By Carly Phillips-Jones
On 1 March 2022, the FCA updated its Strong Customer Authentication (SCA) webpage to add further guidance in relation to the SCA reauthentication exemption.
This update follows various changes that were made to the Regulatory Technical Standards on Strong Customer Authentication and Secure Communication (SCA-RTS) detailed in the FCA’s November 2021 policy statement. These changes included the creation of a new exemption under Article 10A of the SCA-RTS which, if adopted by account servicing payment service providers (ASPSPs), means customers will not need to reauthenticate when they access their account information through a third-party provider (TPP). Instead, TPPs will be required to obtain explicit consent from customers at least every 90 days.
The policy statement confirms that SCA will continue to be required when customers first decide to connect their account to a TPP service. This is to ensure that the person who is authorising the TPP to access the account on their behalf is the legitimate account holder. A single reconfirmation of consent may apply to more than one of the customer’s accounts, provided it is clear that consent is given for multiple accounts and these are specifically identified. If a customer links several accounts to the TPP at different times, it will be for the TPP to consider whether to synchronise the reconfirmation of consents across all of the customer’s accounts.
The FCA has strongly encouraged ASPSPs to apply the exemption as soon as possible after the changes to the SCA-RTS have come into effect on 26 March 2022, with a view to the widespread adoption of the exemption by 30 September 2022. It considers that implementing this change will help balance the protection of consumers from unauthorised access to their accounts with the removal of barriers to the continued growth of open banking and the promotion of competition and innovation in the sector.
The FCA has confirmed that it expects TPPs to be technically ready to reconfirm customer consent under Article 36(6) of the SCA-RTS as soon as possible after 26 March 2022. However, until 30 September 2022 it will not object if TPPs do not reconfirm customer consent, provided that SCA is applied at least every 90 days during that period.