern for PIs is the potential negative impact of SCA on user experience and, consequently, conversion rates. Overly complex or frequent authentication challenges can lead to:
- Fraud Rate Monitoring and Exemption Management (TRA): Applying the Transaction Risk Analysis (TRA) exemption effectively requires sophisticated, real-time fraud monitoring capabilities. PIs need to:
- Regulatory Interpretation and Evolving Guidance: While the core principles of SCA are established, the practical application can sometimes be ambiguous, particularly for novel payment solutions. The FCA continuously issues guidance, Dear CEO letters, and Q&As that PIs must monitor and adapt to. Examples include clarifications on the scope of SCA for one-leg out transactions or specific payment methods. Staying abreast of these developments requires dedicated regulatory monitoring.
- Data Security and Privacy: Implementing SCA involves processing sensitive customer data for authentication purposes. PIs must ensure that their authentication solutions comply with relevant data protection regulations, such as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This includes secure storage of authentication credentials, appropriate access controls, and transparent communication with customers about data usage.
- Cost of Compliance: The cumulative cost of developing or procuring SCA-compliant systems, training staff, conducting risk assessments, and maintaining ongoing compliance efforts can be substantial for PIs, particularly smaller firms. This investment must be weighed against the benefits of increased security and regulatory adherence.
To overcome these challenges, PIs often engage specialist regulatory consultants, leverage third-party authentication solutions, and adopt agile development methodologies to iteratively improve their SCA implementations. The objective must remain to protect customers while fostering innovation in the payment ecosystem. Further insights can be found in the FCA’s "Strong Customer Authentication and Payments – What you need to know" resources found on their official website.
## What are the Best Practices for SCA Compliance?
Achieving and maintaining Strong Customer Authentication (SCA) compliance under PSD2 and the PSRs 2017 requires a strategic, multifaceted approach for Payment Institutions (PIs). Adopting best practices is essential not only to meet regulatory obligations but also to enhance security, reduce fraud, and maintain a positive customer experience.
- Adopt a Risk-Based Approach: Do not apply SCA blindly to every transaction. Instead, develop and implement a robust framework for Transaction Risk Analysis (TRA) as permitted by Article 18 of the RTS. This involves:
- Implement Robust and Diverse Authentication Elements: Ensure that your chosen SCA methods meet the "independence" requirement of using two distinct elements from different categories (knowledge, possession, inherence).
- Prioritise User Experience (UX): While security is paramount, SCA should not unduly hinder the user journey.
- Invest in Secure Infrastructure and Continuous Monitoring: The underlying systems supporting SCA must be highly secure and resilient.
- Comprehensive Staff Training and Awareness: Employees at all levels, particularly those in customer service, fraud detection, and IT, must be fully aware of SCA requirements and procedures.
- Regular Review and Adaptation: The regulatory and threat landscapes are constantly evolving. PIs must:
By integrating these best practices, Payment Institutions can build a robust, compliant, and user-friendly SCA framework, safeguarding their customers and their business in the dynamic payment landscape.
## What is the FCA's Stance on SCA Compliance and Enforcement?
The Financial Conduct Authority (FCA) takes Strong Customer Authentication (SCA) compliance very seriously, consistently emphasising its critical role in protecting consumers and maintaining the integrity of the UK’s payment ecosystem. The FCA's stance is one of firm expectation for adherence, combined with a pragmatic approach allowing for industry adaptation.
Firstly, the FCA expects all Payment Institutions and other PSPs to have fully implemented SCA for in-scope transactions in line with the Payment Services Regulations 2017 (PSRs 2017) and the accompanying Regulatory Technical Standards (RTS). While there was a staggered implementation period for e-commerce card payments, the full enforcement for all relevant transactions, including those initiated online, via mobile apps, or through other remote channels, is now in effect. The FCA maintains that firms should have made all necessary changes to ensure a smooth authentication process for their customers.
Secondly, the FCA regularly publishes guidance and updates to clarify its expectations. This includes specific guidance on:
- One-leg out transactions: How SCA applies when only one leg of the transaction (payer’s or payee’s PSP) is within the UK/EEA.
- Specific payment methods: Clarifications for unique payment flows, such as virtual cards or certain wallet solutions.
- Exemptions: Clear guidance on the appropriate application of exemptions, particularly the Transaction Risk Analysis (TRA) exemption, and the requirement for robust fraud monitoring. The FCA monitors the use of exemptions closely to ensure they are not being misused or leading to increased fraud.
- Operational resilience: Ensuring that SCA systems are robust, available, and resilient to cyber threats and operational disruptions.
Firms can refer to the FCA's dedicated Payment Systems and Strong Customer Authentication webpage for the latest updates and clarifications.
Thirdly, the FCA employs a risk-based supervisory approach to SCA. This means they will pay particular attention to firms that:
- Have a history of operational incidents or system failures related to payments.
- Exhibit higher-than-average fraud rates, especially for transactions where SCA should have been applied.
- Receive significant customer complaints related to authentication failures or overly complex processes.
- Are slow to adapt to new regulatory guidance or industry best practices.
Supervision extends to reviewing a firm’s internal policies, procedures, audit reports, and fraud data.
Finally, the FCA has a range of enforcement powers under the Financial Services and Markets Act 2000 (FSMA) and the PSRs 2017 for non-compliance. These include:
- Public censures: Formally reprimanding a firm.
- Financial penalties: Issuing fines, which can be substantial depending on the severity and duration of the breach.
- Imposing requirements or restrictions: Limiting a firm’s activities or requiring specific remediations.
- Withdrawal of authorisation: In the most severe cases, particularly where a firm poses a significant risk to consumers or the payment system, the FCA can revoke its authorisation as a Payment Institution.
The FCA’s consistent messaging is that firms must prioritise the security of customer payments, and SCA remains a cornerstone of this objective. Firms that fail to meet these expectations face serious consequences. PIs should actively engage with FCA updates and consider formal legal and regulatory advice to ensure their SCA framework remains fully compliant and effective.
## Frequently Asked Questions
The primary purpose of PSD2 Strong Customer Authentication (SCA) is to enhance the security of electronic payments and reduce payment fraud by requiring a multi-factor authentication process for most online transactions. This involves verifying a payer's identity using at least two independent elements from categories of knowledge, possession, and inherence.
Common exemptions from SCA include low-value transactions (below €30/£25), recurring payments after the initial SCA-protected transaction, payments to whitelisted (trusted) beneficiaries, and low-risk transactions identified through Transaction Risk Analysis (TRA) by the PSP. Certain corporate payments and payments at unattended terminals for specific services are also exempt.
Non-compliance with SCA requirements can lead to significant consequences for Payment Institutions. The FCA, as the UK regulator, can impose enforcement actions including public censures, substantial financial penalties, restrictions on business activities, or even the withdrawal of authorisation. Additionally, non-compliance can result in increased fraud losses and severe reputational damage.
Transaction Risk Analysis (TRA) allows payment service providers (typically acquirers or issuers) to waive SCA for transactions deemed low-risk based on real-time fraud assessment. This requires sophisticated fraud detection systems and adherence to specific fraud rate thresholds for transactions below certain values (e.g., €100, €250, €500). If the issuer's fraud rate for transactions within a specific value band falls below the prescribed threshold, SCA can be exempted for that transaction.
Yes, PSD2 SCA remains applicable in the UK after Brexit. The core principles and requirements of PSD2, including its SCA provisions, have been largely retained in UK law through The Payment Services Regulations 2017 (PSRs 2017). The Financial Conduct Authority (FCA) continues to be the primary regulator enforcing these standards for Payment Institutions and other payment service providers in the UK.