The UK’s Financial Conduct Authority is set to delay enforcement of PSD2’s SCA by more than 18 months, after warnings that the rules would threat online sales, according to Financial Times.
New “strong customer authentication” rules, which will require most online payments to go through an extra level of verification to reduce fraud, are due to be introduced in September, but industry groups said that a lack of preparedness would make more than a quarter of payments impossible to complete.
In an update in June, the European Banking Authority rejected calls for a continent-wide grace period, arguing that companies had more than three years to prepare.
But critics of the rules said certain key technical details were not confirmed until this year, and companies have turned to national regulators to plead for more time.
The FCA asked the trade group UK Finance to design an alternative timetable for the UK. Its final recommendations, which were agreed with major financial, retail and travel groups, were submitted to the regulator last Friday.
The report, which has been seen by the Financial Times, said companies should have until March 2021 to implement most of the technical requirements, and a further six months to implement a more advanced form of authentication. Companies in the hospitality and travel sector would receive an additional year to prepare because of the “incredibly complex” nature of their payment systems.
The FCA, which was consulted throughout the design process, is expected to formally endorse the recommendations next week, and will meet key industry stakeholders on Tuesday.
Paul Rodgers, chairman of payments trade body Vendorcom, said “even if we go to an 18 month or two-year plan, the time is still short [to prepare] . . . the industry would be foolish to see this as a blank cheque”.
Banks, tech groups and retailers had initially pinned their hopes on the EBA, Europe’s top banking regulator, for a transition period that would apply across the EU. However, it agreed only to let national regulators “provide limited additional time” on a local basis.
The decision sparked worries that different countries could take different approaches to the rules, creating expensive complications for multinational firms and encouraging “regulatory arbitrage” as companies move their operations to areas that took a more lax approach to enforcement.
The UK Finance report notes that “due to the cross-border nature of payments, we strongly believe this issue requires an EU-wide solution”, and one person who contributed to the report said it was hoped that other regulators would be able to use it as a blueprint for their own planning.
The Central Bank of Ireland agreed that local regulators should work together to avoid disruption. A spokesperson for the regulator said it “will continue to engage with the EBA and other National Competent Authorities in the European Union in relation to this issue, aiming to agree a harmonised approach to the migration time periods across the EU.”
A person involved in the process at another European regulator said they were in “constant discussions” with counterparts, but cautioned that a co-ordinated timetable was not guaranteed.
Authorities in several other countries including France, Italy and Denmark have publicly said they favour a delay, but only France has so far outlined a timetable, suggesting that “the clear majority” of transactions should be compliant by the end of 2020, with the rest of the transition completed within three years.
UK Finance and the FCA declined to comment, FT added.
„For more than a week now, ScoreRise enrolls daily hundreds of users through an innovative facial recognition interface. Enrollment takes less than a minute and it does not require presence of a human operator or video recording. And, of course, it stays fully GDPR compliant with help from Reff & Associates and Deloitte Romania.”