Strong Customer Authentication: 18 months on

Strong Customer Authentication (SCA) is a set of rules that changed how a consumer confirms their identity when making purchases online. This could mean their bank or provider using one of a number of tools to verify a purchase or mobile banking login, such as a passcode sent by text message, a phone call to a landline, a card reader or an app on a smartphone.

SCA was fully introduced on 14 March 2022 to help further reduce fraud. With an increasing number of purchases being made online, these rules provide the extra protections necessary to ensure that customers are safe when purchasing online and their money is better protected. For that reason, the implementation of SCA for e-commerce transactions was critical, as it represented a key tool in the industry's fight against fraud.


Since the first draft of the European Banking Authority’s (EBA) Regulatory Technical Standards (RTS) on SCA was published in February 2017, UK Finance has led and supported several discussions to clarify how the rules should operate in practice, including managing an industry-wide implementation programme in collaboration with KPMG. KPMG had this to say:

“The KPMG Payments team working with UK Finance members and wider industry to embed changes to the e-commerce payments ecosystem was a significant undertaking and one that the whole industry came together to make a success.”

This was a great example of industry experts from the banking and retail sectors pulling together and making SCA a success. A useful illustration is that in 2019 some user groups predicted a decline in successful completion of e-commerce transactions in the region of 20-25 per cent as a direct result of these new rules. The reality, as at the implementation date, was that the figure was just 0.5 per cent of transactions requiring resubmission. One year on, this number has reduced further still due to the industry collaboration.

Optimising user experience

To improve consumer experience, the first generation of 3D Secure, known as 3DS1, was decommissioned by the card schemes on 14 October 2022. The newer version, 3DS2, unlocks greater potential, offers consumers a choice of authentication options, further enables exemptions and is optimised for mobile devices. Global Payments had this to say:

“Global Payments welcomes the introduction of EMV 3DS into the market. The latest iteration of 3DS brings significant enhancements in the acceptance experience for cardholders, and a greater level of transparency to combat fraud, while at the same time allowing more transactions to be completed successfully without the friction of additional passwords.”

Payments are key to our e-commerce economy, with over 50 per cent of online purchases spent on groceries, clothing and other household items across the UK. Our recent Annual Fraud Report confirmed that consumers value choice in the way they access goods and services. More notably, the report highlights that remote purchase fraud has declined to its lowest levels since 2015, a direct result of these rules.

Looking ahead

Since the implementation of SCA, the regulatory landscape for payments has continued to evolve. Earlier this year UK Finance responded to HM Treasury’s review and call for evidence on the Payment Services Regulations 2017. Our response calls for a natural evolution of the regulation to take stock of current and future needs, including requirements for Open Banking and Cryptoassets.

At EU level, we are starting to see PSD3 and the EU's Payment Services Regulation taking shape, and there are similarities with the UK. For example, both jurisdictions are proposing to merge regulatory requirements for payment services and electronic money services, and both continue to explore ways to further enhance Open Banking and a framework for Open Finance.

While not by design, these similarities ensure that the UK maintains its position as a leader in the global financial market and provides the conditions for continued market access.