Strong Customer Authentication

You may be familiar with PSD2 – Strong Customer Authentication (SCA) is a new requirement of PSD2.

Freemarket already uses Strong Customer Authentication on the platform, however, as of 14th September, this will be required to add beneficiaries, conduct exchanges and make withdrawals.

All online payments in the EU will require Strong Customer Authentication (SCA). The new requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. The new rules are designed to protect businesses and consumers from fraudulent activity.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a new European regulatory requirement, designed to make paying online more secure, and consequently, reduce payment fraud.

Once SCA is in place, you will need to build additional authentication into your workflow. When a European shopper makes a payment, extra levels of authentication will be required at the time of the transaction.

SCA requires authentication to use at least two of the following three elements:

  • Something the customer knows – (e.g., password or PIN)
  • Something the customer has – (e.g., phone or hardware token)
  • Something the customer is – (e.g., fingerprint or face recognition)

Commencing 14th September 2019, multi-factor authentication will be in place, to increase the security of electronic payments. Banks will decline payments that require SCA and don’t meet this criteria. (If you would like to read the original SCA requirements, they are set out in the Regulatory Technical Standards or RTS.) 

When is Strong Customer Authentication applied?

SCA will apply to “customer-initiated” online payments within Europe. As a result, most card payments and all bank transfers will require SCA.

Recurring direct debits, on the other hand, are considered “merchant-initiated” and will not require strong authentication. With the exception of contactless payments, in-person card payments are also not impacted by the new regulation.

For online card payments, these requirements will apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA). (We expect SCA regulation to be enforced in the UK, regardless of the outcome of Brexit.)

Freemarket and Strong Customer Authentication

At Freemarket, we want you to feel safe and secure. As a customer, you will already be familiar with SCA when logging into your account. When SCA is required, Freemarket will send you a code to your registered email address or mobile number to be entered as you login to the application.

Important! Please ensure your credentials are up to date.

Please login to your account and ensure your personal information is correct and up-to-date. Not sure where to find this? See our screenshot below.

SCA for Transactions

SCA will be required when you ‘Create an Exchange with Withdrawal’ or simply a ‘Withdrawal’ transaction.

Once all details have been provided, you will be asked to enter an authentication code. The SCA service will be triggered, and you will receive an email or text with the code – the contents of the message will contain your transaction details and your authentication code to be entered. Once the provided code has been entered and verified, your transaction will be created.

SCA for Sell Exchanges

SCA requires the payment user to provide authentication for an exact amount.

For ‘Sell Exchanges’, Freemarket will request users to authenticate an amount 2% greater than the estimated target value, to ensure the withdrawal funds can proceed without further action or intervention.

Should there be a significant shift in rate and the target value exceeds the authenticated amount, the withdrawal, associated with the exchange will be cancelled. Users will be notified by email and asked to create a new withdrawal, furthermore, you will need to provide authentication for the value of the withdrawal.

What is exempt from Strong Customer Authentication?

The intent of PSD2 is to make SCA a mandatory requirement for ALL online transactions, however, under this new regulation not all transactions will require additional authentication. Specific types of payments may be exempt from SCA, see below for more details:

  • Low-value payments – Transactions that fall under €30 are considered low value and will generally exempt from SCA. However, if the user initiates more than five consecutive low value payments or if the total payments value exceed €100, SCA will be required.
  • API users – If you’re a user via our API service i.e. a corporate entity using our API service to create and transactions, these transactions are exempt from SCA.
  • White Listed Beneficiaries – You have the option to white list a beneficiary, this can either be an existing beneficiary or a new beneficiary – SCA is applied when whitelisting a beneficiary, however, transactions for these beneficiaries is not required.

Working with SCA

The Authentication code will be sent to your registered mobile number or email address. If we do not hold your mobile number, your email address will be used by default.

If you are experiencing difficulty receiving the code, you can request for a code to be resent and you can also opt to use a different delivery mechanism.

Three things that affect your Freemarket account

  • Please ensure that the phone number linked to your account is valid, as the preferred way of 2FA is via SMS.
  • Every transaction where a withdrawal takes place (exchange with chained withdrawal or withdrawal itself) will need confirmation using a different channel than where the payment is created, (i.e. sms or email) unless the beneficiary is authorised (trusted/whitelisted).
  • All existing beneficiaries on your account are not authorised, all new beneficiaries going forward will be created as authorised – requiring authentication only for the authorisation (whitelisting).