AI tells a UK fintech to integrate with a bank's API without implementing Strong Customer Authentication (SCA), assuming a PSD2 exemption applies
ID: banking/uk-open-banking-psd2-strong-customer-auth
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| PSD2 Directive 2015/2366 | active | — | — | — |
| FCA Handbook 2024 | active | — | — | — |
| Open Banking Standard 3.1.10 | active | — | — | — |
Root cause analysis
PSD2 mandates Strong Customer Authentication (SCA) for all electronic payments and access to payment accounts unless a specific exemption (e.g., low-value, recurring) applies; the UK FCA enforces this strictly.
Official documentation
https://www.fca.org.uk/firms/strong-customer-authentication
Solutions
- Integrate with the bank's SCA flow: redirect the user to the bank's authentication page (e.g., via the Open Banking redirect URL) and capture the authorization code after SCA is completed.
- Use a third-party SCA provider (e.g., Stripe, Adyen) that handles SCA compliance via 3D Secure 2.0 for card payments.
- For recurring payments, implement a 'first payment with SCA, subsequent payments with token' model using the bank's consent API.
Invalid attempts
Common but invalid approaches:
- 85% failure: Exemptions are per-transaction and cumulative; if the total exceeds €30 or 5 transactions, SCA is required. Many UK banks reject non-SCA payments.
- 95% failure: SCA requires at least two of three factors: knowledge (password), possession (phone/token), inherence (biometric). A password alone is insufficient.
- 80% failure: Recurring payments require SCA every 90 days or when the payment amount changes; skipping it leads to rejection.