Strong Customer Authentication RTS - FAQs
- Posted on: 30 April 2019
Regulation 100 of the Payment Services Regulations 2017 comes into effect on 14 September 2019, requiring all Payment Service Providers operating remotely to issue payment instruments to authenticate instructions. This will affect all account servicing and payment service providers and anyone else involved in managing remote electronic payments.
Here are answers to some of the common questions we are asked. You might also like to view our webinar which will help you understand the requirements of the Regulatory Technical Standards for Strong Customer Authentication: translates the requirements; explains who is affected and how; and the actions that need to be taken to remain compliant.
We are an Electronic Money Institution – does the RTS apply to us?
The RTS applies to all Payment Services Providers. If your customers can give payment instructions remotely (by phone, fax, e-mail, text, online etc.) you are required to apply strong customer authentication, unless one of the exemptions applies. If your customers can view their payment accounts online then they must be able to do so through an Account Information Service Provider (AISP). If they can give payment instructions online then they must be able to do so through a Payment Initiation Service Provider (PISP).
We already use a 'one time password' to authenticate instructions. Will this be enough?
It depends. If the password authenticates the amount and the beneficiary as well as the customer's identity, it will be fine. If it authenticates only the customer, you will need to update your system.
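An added example, not part of the original FAQ, showing what "authenticating the amount and beneficiary" means in practice: a one-time code derived from a shared key alone is valid for any payment, whereas a code that mixes the amount, payee and a per-transaction challenge into the MAC fails verification if either detail is altered. The key, challenge and IBAN-style payee strings are constructed test values.

```python
import hashlib
import hmac


def truncate_to_digits(mac: bytes, digits: int = 8) -> str:
    """HOTP-style dynamic truncation (RFC 4226) of a MAC to a decimal code."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def plain_otp(key: bytes, challenge: bytes) -> str:
    """Code that proves only 'who': nothing about the payment is bound in."""
    return truncate_to_digits(hmac.new(key, challenge, hashlib.sha256).digest())


def linked_code(key: bytes, amount_minor: int, payee: str, challenge: bytes) -> str:
    """Code dynamically linked to the transaction: amount (in minor units),
    payee identifier and a fresh challenge are all inputs to the MAC."""
    message = f"{amount_minor}|{payee}|{challenge.hex()}".encode()
    return truncate_to_digits(hmac.new(key, message, hashlib.sha256).digest())


def verify_linked(key: bytes, amount_minor: int, payee: str,
                  challenge: bytes, presented: str) -> bool:
    """Recompute the code from the details the PSP is about to execute, so a
    code issued for one payment cannot authorise a different one."""
    expected = linked_code(key, amount_minor, payee, challenge)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    key = bytes(32)                      # constructed shared secret
    challenge = bytes(range(16))         # constructed per-transaction nonce
    payee = "GB00TEST00000000000001"      # constructed payee identifier
    code = linked_code(key, 10_000, payee, challenge)
    print("genuine payment accepted:", verify_linked(key, 10_000, payee, challenge, code))
    print("payee swapped, rejected:", not verify_linked(key, 10_000, "GB00TEST00000000000002", challenge, code))
    print("plain OTP is the same for any payee:",
          plain_otp(key, challenge) == plain_otp(key, challenge))
```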
We are a small firm, and our customers contact us by phone. Our staff recognise the voices of the customers. Will this be enough?
I'm afraid not. While voice recognition could be classed as something the customer is (inherence), it is not proof in itself, and in any case one of the other elements, possession or knowledge, would also be needed. It may be possible to use one of the exemptions, and we recommend you take professional advice in this regard.
Can we get a waiver from the FCA?
No. The Payment Services Regulations do not give the FCA any waiver powers.
While we offer online banking, the process once a payment instruction has been received is a manual one, and payments are only made during office hours. Do we need to change this?
No, the requirement is only to offer customers the same service through an AISP or PISP that they would get accessing their account directly with you.
Will introducing strong customer authentication mean any change in my permissions?
If you are a payment institution and you don't have the "issuing payment instruments" permission, you will probably need to add it. We would be happy to provide advice; please do get in touch.
What is the impact of not complying?
The FCA has the power to impose fines, publicly censure or, in extreme cases, cancel the authorisation of a firm. The officers of the firm could also be held personally responsible and fined.
The Payment Services Regulations also say that if the payer’s Payment Services Provider does not use strong customer authentication as required, the customer cannot be held liable for an unauthorised transaction unless they acted fraudulently.