Strong customer authentication: the exemptions explained

In my previous blog, I outlined the basic requirements of the new obligation, brought in under PSD2 (the second Payment Services Directive), for all payment service providers to apply strong customer authentication (SCA) in certain circumstances. SCA has to be applied both when accessing payment account information and when initiating a payment transaction, meaning that a customer checking their account and then paying a couple of bills would have to go through SCA multiple times in one session, which is far from ideal on the user-experience scale. To avoid this, you, as a payment service provider (PSP), can apply one of nine exemptions, if circumstances permit.

In this blog, I will explain the exemptions and how they could be used in practice. The exemptions are set out in the third chapter of the regulatory technical standards (RTS) for strong customer authentication and common and secure open standards of communication, which can be found here.

Payment account information (Article 10)

A PSP can allow the payment service user to access information on the balance on the payment account and transactional information as long as:

  • the information provided is no older than 90 days; and
  • the payment service user has, when accessing account information online, been subject to SCA in the previous 90 days.

It’s important to note the stipulation that the SCA has to have been for the purpose of accessing the information online and not, for example, initiating a payment. Also, the 90-day period is specific to the PSP, so where, for example, the payment service user was subject to SCA by an account information service provider (AISP), that does not reset the clock for the account servicing payment service provider (the ASPSP, or the PSP who offers the payment account).

This allows you to at least provide, in certain circumstances, some information to your customer when they have logged in solely with username and password, but if they are looking for older information, they will have to undergo SCA. Care must be taken, though, to ensure that the payment service user is not able to access sensitive payment data without going through SCA.

Contactless payments at point of sale (Article 11)

The first contactless card transaction in the UK happened in 2007 and now, according to Worldpay, just more than a decade later, contactless payments have overtaken chip and pin for in-store transactions. The convenience of contactless payments has been secured where the payment is below €50 in value and where either:

  • the cumulative amount of €150 has not been paid by contactless payment since SCA was last applied; or
  • there have been no more than five earlier contactless payments.

It is up to you which cumulative option you apply to your users, just so long as you don’t attempt to provide both at the same time. Clearly, exchange rate fluctuations can make this a tricky exemption but the FCA has, effectively, recommended £40 as a threshold (while that remains a sensible figure given the exchange rate). Ultimately, they expect each PSP to take a reasonable and consistent approach so that they don’t confuse their customers.

This exemption is specific to the payment instrument so each card associated with a joint account will have its own limitation.

Unattended terminals for transport fares and parking fees (Article 12)

Where a payment service provider allows customers to make electronic payments for transport fares or parking fees at an unattended terminal, they do not have to apply SCA. Such transactions do not count towards the contactless limits in the Article 11 exemption.

Trusted beneficiaries (Article 13)

ASPSPs can allow payment service users to develop a list of trusted beneficiaries to whom payments can be made without needing SCA. However, SCA must be applied whenever a trusted beneficiary is created or amended. Note also that a payment initiation service provider (PISP) cannot enable a payment service user to create a list of trusted beneficiaries.

Recurring transactions (Article 14)

Recurring transactions must be created and amended with SCA, but future payments are then exempt provided the amount of the payment and the payee remain the same. This applies to regular payments made for membership fees, donations or subscriptions by standing order. Direct debit and card-based continuous payment authority transactions are outside the scope of the SCA obligations where they are initiated by the payee.

Credit transfers between accounts held by the same natural or legal person (Article 15)

This exemption can be availed of where the accounts are held with the same ASPSP, and so allows the payment service user to sweep funds from their current account to their savings account, for instance.

Low-value transactions (Article 16)

This exemption operates in the same way as the contactless payments exemption but with lower values: the individual transaction amount of €30 (which was an increase from the originally proposed €10) and the cumulative amount of €100 (or no more than five transactions). The FCA’s opinion on exchange rates carries over to this exemption as well.
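The Article 11 and Article 16 counters described above, as an added example that is not the page's or fscom's own code: one way a PSP's authorisation service could track, per payment instrument, either the cumulative-amount option or the count option (never both), reset the counters whenever SCA is applied, and keep Article 12 unattended-terminal payments out of the contactless tally. The function names, the string transaction kinds and the treatment of an amount exactly on a limit are my assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    """A PSP applies exactly one of the two cumulative options, never both at once."""
    CUMULATIVE_AMOUNT = "amount"
    COUNT = "count"


# Thresholds quoted on the page, in EUR: (per-transaction limit, cumulative limit, max earlier payments).
LIMITS = {
    "contactless": (50.0, 150.0, 5),       # Article 11
    "low_value_remote": (30.0, 100.0, 5),  # Article 16
}


@dataclass
class InstrumentState:
    """Counters kept per payment instrument (each card on a joint account has its own)."""
    spent_since_sca: float = 0.0
    count_since_sca: int = 0

    def reset(self) -> None:
        # Both counters restart whenever SCA is applied to this instrument.
        self.spent_since_sca = 0.0
        self.count_since_sca = 0


def exemption_applies(kind: str, amount: float, state: InstrumentState, mode: Mode) -> bool:
    """Article 11/16 test for one transaction; treating an amount equal to a limit as within it is an assumption."""
    per_tx, cumulative, max_earlier = LIMITS[kind]
    if amount > per_tx:
        return False
    if mode is Mode.CUMULATIVE_AMOUNT:
        return state.spent_since_sca + amount <= cumulative
    return state.count_since_sca <= max_earlier


def authorise(kind: str, amount: float, state: InstrumentState, mode: Mode) -> str:
    """Returns "exempt" (no SCA) or "sca" (SCA applied, counters reset) and updates the counters."""
    if kind == "unattended_terminal":
        # Article 12: transport fares and parking fees need no SCA and do not count
        # towards the Article 11 contactless limits, so the counters are left untouched.
        return "exempt"
    if exemption_applies(kind, amount, state, mode):
        state.spent_since_sca += amount
        state.count_since_sca += 1
        return "exempt"
    state.reset()
    return "sca"


if __name__ == "__main__":
    card = InstrumentState()  # constructed sequence: six EUR 45 taps, then the seventh needs SCA
    print([authorise("contactless", 45.0, card, Mode.COUNT) for _ in range(7)])
```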

Secure corporate payment processes and protocols (Article 17)

This is for PSPs that have a sizeable or solely corporate client base, because you must have a separate protocol not available to consumers (natural persons) and you must have transaction monitoring, fraud prevention, security and encryption measures in place. In other words, this can’t be used as a blanket exemption for all corporate clients and will require a bit of work to utilise. The FCA will monitor suitability through your REP018, and if you are intending to use this exemption you must include the operational and security risks in your risk assessment and submit the details to the FCA three months before using the exemption. You will also have to be able to demonstrate that fraud levels are below the reference rate described below.

Transaction risk analysis (Article 18)

Where the payer initiates a remote electronic payment that the PSP regards as low risk, the PSP can waive the SCA obligations. To qualify for this exemption, though:

  • the transaction must be below a specific value;
  • the PSP’s fraud rate for this type of transaction must be below a specified low level; and
  • the PSP must perform real-time analysis on specified factors to confirm the view that the transaction is not abnormal.

PSPs can avail of this exemption without notifying the FCA, but if the fraud rate exceeds the low threshold they must report immediately to the FCA. If the fraud threshold is exceeded in two consecutive quarters then the PSP must stop availing of the exemption until the fraud rate gets back to, or below, the threshold.

Exemption number nine is unique in that it is aspirational, if you consider that card fraud rates for e-commerce ran at an average of almost 0.16% in the UK. Since these fraud thresholds are out of reach for most firms, it is likely that this exemption will not be fully utilised come September.

Applying the exemptions

PSPs will have to consider carefully when and how exemptions can be used in their business to minimise disruption while still protecting customers and their own business. Compliance teams must work with Ops and Dev teams to make sure the details of the rules are understood and documented in policies and procedures.

If you require any advice or guidance on SCA and how it relates to your business, please do not hesitate to contact me, or any of the team at fscom.

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.
