Online banking

FCA updates guidance on SCA reauthentication exemption for online banking

On March 1, 2022, the FCA updated its SCA webpage to add additional guidance regarding the Strong Customer Authentication (SCA) re-authentication exemption.

This update follows various changes to the Regulatory Technical Standards for Strong Customer Authentication and Secure Communication (SCA-RTS) detailed in the FCA’s November 2021 Policy Statement. a new exemption under Section 10A of the SCA-RTS which, if adopted by Account Servicing Payment Service Providers (ASPSPs), means that customers will not need to re-authenticate when they access their account information through a third-party provider (TPP). Instead, TPPs will be required to obtain explicit consent from customers at least every 90 days.

The policy statement confirms that SCA will continue to be required when customers first decide to connect their account to a TPP service. This ensures that the person authorizing the TPP to access the account on their behalf is the legitimate account holder. A single reconfirmation of consent may apply to multiple Customer Accounts, provided that it is clear that consent is being given for multiple Accounts and that these are specifically identified. If a customer associates multiple accounts with the TPP at different times, it will be the responsibility of the TPP to consider whether to synchronize the reconfirmation of consents across all of the customer’s accounts.

The AMF strongly encouraged ASPSPs to apply the exemption as soon as possible after the entry into force of the amendments to the SCA-RTS on March 26, 2022, with a view to generalizing the exemption by September 30, 2022. She believes that implementing this change will help balance protecting consumers from unauthorized access to their accounts with removing barriers to the continued growth of open banking and promoting competition and innovation. in the area.

The FCA has confirmed that it expects TPPs to be technically ready to reconfirm customer consent under Article 36(6) of the SCA-RTS as soon as possible after 26 March 2022. However, until September 30, 2022, it will not object if the TPPs do not. reconfirm customer consent, provided that SCA is applied at least every 90 days during this period.


Source link