The SCA effective date deadline of Sept 14th is now clearly visible on the horizon. Most forward-thinking stakeholders are now actively implementing their SCA plans. Central to this process is developing a strategy to take advantage of the applicable SCA exemptions. This article takes a closer look at the SCA exemption for corporate payments (SCA-RTS Article 17). In particular, we provide an interpretation of the rules and explain what steps to take to apply for the exemption. We mainly reference the guidance provided by the FCA, the competent authority in the UK. The key takeaway is an implied deadline of 13th June 2019. Read on to find out more.
FCA Approach Document
Back in December, the FCA published an important policy statement (PS18/24) entitled: “Approach to final Regulatory Technical Standards and EBA guidelines under the revised Payment Services Directive (PSD2)”. The approach document “confirms the revised Payment Services and Electronic Money Approach Document”. This revised Approach document - available here - is important because, in our view, it is the most comprehensive SCA rules guidance provided by a European national competent authority (NCA).
The main SCA updates appear in Chapter 20 on Authentication. It covers guidance in all areas of SCA and is broadly aligned with the EBA's view.
Focusing on corporate payments, as you may know, the RTS text effectively leaves it up to individual NCAs to decide whether the processes or protocols of a corporate payment service guarantee at least equivalent levels of security to those provided by SCA. In other words, in order to apply the Article 17 exemption, PSPs need to show that they have security in place that is equivalent to SCA.
RTS on SCA - Article 17 - Secure corporate payment processes and protocols: “Payment service providers shall be allowed not to apply strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers, where the competent authorities are satisfied that those processes or protocols guarantee at least equivalent levels of security to those provided for by Directive (EU) 2015/2366.”
Accordingly, the FCA provides guidance on this topic in the Approach Document in Chapter 20 under “Secure corporate payment process and protocols (SCA-RTS Article 17)” from paragraphs 20.57 to 20.63. The FCA describes both the scope and process of applying for the Article 17 exemption.
- Para.20.59: “It is also our view that, for example, the use of proprietary automated host-to-host (machine-to-machine) restricted networks, lodged or virtual corporate cards, such as those used within access-controlled corporate travel management or corporate purchasing system, would potentially be within the scope of this exemption.”
- Para.20.60: “In our view, the use of physical corporate cards issued to employees for business expenditure in circumstances where a secure dedicated payment process and protocol is not used (e.g. where online purchases are made via a public website) would not fall within the scope of this exemption.”
- Para.20.61: “Regulation 98 of the PSRs 2017 requires a PSP to provide us with regular, updated and comprehensive assessments of the operational and security risks relating to the payment services it provides and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks (see Chapter 18 – Operational and security risks). PSPs not applying strong customer authentication under SCA-RTS Article 17 must ensure the processes and protocols not subject to strong customer authentication are specifically included in this assessment. This should incorporate a brief description of the payment service, an assessment of the levels of security achieved and a statement by the PSP that those levels of security are equivalent to those provided for by PSD2. Firms intending to operate under this exemption must provide us with this information by including it in an assessment submitted at least 3 months before relying on the exemption. See Chapter 13 – Reporting and notifications for more detail.”
- Para.20.63: “Where a PSP chooses to apply this exemption, one option would be to obtain an annual independent audit of the dedicated payment processes or protocols which demonstrates PSD2-equivalent levels of security, and an annual certified record of the associated fraud rates.”
So in summary, whilst there is no formal application process, PSPs need to provide the FCA with a risk assessment and mitigation measures specifically for the corporate payment services to be exempted. This assessment is to be included in the “Operational and Security Risk reporting form”, which needs to be submitted annually.
However, this corporate payment risk assessment needs to be provided at least 3 months before the exemption can be applied. The FCA says "PSPs relying on this exemption must submit the required information in this report at least 3 months in advance of the date of the intended use of the exemption". Hence, there is an implied deadline of 13th June 2019 for PSPs to submit the assessment in order to be able to apply the exemption from 14th Sept onwards (the SCA effective date).
Chapter 13 of the Approach Document provides further guidance on "Reporting and notifications", and the report in question is "REP018 - Operational and Security Risk reporting form". In terms of what needs to be included in the report, the guidance given by the FCA refers to content in the FCA official handbook, which in turn refers on to the EBA document "Guidelines on the security measures for operational and security risks under PSD2".
The EBA guidelines are detailed, but at a high level they outline the following risk assessment steps PSPs should take:
- Identify and create an inventory of business functions, key roles and processes related to operational and security risks and map out their interdependencies. This should include an inventory of IT systems and their interconnections with other internal and external systems.
- Classify the identified business functions, supporting processes and information assets in terms of criticality.
- Implement preventive security measures - particularly in terms of access control.
- Implement monitoring, detection and incident reporting criteria, thresholds, policies and processes.
- Continuously update the above and provide written reports to competent authorities.
Note: this is broadly comparable to the exercise required under GDPR compliance, where organisations need to map their data and information flows in order to assess their privacy risks - see EDC article on GDPR here.
Edgar, Dunn & Company can assist PSPs in completing the necessary risk assessment steps and submitting a compliant report to the FCA or their competent authority. Please do get in touch to discuss your situation.
Julia Callejo, an EDC Business Analyst based in the London office, provided additional research and analysis for this article.
The content of this article does not reflect the official opinion of Edgar, Dunn & Company. The information and views expressed in this publication belong solely to the author(s).