The UK’s Financial Conduct Authority has confirmed it will postpone the enforcement of PSD2 to allow online merchants more time to comply with SCA requirements. The new date for the UK is now March 2021. Online retailers active in the UK have been given up to 18 months to update their payment systems and processes to comply with new customer authentication requirements.
The Financial Conduct Authority (FCA) announced in August that it had reached an agreement with payment card issuers, payment providers and online retailers in relation to its enforcement of the 'strong customer authentication' (SCA) standards, drawn up under the EU's second Payment Services Directive (PSD2).
The agreement provides scope for businesses in the e-commerce market to work towards compliance with the SCA over a period that could last up until 14 March 2021, without the fear of punishment from the regulator for non-compliance with the new standards.
"The FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan," the FCA said. "At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA."
"The FCA will also continue to monitor the extent to which banks and payment service providers are meeting its expectation that they consider the impact of SCA on different groups of consumers, and provide alternative means of authentication where needed," it said.
The SCA standards are hard-wired into EU legislation and have taken effect from 14 September. The standards aim to make sure that banks or payment services providers know that the person requesting access to an account or trying to make a payment is either the customer or someone who has their consent. They are intended to enhance the security of payments and limit fraud.
This will mean that anyone making an online purchase will be required to identify themselves through two-factor authentication (2FA).
In the past, online retailers have been able to promote and push the convenience of click and collect and other comparable forms of “one-click” payment methods, but PSD2 will change this because, by its very nature, 2FA needs more than one click. Instead, it typically requires that customers supply a one-time code received via a text, email, or phone call to authenticate their payment.
While 2FA undoubtedly adds another layer of security for users, it also introduces an added level of complexity into the customer experience.
Yet, with online spending only continuing to rise (with online Black Friday sales in the UK last year reaching £1.49 billion, up over seven per cent year-on-year), web retailers need to consider how best to ensure PSD2 compliance. This needs to be done while also working to avoid any potential negative impact on the user experience and, consequently, overall sales (particularly during some of the busiest periods for UK retailers).