# AI tells a UK fintech to integrate with a bank's API without implementing Strong Customer Authentication (SCA), assuming PSD2 exemption applies

- **ID:** `banking/uk-open-banking-psd2-strong-customer-auth`
- **Domain:** banking
- **Category:** auth_error
- **Error Code:** `SCA_REQUIRED: Access denied without multi-factor authentication`
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

PSD2 mandates Strong Customer Authentication (SCA) for all electronic payments and access to payment accounts unless a specific exemption (e.g., low-value, recurring) applies; UK FCA enforces this strictly.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| PSD2 Directive 2015/2366 | active | — | — |
| FCA Handbook 2024 | active | — | — |
| Open Banking Standard 3.1.10 | active | — | — |

## Workarounds

1. **Integrate with the bank's SCA flow: redirect the user to the bank's authentication page (e.g., via Open Banking redirect URL) and capture the authorization code after SCA is completed.** (95% success)
2. **Use a third-party SCA provider (e.g., Stripe, Adyen) that handles SCA compliance via 3D Secure 2.0 for card payments.** (90% success)
3. **For recurring payments, implement a 'first payment with SCA, subsequent payments with token' model using the bank's consent API.** (85% success)

## Dead Ends

- Exemptions are per-transaction and cumulative; if the running total exceeds €30 or 5 transactions since the last SCA, SCA is required. Many UK banks reject non-SCA payments. (85% fail)
- SCA requires at least two of three factors: knowledge (password), possession (phone/token), inherence (biometric). A password alone is insufficient. (95% fail)
- Recurring payments require SCA every 90 days or when the payment amount changes; skipping it leads to rejection. (80% fail)
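
The following is an added example, not code from this entry or from any bank or Open Banking library. It covers workaround 1 and the dead ends above in one place: `sca_required()` decides, failing closed, whether a payment may use the low-value exemption or must go to SCA, using the thresholds this entry states (per-transaction and cumulative €30, 5 transactions, 90-day re-authentication for recurring payments, amount change); `build_authorization_redirect()` builds the redirect to the bank's authentication page as an OAuth 2.0 authorization code request with PKCE, and `validate_callback()` checks the redirect back. The threshold constants are taken from this entry and must be replaced by the bank's published limits; the endpoint, client ID, redirect URI and scope values in `demo()` are placeholders; the UK standard additionally binds the consent to the request via a signed request object, which is omitted here.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal
from urllib.parse import urlencode

# Thresholds as this entry states them. Defaults only: the bank (ASPSP) keeps
# its own counters and may refuse the exemption regardless.
LOW_VALUE_SINGLE_LIMIT = Decimal("30")
LOW_VALUE_CUMULATIVE_LIMIT = Decimal("30")
LOW_VALUE_MAX_COUNT = 5
RECURRING_REAUTH_DAYS = 90


@dataclass
class ExemptionState:
    """Per-payer counters kept since the last completed SCA."""
    last_sca_at: datetime | None = None
    cumulative_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0
    recurring_amount: Decimal | None = None  # amount authorised at the last SCA


def fresh_state_after_sca(amount, now: datetime | None = None) -> ExemptionState:
    """State right after a payment that went through SCA: counters reset."""
    return ExemptionState(last_sca_at=now or datetime.now(timezone.utc),
                          recurring_amount=Decimal(str(amount)))


def sca_required(amount, state: ExemptionState, *, recurring: bool = False,
                 now: datetime | None = None) -> tuple[bool, str]:
    """Decide whether this payment needs SCA. Fails closed: unclear -> SCA."""
    amount = Decimal(str(amount))
    now = now or datetime.now(timezone.utc)
    if state.last_sca_at is None:
        return True, "no prior SCA for this payer"
    if recurring:
        if now - state.last_sca_at > timedelta(days=RECURRING_REAUTH_DAYS):
            return True, "recurring: more than 90 days since last SCA"
        if amount != state.recurring_amount:
            return True, "recurring: amount differs from the authorised amount"
        return False, "recurring: within 90 days, amount unchanged"
    # Low-value exemption: single, cumulative and count limits must all hold.
    if amount > LOW_VALUE_SINGLE_LIMIT:
        return True, "amount above low-value limit"
    if state.cumulative_since_sca + amount > LOW_VALUE_CUMULATIVE_LIMIT:
        return True, "cumulative total since last SCA would exceed limit"
    if state.count_since_sca >= LOW_VALUE_MAX_COUNT:
        return True, "transaction count since last SCA would exceed limit"
    return False, "low-value exemption applies"


def record_exempt_payment(state: ExemptionState, amount) -> ExemptionState:
    """Advance the counters after a payment that used the exemption."""
    state.cumulative_since_sca += Decimal(str(amount))
    state.count_since_sca += 1
    return state


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a PKCE code_verifier (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_redirect(auth_endpoint: str, client_id: str,
                                 redirect_uri: str, scope: str) -> tuple[str, dict]:
    """Redirect URL for the bank's SCA page, plus the per-session values the
    fintech must persist and check when the bank redirects back with ?code=."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "nonce": nonce, "code_challenge": pkce_challenge(verifier),
              "code_challenge_method": "S256"}
    return f"{auth_endpoint}?{urlencode(params)}", {
        "state": state, "nonce": nonce, "code_verifier": verifier}


def validate_callback(expected_state: str, callback_params: dict) -> str:
    """Check the redirect back: state must match and a code must be present."""
    if not secrets.compare_digest(expected_state, callback_params.get("state", "")):
        raise ValueError("state mismatch on redirect")
    if "error" in callback_params:
        raise ValueError(f"bank refused authorisation: {callback_params['error']}")
    code = callback_params.get("code")
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def demo() -> list[tuple[bool, str]]:
    """Constructed scenarios covering the dead ends listed in this entry."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    state = fresh_state_after_sca("10.00", now=t0)
    results = [sca_required("10.00", state, now=t0)]                   # exempt
    record_exempt_payment(state, "10.00")
    results.append(sca_required("25.00", state, now=t0))               # total > 30
    for _ in range(4):                                                 # 5 exempt so far
        record_exempt_payment(state, "1.00")
    results.append(sca_required("1.00", state, now=t0))                # 6th: count limit
    for days, amt in ((89, "10.00"), (91, "10.00"), (10, "12.00")):    # recurring rules
        results.append(sca_required(amt, state, recurring=True,
                                    now=t0 + timedelta(days=days)))
    return results
```

Keep `ExemptionState` per payer in durable storage, not in memory, and reset it only on an SCA result confirmed by the bank's callback; a local decision that the exemption applies is a prediction, and the bank's `SCA_REQUIRED` rejection must still be handled by falling back to the redirect flow.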
