On June 28th, 2019, the UK Financial Conduct Authority (in response to an Opinion published by the European Banking Authority) published a statement on the possible delay of enforcement against businesses that, by September 14th, 2019, will not have met the Regulatory Technical Standards for Strong Customer Authentication (SCA) in relation to e-commerce card payments.
The 14th September deadline was originally set under the Second EU Payment Services Directive, and the UK Payment Services Regulations. The FCA recognises that some businesses may be struggling to meet the deadline and has said it will work with industry stakeholders to agree a plan for implementation by a later date. Although the deadline will remain in place generally, if a business does not meet that deadline, the FCA will not take enforcement action provided that the business is operating in an area which is covered by the plan and is complying with the plan.
While this will be welcome news to those businesses (especially startups and scaleups) that have struggled to meet the SCA requirements, it is not a complete waiver. It remains to be seen what any agreed plan between the FCA and the industry will cover and what timetables it imposes. Businesses that are required to meet the SCA requirements should monitor the proposed plan and whether it applies to their business. Otherwise, the obligation remains the same.
By Luke Stubbs, a lawyer in DLA Piper’s Technology and Sourcing team, concentrating on payments and FinTech matters.