SCA_REQUIRED: Access denied without multi-factor authentication
Tags: banking, auth_error (ai_generated: true)

AI tells a UK fintech to integrate with a bank's API without implementing Strong Customer Authentication (SCA), assuming PSD2 exemption applies

ID: banking/uk-open-banking-psd2-strong-customer-auth

Fix rate: 90%
Confidence: 89%
Evidence: 1
First seen: 2024-05-12

Version Compatibility

Version                      | Status | Introduced | Deprecated | Notes
PSD2 Directive 2015/2366     | active |            |            |
FCA Handbook 2024            | active |            |            |
Open Banking Standard 3.1.10 | active |            |            |

Root Cause

PSD2 mandates Strong Customer Authentication (SCA) for all electronic payments and access to payment accounts unless a specific exemption (e.g., low-value, recurring) applies; UK FCA enforces this strictly.


Official Documentation

https://www.fca.org.uk/firms/strong-customer-authentication

Workarounds

  1. [95% success] Integrate with the bank's SCA flow: redirect the user to the bank's authentication page (e.g., via Open Banking redirect URL) and capture the authorization code after SCA is completed.
  2. [90% success] Use a third-party SCA provider (e.g., Stripe, Adyen) that handles SCA compliance via 3D Secure 2.0 for card payments.
  3. [85% success] For recurring payments, implement a 'first payment with SCA, subsequent payments with token' model using the bank's consent API.


Dead Ends

Common approaches that don't work:

  1. [85% fail] Exemptions are per-transaction and cumulative; if the total exceeds €30 or 5 transactions, SCA is required. Many UK banks reject non-SCA payments.
  2. [95% fail] SCA requires at least two of three factors: knowledge (password), possession (phone/token), inherence (biometric). A password alone is insufficient.
  3. [80% fail] Recurring payments require SCA every 90 days or when the payment amount changes; skipping it leads to rejection.
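The following is an added example, not code from this entry or from any bank's SDK. It models Workaround 1 (hand the user to the bank's SCA page and validate the redirect back), Workaround 3 (one SCA at consent setup, later payments on the token) and the re-authentication and exemption rules from Dead Ends 1 and 3. The authorize endpoint, client id, redirect URI and the `consent_id` query parameter are hypothetical placeholders; a real integration takes them from the bank's OpenID configuration and developer registration. The €30 per-transaction and 5-transaction figures are the ones in this entry; the €100 cumulative figure is the RTS Article 16 value and is exposed as a parameter so it can be set from the regulation rather than hard-coded.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical placeholders (assumption): a real TPP reads these from the
# bank's well-known OpenID configuration and its registered client record.
AUTHORIZE_ENDPOINT = "https://bank.example/authorize"
CLIENT_ID = "tpp-client-id-placeholder"
REDIRECT_URI = "https://fintech.example/callback"
REAUTH_INTERVAL = timedelta(days=90)  # Dead End 3: SCA again after 90 days


def _b64url(raw: bytes) -> str:
    """Unpadded base64url, as used for state, nonce and PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_authorization_request(consent_id: str) -> tuple[str, dict]:
    """Workaround 1, step one: build the redirect that sends the user to the
    bank's own SCA page.  Returns the URL plus the per-request secrets the
    TPP must keep server-side and compare against on the callback."""
    state = _b64url(secrets.token_bytes(16))
    nonce = _b64url(secrets.token_bytes(16))
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid payments",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "consent_id": consent_id,  # hypothetical binding of the consent (assumption)
    }
    pending = {"state": state, "nonce": nonce, "code_verifier": verifier,
               "consent_id": consent_id}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", pending


def handle_callback(callback_url: str, pending: dict) -> str:
    """Workaround 1, step two: validate the bank's redirect back.  A missing
    or mismatched state means the callback is not bound to our request
    (CSRF / session fixation); an error response means SCA was not
    completed and no payment may proceed.  Returns the authorization code
    for the PKCE token exchange."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != pending["state"]:
        raise ValueError("state mismatch: callback not bound to our request")
    if "error" in q:
        raise PermissionError(f"SCA not completed: {q['error'][0]}")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


@dataclass
class RecurringConsent:
    """Workaround 3: SCA once at setup; later payments ride on the token
    until the bank's re-authentication conditions are hit."""
    amount: float
    sca_completed_at: datetime
    token: str

    def needs_sca(self, next_amount: float, now: datetime) -> bool:
        # Dead End 3: re-authenticate after 90 days or when the amount changes.
        expired = now - self.sca_completed_at >= REAUTH_INTERVAL
        return expired or next_amount != self.amount


def low_value_exemption_applies(amount_eur: float, since_last_sca: list[float],
                                per_txn_limit: float = 30.0,
                                cumulative_limit: float = 100.0,
                                max_count: int = 5) -> bool:
    """Dead End 1: the low-value exemption is per-transaction AND cumulative.
    `since_last_sca` holds the amounts of the non-SCA payments made since
    the customer last authenticated; the exemption fails on any of the
    three limits, and the caller must then run the SCA flow."""
    if amount_eur > per_txn_limit:
        return False
    if sum(since_last_sca) + amount_eur > cumulative_limit:
        return False
    if len(since_last_sca) + 1 > max_count:
        return False
    return True
```

In practice `pending` is stored against the user's session before the redirect, looked up by the returned `state`, and deleted after one use so a replayed callback fails; the `code_verifier` then goes to the token endpoint together with the code, and the consent's `sca_completed_at` is set only after that exchange succeeds.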