Navigating compliance with the Regulatory Technical Standards on Strong Customer Authentication (SCA) has proven incredibly challenging, not only given the complexity of the rules and the strong level of coordination needed among multiple stakeholders, but also due to unforeseen circumstances brought about by the COVID-19 pandemic, which heavily impacted the original implementation timeframes. The ‘UK Regulatory Technical Standards for SCA & CSC’ webinar is a deep dive into SCA today. Panellists Michelle Plevey (KPMG Payments Director), Stuart Taylor (KPMG Payments Senior Manager) and Andre Mendes (KPMG Payments Manager) discuss the insights, challenges, and good practices for SCA that they have observed during their work with clients.
Key takeaways
- Achieving SCA-RTS compliance demands significant effort. It involves processing and considering a broad array of rules and regulatory guidance, overlaid with firm-specific nuances related to their digital payment offerings. UK firms need to give consideration not only to regulatory sources released by the FCA but also to widely adopted industry standards.
- Regulatory activity has a positive impact on customer security. Even during disruptive periods amounting to increased digital payment adoption, the rules have led to positive outcomes, notably in the form of a decrease in the pace of growth of fraudulent events for card not present transactions.
- Common challenges observed across firms include defining scope, reliance on third parties, building a structured compliance matrix, and resilience against people/organisational changes across firms. We note, however, that common challenges do not translate into common responses. This is because the approach to compliance with the SCA RTS is largely informed by design choices in respect of in-scope products, digital service channels and selected combinations for two-factor authentication.
- Throughout KPMG’s work with various providers who are subject to the obligations under the RTS, we have observed a number of good practice approaches. These include (but are not limited to) robust compliance traceability with supporting evidence and effective signposting, documenting the rationale behind enforcement of SCA or not across all functionalities mapped, and evidencing customer journeys from both front-end and back-end perspectives.
- Post-Brexit compliance challenges enter a new era. As local regulators and policymakers work to embrace the opportunity to frame a new approach for financial services regulation and oversight domestically, we expect firms operating at a cross-border scale to face challenges in aligning compliance processes and product features with geographic nuances driven by different policy objectives and regulatory expectations.
How can we help?
Our experience within this space is very comprehensive and we work collaboratively with our clients to share our industry insights and good practices. If you would like to discuss how you might implement some of these insights in your firm, discuss other matters related to SCA-RTS compliance and/or how we can support your annual obligations, please don’t hesitate to contact us.