top of page

Implementation of Strong Customer Authentication

After more than a year’s deferral, the Financial Conduct Authority’s extension to the deadline for Strong Customer Authentication (SCA) is just around the corner on 14 March 2022. SCA is a requirement of the second Payment Services Directive (PSD2).

Strong Customer Authentication is designed to “enhance the security of payments and limit fraud during the authentication process”. The rules apply to firms that are subject to the Payment Services Regulations 2017, when a payer initiates an electronic payment transaction, accesses their payment account online, or carries out any action that may imply a risk of payment fraud, unless an exemption applies.

The initial deadline of March 2021 was extended to September 2021 in light of the pandemic. The September 2021 deadline was extended by the FCA for card-based e-commerce transactions in acknowledgement of the ongoing challenges and given serious concern about the readiness of the industry.

In short, the new rules mean that a retailer will need to verify the customer’s identity before they can accept an electronic payment. For customers, this will mean that for some higher value or unusual purchases, they will need to provide a one-time passcode or log into their banking app to approve the transaction.

Funeral Plan Providers: New FCA Regulations



AML and Financial Crime Training Course


In particular, firms will need to develop several authentication methods, taking into account their customer base, and given that some customers will not, for example, have access to a mobile phone on which to receive a code.

In customer authentication, there are three main categories of authentication, the inherence factor (something the user is, e.g. biometrics), the knowledge factor (something the user knows, e.g. a password) and possession factor (something the user has, e.g. a code).

Guidance from the Information Commissioner’s Office has paved the way for firms to be able to use behavioural biometric information to aid SCA, confirming that customer consent is not necessarily required to use behavioural biometrics as an inherence factor.

Some types of payments are out-of-scope, including mail or telephone order payments or merchant-initiated transactions, such as direct debit payments. In 2018, the EBA confirmed that SCA is not required for electronic (paperless) Direct Debit mandates, as long as the customer’s bank or payment service provider is not directly involved.

There are some exemptions, allowing payment service providers to choose not to apply SCA including:

  • Contactless payments under £45

    • Where a combination of multiple payments totals less than £130 since SCA was last applied

    • Where there have been fewer than five contactless transactions since SCA was last applied

  • Where the amount of any remote payment is under £25

    • Where a combination of multiple payments totals less than £85 since SCA was last applied

    • Where there have been fewer than five contactless transactions since SCA was last applied

Where fixed recurring transactions and subscriptions occur, and are purchased with a payer-initiated method (e.g. standing orders), then only the first payment will be subject to SCA. SCA must be used whenever the amount changes, or any other amendment is made.

Where an electronic payment represents a low risk, the PSPs can choose not to apply SCA. This means that firms using this exemption must have a good reason for assessing the transaction as low risk. Instances where a transaction would be considered to be low risk include where the fraud rate for that type of transaction is low, where the amount of the transaction does not exceed the Exemption Threshold Value, or where a real-time risk analysis does not identify abnormal spending, unusual information about the payer’s device or software access, malware infection, abnormal payer location, or high-risk location of the payee.

Ensuring the security of payments and controlling fraud in payments is in the best interests of customers and firms alike. Fines issued by the FCA in 2021 for anti-money laundering cases have increased dramatically, with several large-scale cases making up the majority of those fines, including over £260m from NatWest for failing to monitor deposits of a commercial customer, £147m from Credit Suisse for due diligence failings in relation to loans of over £1bn, and £642,000 from Sunrise Brokers for failing to identify risks. This trend is likely to continue in 2022, with Mark Steward of the FCA confirming in April 2021 that the FCA had 42 open investigations into weaknesses in AML systems and controls.

Our online AML and Financial Crime training course takes learners through the basics of Anti-Money Laundering and Financial Crime, covering types of crimes, responsibilities, legislation, fraud and AML expectations, due diligence, reporting and recording. Each online course, priced at just £15, is accessible at the delegate’s convenience, and provides a certificate upon successful completion, allowing firms to track and record each user’s progress.

For large groups, we can offer a simplified enrolment service and pricing, simply email


Conduct Rules Training.png
Corporate Compliance Training

Our online compliance training platform is specially designed for firms looking to book a number of learners on our courses

Stacked Books
Compliance Resources

Our online compliance resources provide all the information you need to know in relation to compliance hot topics.

bottom of page