We are in a world of fast-paced change and need to adapt. But how do you adapt when, faced with COVID-19, you had not yet quite got the processes for new regulatory rules right?
An example of this arises from the challenges of strong customer authentication for retailers and those in the financial services sector, especially when it comes to dealing with vulnerable customers. In the COVID-19 era, with forced remote transactions and limited external support, many consumers may be classed as having increased vulnerability.
As of 14 September 2019 a new online verification system was due to come into force under the Payment Services Directive 2 (“PSD2”). The purpose of the system is to make online shopping easier and safer and, more importantly, to reduce fraud.
Verification has brought with it the challenge of implementing a pragmatic verification process, in particular in relation to vulnerable customers. Those challenges have only increased in the COVID-19 era.
The new online system (referred to as Strong Customer Authentication, “SCA”) will require a two-stage verification process and applies to banks, electronic money institutions and other payment service providers (together, “PSPs”).
To accept payments and meet SCA requirements PSPs will need to use at least two of the following three elements:
SCA applies to ‘customer-initiated’ online payments within Europe with the result that most card payments and bank transfers will require SCA. There are some exceptions such as low value transactions (approximately £28) but on the whole, SCA will be required.
It is fair to say that the implementation of SCA has presented challenges for many businesses struggling with the technological aspect and indeed, some being unaware of the regulations themselves.
As a result of this challenge, a ‘Dear CEO’ letter was issued by the FCA in August 2019 confirming that, whilst the regulations came into force on 14 September 2019, it would not take any enforcement action against any PSPs who had not met the requirements of SCA until March 2021.
Interestingly, within the same letter the FCA highlighted a significant concern regarding ‘vulnerable’ and digitally excluded customers. For the digitally savvy among us, using our mobile phones to get a one-time passcode is an easy fix; however, for those who do not have mobile phones, are vulnerable or live in a mobile black spot, it becomes a more pressing issue.
The FCA has noted that not everyone has a mobile phone and as such they expect firms to be able to provide a viable means for authenticating these customers. It is certainly reassuring that this issue has been highlighted but no real solution has been offered by the FCA.
Even those with a mobile phone that live in a network black spot could find themselves being unable to undertake transactions and as such there has to be more than one option for each customer so that they are not forced to attend or call their bank to complete online security checks.
With the advent of Covid-19 everyone is suddenly finding themselves catapulted into a new reality and having to find new ways of undertaking things that were previously straightforward. The FCA is no different.
Some PSPs were struggling to comply with SCA prior to this pandemic, and the FCA has recognised that, with the population on lockdown, SCA will also be more difficult to implement. This, coupled with the fact that the number of online transactions will now increase, led the FCA to update its web page on SCA on 31 March 2020, adding an entirely new section relating to Covid-19. A link to the web page can be found here: https://www.fca.org.uk/firms/strong-customer-authentication
Within this update they have stated that they expect that the current challenges are likely to affect the planned implementation of SCA and that they will work closely with the industry to agree any changes to milestones and timelines that may be needed.
In addition, they have confirmed that they will consider, on a case-by-case basis, PSPs that have not met the deadline of 14 March 2021 for the implementation of SCA due to coronavirus.
As many PSPs will be aware, it has been advised that, where possible, contactless be used for payment due to the decreased risk of onward transmission of the virus, and there has been an initiative to increase the contactless limit. Ordinarily SCA would apply to contactless transactions where:
The FCA have confirmed in their update that they are ‘very unlikely’ to take enforcement action, but only as long as the PSP sufficiently mitigates the risk of unauthorised transactions and fraud by having the necessary fraud monitoring tools and systems in place and taking swift action.
This update has no doubt come as welcome news to many firms who now find themselves in financial distress due to the impact of Covid-19 on the economy.
There is a wide range of customers who could be classed as vulnerable, even more so in the current times. The FCA themselves appreciate that vulnerability can come in many different guises. It can be temporary, sporadic or permanent in nature and there is no one-size-fits-all solution.
Some of the issues that PSPs should be aware of when considering SCA in terms of vulnerability are:
The first issue will be identifying these customers and then offering a solution that works for them.
Most financial businesses will have risk assessments in place to identify vulnerable customers already, however, solutions for the SCA conundrum still remain hazy at best.
The slickest and most secure form of two-factor identification is an encrypted push notification sent to your mobile phone via the bank’s mobile phone app.
It remains unclear what solutions will be considered best and utilised by PSPs. The industry wants to avoid online transactions being abandoned due to people not receiving a passcode or being confused by the extra layer of security. With the deadline looming (which may well be extended given the current events), sensible and pragmatic solutions must be found in order to ensure that the most vulnerable amongst us are not excluded from being able to undertake online transactions.
Contact: If your organisation requires advice on how to approach compliance with the SCA rules, in particular relating to vulnerable customers, please do get in touch.