Let’s talk about Strong Customer Authentication: CP21/3


In this blog, Greg James looks at the proposed changes to strong customer authentication (SCA), one of the most contentious regulatory developments introduced by the second Payment Services Directive (PSD2).

The FCA has made a clear effort to alleviate some of the strain on the customer journey, but new guidance inevitably brings new questions. We have broken down the changes into those that will generate the most conversation and those that are simply explicit confirmations of existing guidance.


Conversation-starters!

Dynamic linking

Dynamic linking has been a consistent spectre over the industry, not only because of its technical requirements but because of its effect on e-commerce transactions where the final price is not known at the point of authorisation. Under the dynamic linking requirements, the customer should only be authenticating the exact cost of the transaction; if that amount changes, the payment service provider (PSP) should request reauthentication. This is far from an ideal customer journey, and parts of the market, such as the travel industry, have been pushing back against the requirement.

FCA’s proposal of 20% increase on the approved price

The FCA has proposed to allow an increase of up to 20% on the approved price without further authentication. Although the quoted 20% appears to be an arbitrary number picked from thin air, it is welcome flexibility in the rules.

The caveats of the amendment

This amendment is not without its caveats: businesses are expected to make customers aware that the price can increase, and to obtain the customer's agreement to any reasonable increase of up to 20%. The FCA has not provided guidance on who is responsible for this, but it seems reasonable that this is the merchant acquirer's role and that it may be outsourced to the merchant in question. We are in the process of seeking clarification from the FCA on which entity is responsible for this disclosure and whether it can be outsourced to the merchant.

Corporate exemption

The FCA explicitly confirms that it wishes to accept the EBA's opinion that corporate cards are acceptable under the corporate exemption, provided those cards are only available to corporate customers and not to consumers. This is a sensible approach, but it does raise questions when balanced against a recent determination by the EBA[1] that the corporate exemption applies purely to the payment stage and not to the account information stage. The EBA's decision seems to have misread the market that uses the corporate exemption, as account information and payment initiation would typically be a standard package and are key to the service offering. It raises further questions about the earlier decision on corporate cards: an account balance can be viewed through ATMs and sometimes through online portals, so payment service providers (PSPs) would have to apply controls to stop ATM transactions and remove this functionality.

The FCA's position here is very unlikely to receive market pushback; however, it highlights the recent determination by the EBA, which should receive market pushback. We are encouraging the FCA not to follow the logic applied by the EBA.

Merchant-initiated transaction

The FCA is clarifying that payments initiated solely by the payee rather than the payer are not subject to SCA. In other words, pull transactions are outside the scope of SCA, provided the payer is not required to take action.

However, when the payer needs to take action, or the payment method implies an affirmative action, then SCA should be required – recurring card payments, for instance. The payer will effectively be using the recurring transaction exemption for this payment flow: SCA is applied at the first payment, and subsequent payments will not require further SCA.

Interestingly, this raises the question of whether the FCA would allow, where the price of a recurring payment increases (as in subscription services), continued use of the exemption without further authentication, relying instead on a 20% grace similar to the one suggested for dynamic linking. Strictly speaking, the merchant should reauthenticate in this instance, and the 20% grace proposed for dynamic linking would not apply, as no dynamic linking is involved in the subsequent payments – the PSP would have to rely on another exemption in this case. We are in the process of seeking clarification from the FCA on whether the 20% grace could be applied to a subscription model.

Authentication code

The FCA proposes to affirm the EBA's position that an element can be 'reused' from the log-in stage and reapplied at the payment creation stage – meaning only one further element is requested at the payment stage (discussed further here[2]). It should be noted that the current FCA guidance relates only to payments and is not explicitly extended to exemptions. However, as the FCA states that it agrees with the EBA's reasoning, this should also apply to exemptions: the EBA's rationale is that elements have no time limits or expiration times and can therefore be reused, and that logic carries over to exemptions. We are currently seeking confirmation from the FCA on whether it considers this logic sound and will therefore clarify the guidance.

Confirmations

Liability for fraudulent transactions

A common theme of this consultation is the FCA's explicit acceptance of guidance previously issued by the EBA and the European Commission (EC), rather than newly offered guidance; liability for fraudulent transactions is one example. The FCA has agreed with the EC's position that, where a payee PSP has applied an exemption, the payee PSP is liable in the event of fraud. This confirms industry practice and cements the principle that it is not always the payer's PSP that is accountable, but the PSP that chooses to apply an exemption.

SCA elements

There is still confusion in the market about what constitutes a valid element for the purposes of SCA. The FCA has explicitly accepted the EBA's interpretation of possession and inherence elements. A possession element can only be considered valid if there is a reliable means of confirming possession, in other words a dynamic aspect such as a one-time passcode (OTP). Additionally, the FCA has confirmed the EBA's position that behavioural biometrics would be considered an inherence element. It should be noted that behavioural biometrics are not commonly used in the market, and this aspect will require some fleshing out to determine the level of quality required to be compliant.

Transaction risk analysis

One clarification by the FCA will affect not just SCA but fraud reporting under REP017. The fraud rate calculations required under Article 18 of the RTS relate only to fraudulent remote electronic transactions for which the PSP is liable. REP017, however, requires all types of fraud to be reported, regardless of whether SCA was applied or whether the reporting PSP is liable. This confirms that PSPs should not calculate their Article 18 compliance simply from the REP017 figures, as this will produce false results.


Conclusion

Although many of the changes proposed by the FCA are explicit confirmations of already public guidance, there are nuggets of information, most of which are positive for the market and will help avoid discouraging e-commerce. We have not called for material changes to the guidance; however, the call for clarification is essential if the industry as a whole is to continue developing its SCA controls.
