During the pandemic, many industries experienced a rise in online sales. According to some sources, sales increased by as much as 75% during this time. However, an adverse consequence of this rise was that fraud also rose by as much as 33%.

Strong Customer Authentication (SCA) was introduced by the Financial Conduct Authority and aims to limit fraud by adding additional identity checks to the online purchasing process. From March, online retailers operating in the EU and UK must offer SCA at checkout.

What is the law?

The rules are set out in the Payment Services Regulations 2017 (PSR) and its related standards.

What is Strong Customer Authentication and what has changed?

The new regulations require online retailers to use a robust authentication process to confirm a purchase over £25, including but not limited to the use of multiple methods of authentication.

You may already recognise ‘two-factor’ or ‘multi-factor’ authentication from your experiences online. It is where a customer can verify their identity through two or more of many categories of identification. The elements indicated by the PSR for SCA are set out below:

  • Possession (something only the user has – for example, a driving license).
  • Inherence (something the user is – for example, a fingerprint).
  • Knowledge (something only the user knows – for example, a memorable word).

Note: Knowledge is an alternative factor used where Inherence is not available to authenticate a customer.

Independence of the elements is key and a breach of one of the elements of knowledge, possession, or inherence should not compromise the other elements.

What transactions does Strong Customer Authentication apply to?

Unless a transaction is out of scope or an exemption applies, SCA must be used on “customer-initiated” transactions where the customer seeks to access their payment account online; initiates an electronic payment transaction, or carries out any action through a remote channel that may imply a risk of payment fraud or other abuses. This is a mandatory requirement.

This scope is broad and will mean that SCA must be applied to most online payments and bank transfers.

When doesn’t the Strong Customer Authentication apply?

Most merchant-initiated transactions are classed as out of the scope of the SCA rules. However, some customer-initiated transactions are also exempt from SCA such as low-risk transactions which present less of a chance of fraudulent activity.

For example, if you have a fixed monthly subscription, you will only be expected to use SCA on the first payment and not on subsequent payments. Purchases under £25 are also considered “low-value” and may be exempt unless there have been five consecutive low-value payments without SCA or where the cumulative total of low-value payments without SCA exceeds £85.

SCA will also not apply to certain Direct Debit transactions and secure corporate payments as these are considered ‘controlled systems’ which are authorised with pre-approved consent.

The subject of scope and exemptions can be difficult to navigate and so we recommend that businesses seek independent legal advice to check if the SCA rules apply to them.

What happens if my business does not comply with the Strong Customer Authentication rule and FPR?

If your business does not comply with the new SCA rules, the most damaging effect will be on income (as card issuers are likely to decline non-compliant transactions). It will also expose the business to potential liability for fraudulent losses and reputational damage. 

As the Payment Services, Regulations 2017 are enforced by the FCA’s enforcement division, there is a risk that the FCA chooses to monitor your payment activities and, in serious cases, may take enforcement action against your business.

What can my business do?

As discussed above, businesses need to check if their activities fall within the scope of SCA or if their activities mean that they are exempt from the rules. If you take payments through a third-party payment service provider, you should contact them to ensure that SCA measures have been applied to your business’ payment processes.

Our Corporate team at Stephens Scown can provide comprehensive advice on the SCA requirements and wider compliance with the Payment Services Regulations. Our IP, IT, and Data Protection team can also help with the legal aspects of e-commerce. If you have a question for one of our specialist advisors, contact us on 01872 265100