For the last few months, as in previous years at this time of year, we have been heavily involved in a number of exercises focussed on reviewing firms’ compliance with the Technical Standards for Strong Customer Authentication and Common and Secure Open Standards of Communication (SCA-RTS).
This work has covered both the security measures ‘audit’ requirements and, for those firms using the Transaction Risk Analysis (TRA) Article 18 exemption, ‘audits’ of their methodology, model and reported fraud rates linked to the use of this exemption.
The Financial Conduct Authority (FCA) does not define the meaning of ‘audit’, which gives firms an element of choice over the standard to which these ‘audits’ are carried out.
In our experience to date, firms often refer to the requirement for an ‘audit’ without fully appreciating the options available.