Strong Customer Authentication (SCA) for UK Payment Firms: Compliance Guide

Regulatory Counsel · March 2026 · 8 min read

Key Takeaways

  • SCA is mandated by the Payment Services Regulations 2017 (Regulation 100) and the FCA's regulatory technical standards, requiring two or more authentication factors from the categories of knowledge, possession and inherence.
  • SCA applies when a customer initiates an electronic payment, accesses their payment account online, or carries out any action through a remote channel that may imply a risk of fraud.
  • Exemptions exist for low-value transactions (under £25/€30 for contactless), trusted beneficiaries, recurring transactions of the same amount to the same payee, and transactions assessed as low risk through transaction risk analysis.
  • Dynamic linking requires that authentication codes for remote electronic payment transactions are linked to the specific transaction amount and payee — preventing the code from being reused for a different transaction.
  • The FCA has taken an increasingly strict approach to SCA compliance, issuing requirements notices and supervisory interventions against firms with inadequate implementation.

Strong Customer Authentication (SCA) is one of the most significant operational and technical requirements imposed on payment institutions and electronic money institutions. Derived from PSD2 and implemented in the UK through the Payment Services Regulations 2017 and associated regulatory technical standards, SCA requires that electronic payment transactions and online account access are authenticated using two or more independent factors from three defined categories. This guide covers the legal framework, technical requirements, available exemptions and FCA enforcement approach.

What Is Strong Customer Authentication?

SCA is defined in the PSRs 2017 as authentication based on the use of two or more elements categorised as: knowledge (something only the user knows — a password, PIN or security question); possession (something only the user possesses — a mobile phone, hardware token or smart card); and inherence (something the user is — a fingerprint, facial recognition or voice pattern). The elements must be independent — compromise of one factor must not compromise another — and at least one factor must be non-reusable and non-replicable (except for inherence).

SCA is required under Regulation 100 of the PSRs 2017 when the payer: initiates an electronic payment transaction; accesses their payment account online; or carries out any action through a remote channel which may imply a risk of payment fraud or other abuse. The requirement applies to the payment service provider (PSP) that issued the payment instrument or maintains the customer's account — this is typically the payer's PSP, not the payee's.

Technical Requirements

The FCA's regulatory technical standards on SCA specify the detailed technical requirements. Key elements include:

Independence of factors. The authentication factors must be independent. A system that combines a static password (a knowledge factor) with a one-time password delivered by SMS to the user's registered mobile phone (a possession factor) draws on two different categories and meets this requirement. A system that requires two passwords (both knowledge factors) does not.

Dynamic linking. For remote electronic payment transactions, the authentication code must be dynamically linked to the specific amount and payee of the transaction. This means the code generated for a £500 payment to Company A cannot be used to authorise a £1,000 payment to Company B. Dynamic linking is intended to prevent man-in-the-middle attacks where a fraudster intercepts and modifies transaction details.
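The binding property described above, as an added illustration that is not code from the guide. It assumes the authentication code is an HMAC-SHA256 over a canonical encoding of the transaction, keyed with a secret held only by the payer's registered device and the issuing PSP; the regulatory technical standards do not prescribe this particular construction, it simply shows why a code for £500 to Company A is useless for £1,000 to Company B.

```python
"""Added example of dynamic linking (not from the guide). Assumption: the
authentication code is HMAC-SHA256 over a canonical encoding of the
transaction, keyed with a per-device secret shared with the issuing PSP."""
import hashlib
import hmac
from decimal import Decimal

# Constructed demo key; a real deployment provisions a per-device secret.
DEVICE_KEY = b"constructed-demo-key-do-not-use"


def canonical_transaction(tx_id: str, amount: str, currency: str, payee: str) -> bytes:
    """Encode the fields in a fixed order with an unambiguous separator, so
    that no two distinct (amount, payee) pairs share an encoding."""
    for value in (tx_id, currency, payee):
        if "|" in value:
            raise ValueError("separator character not allowed in fields")
    amount_minor = int(Decimal(amount).quantize(Decimal("0.01")) * 100)  # pence
    return f"{tx_id}|{amount_minor}|{currency}|{payee}".encode("utf-8")


def generate_auth_code(key: bytes, tx_id: str, amount: str,
                       currency: str, payee: str) -> str:
    """Return an 8-digit code bound to this transaction's id, amount and payee."""
    mac = hmac.new(key, canonical_transaction(tx_id, amount, currency, payee),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def verify_auth_code(key: bytes, code: str, tx_id: str, amount: str,
                     currency: str, payee: str) -> bool:
    """Recompute the code from the details the PSP is about to execute; a
    modified amount or payee yields a different code, so verification fails."""
    expected = generate_auth_code(key, tx_id, amount, currency, payee)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    code = generate_auth_code(DEVICE_KEY, "tx-0001", "500.00", "GBP", "Company A")
    print("code for £500 to Company A:", code)
    print("accepted for £500 to Company A:",
          verify_auth_code(DEVICE_KEY, code, "tx-0001", "500.00", "GBP", "Company A"))
    print("accepted for £1,000 to Company B:",
          verify_auth_code(DEVICE_KEY, code, "tx-0001", "1000.00", "GBP", "Company B"))
```

Because the transaction id is part of the encoding, the same amount and payee in a later transaction also receives a fresh code, which is what stops replay.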

Communication channel security. The authentication process must use secure communication channels. The regulatory technical standards require that data transmitted during the authentication process is protected against interception, tampering and replay attacks. This has implications for the technology platforms and protocols used to deliver authentication challenges and receive responses.

Session management. Once authenticated, the maximum session duration for online payment account access must not exceed five minutes of inactivity before re-authentication is required. Firms must implement appropriate session timeout controls.

Exemptions

The regulatory framework provides exemptions from SCA for specific transaction types and scenarios where the risk of fraud is assessed as lower:

Low-value transactions. Contactless payments below £100 (the UK threshold, raised from the original £45) are exempt, subject to cumulative limits — SCA must be applied after five consecutive contactless transactions or when the cumulative value exceeds £300. Remote electronic transactions below £25 may be exempt under the same cumulative framework.
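The cumulative limits just described, applied as decision logic in an added example that is not from the guide. It assumes the single-transaction limit is strict (below £100), that the counters are kept per payment instrument and reset whenever the payer completes SCA, and that "exceeds £300" refers to the running total including the transaction being assessed.

```python
"""Added example (not from the guide): the contactless low-value exemption
with its cumulative limits. Assumptions: strict single-transaction limit,
counters reset on each successful SCA, running total includes this payment."""
from dataclasses import dataclass, field
from decimal import Decimal

SINGLE_LIMIT = Decimal("100")      # each transaction must be below this
CUMULATIVE_LIMIT = Decimal("300")  # running total since the last SCA
MAX_CONSECUTIVE = 5                # exempt transactions since the last SCA


@dataclass
class ContactlessState:
    """Counters kept per card since the last successful SCA."""
    count_since_sca: int = 0
    value_since_sca: Decimal = field(default_factory=lambda: Decimal("0"))

    def may_exempt(self, amount: str) -> bool:
        """Decide whether this contactless payment can skip SCA and update
        the counters. Returns True if exempt, False if SCA is due."""
        amt = Decimal(amount)
        exempt = (amt < SINGLE_LIMIT
                  and self.count_since_sca < MAX_CONSECUTIVE
                  and self.value_since_sca + amt <= CUMULATIVE_LIMIT)
        if exempt:
            self.count_since_sca += 1
            self.value_since_sca += amt
        else:
            # SCA is applied to this transaction; once the payer has
            # authenticated, the cumulative counters start again from zero.
            self.count_since_sca = 0
            self.value_since_sca = Decimal("0")
        return exempt


def run_sequence(amounts):
    """Apply the rule to a sequence of amounts on one card and return the
    per-transaction decision, 'exempt' or 'sca'."""
    state = ContactlessState()
    return ["exempt" if state.may_exempt(a) else "sca" for a in amounts]


if __name__ == "__main__":
    print(run_sequence(["20", "20", "20", "20", "20", "20"]))  # sixth needs SCA
    print(run_sequence(["90", "90", "90", "90"]))              # fourth breaches £300
```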

Trusted beneficiaries. Customers can designate payees as trusted beneficiaries. Once a payee is added to the trusted beneficiary list (which itself requires SCA), subsequent payments to that payee are exempt from SCA.

Recurring transactions. Recurring payments of the same amount to the same payee (e.g., standing orders, subscriptions) require SCA for the first transaction but are exempt for subsequent identical transactions.

Transaction risk analysis (TRA). PSPs can apply a real-time transaction risk analysis to exempt transactions from SCA, provided the PSP's fraud rates for the relevant transaction type are below the reference thresholds set out in the regulatory technical standards. This is the most operationally complex exemption and requires robust fraud monitoring and reporting capabilities.

Merchant-initiated transactions. Transactions initiated by the merchant (rather than the cardholder) — such as recurring billing or delayed charges — are out of scope of SCA because the payer is not present to authenticate.

FCA Enforcement Approach

The FCA has taken an increasingly strict approach to SCA compliance. Following an extended implementation timeline that gave the industry additional time to adapt, the FCA has signalled that the grace period for non-compliance is over. The regulator has issued requirements notices to individual firms, conducted thematic reviews of SCA implementation across payment firms and card issuers, and published supervisory findings highlighting common deficiencies.

Key areas of FCA focus include: firms that apply exemptions too broadly without adequate risk assessment; failure to implement dynamic linking correctly for remote transactions; authentication flows that technically use two factors but where the independence requirement is not met; and inadequate monitoring of exemption usage and fraud rates. Firms whose fraud rates exceed the reference thresholds while relying on TRA exemptions face potential supervisory action.

Practical Implementation Considerations

Payment institutions and EMIs implementing or reviewing SCA compliance should consider:

  • customer experience impact: SCA adds friction to the payment journey, and firms must balance security with usability;
  • technology investment in multi-factor authentication infrastructure;
  • exemption strategy: which exemptions to apply and the monitoring required to maintain eligibility;
  • integration with existing fraud detection and transaction monitoring systems;
  • staff training on SCA requirements and exemption application; and
  • documentation of SCA policies, procedures and decision-making rationale for regulatory reporting purposes.

Regulatory Counsel advises payment institutions and EMIs on SCA compliance, payment regulation and FCA supervisory preparation. Contact us for a free initial consultation.

Frequently Asked Questions

What are the three categories of authentication factor?

Knowledge (something the user knows: password, PIN), possession (something the user has: phone, token), and inherence (something the user is: fingerprint, facial recognition). SCA requires at least two from different categories.

Which exemptions from SCA are available?

Exemptions include low-value contactless payments (under £100, subject to cumulative limits), trusted beneficiaries, recurring identical payments, transactions passing a real-time risk analysis, and merchant-initiated transactions.

What does dynamic linking require?

For remote payments, the authentication code must be linked to the specific transaction amount and payee. This prevents the code being reused for a different transaction.

Are SMS one-time passwords SCA-compliant?

Yes, SMS-based one-time passwords currently satisfy the possession factor. However, the FCA and industry bodies have highlighted the security limitations of SMS, and firms are encouraged to consider more secure alternatives.