The Financial Conduct Authority this week agreed an 18 month "implementation plan" for Strong Customer Authentication (also known as "two-factor authentication").

The plan effectively introduces an 18 month grace period on enforcement, allowing the payments, retail and e-commerce industry more time to prepare for the changes in online payment security, which have proved controversial since their announcement.

The plan echoes the recent opinion of the European Banking Authority, which highlighted the need for more time due to the complexity of the validation requirements, lack of preparation in the market and risk of disruption to consumers (with an inevitable risk of impacting sales).

What does the implementation period mean for retailers?

The two-factor authentication requirements will still become mandatory from 14 September 2019 onwards.

However, the FCA has stated that it will not take any enforcement actions if retailers fail to meet the relevant requirements, provided the retailer can demonstrate that they are "taking steps" to comply with the requirements.

All companies will be expected to be fully compliant with the two-factor authentication requirements by the end of the 18 month implementation period (ie 14 March 2021).

What is "two-factor authentication"?

Where two-factor authentication is required, retailers must use at least two out of the following three verification methods, before the transaction is processed:

  • something a customer knows (eg PIN or a password);
  • something a customer has (eg a bank card or mobile phone); or
  • something a customer is (eg a biometric, such as a fingerprint or facial recognition).

If a transaction requiring two-factor verification is placed without it, banks must decline the transaction.

When must "two-factor authentication" be used?

Two-factor authentication will not apply to all sales, but must be used in each of the following circumstances in relation to payments in the EU:

  • all customer-initiated online payments in the EU above the value of €30; and
  • where a customer makes more than five consecutive payments under €30 or which total over €100.

Two-factor authentication will not be required where a customer sets up any recurring direct debits or fixed amount subscriptions, as these are merchant-initiated and identification is verified on set-up.

What will happen next?

Even though the FCA's pragmatic approach will be welcomed by retailers and the wider payments industry, they should still continue to prepare to be compliant with the two-factor authentication requirements.

The FCA will undoubtedly be rigorous in their testing after the 18 month grace period, and will expect companies to be fully compliant by March 2021, given the extended timeframe for implementation.

The FCA is also reviewing how the scheme is planned to work, so it remains to be seen whether further changes will be made prior to 2021.