The final deadline for banks to phase in stronger authentication passed earlier this month. Are the new requirements working for you?
If you have tried to log into your online banking recently, you may have noticed that you can no longer log in using only a username and password or memorable data.
This is because the deadline has recently passed for banks to phase out their older forms of authentication in favour of strong customer authentication (SCA).
Something only you know
The new security regime is designed to identify a customer in at least two of three ways:
💳 Something only you know, such as a password or PIN
💳 Something only you possess, such as a card reader or registered mobile device
💳 Something only you are, such as a digital fingerprint or voice pattern
Low-risk payments, such as direct debits, recurring payments, or low value financial payments are either exempt or require less authentication.
How is it for you?
Many banks are starting to get the right systems in place.
Given the regulator stating it will not enforce the new rules until March 2021, many will only start implementing these between now and the regulator’s deadline.
What is my bank doing to implement SCA?
- Barclays will soon ask for OTPs and memorable words, or PINsentry (card reader or app) codes every time you login (phased).
- Clydesdale and Yorkshire Bank will ask for OTPs via SMS, landline and mobile app or Pin Device authentication.
- Coventry Building Society will introduce SCA via automated phone call this year (phased).
- First Direct will enforce SCA checks for every online banking login at a later date (phased).
- HSBC has asked you to use your digital/physical Secure Key plus password every time you log in since 23 August 2019.
- Lloyds Banking Group (Halifax and Bank of Scotland) will ask you to verify yourself via the app or by entering a OTP supplied via SMS or landline (phased).
- M&S Bank has already implemented SCA for current account logins, with credit cards to follow soon. Later this year, you will able to order a physical M&S Pass if you don’t use the mobile banking app.
- Monzo will ask you to re-verify yourself by entering your Pin or biometric ID (fingerprint) every three months. You’ll also be asked for your Pin when you use a new device.
- NS&I will verify your identity via automated phone call in certain scenarios (phased).
- Nationwide will stop letting you log in using memorable data in favour of card reader logins or OTPs sent via SMS (phased).
- RBS/NatWest customers must use their card readers or enter OTPs sent via SMS for all online banking logins.
- Santander will introduce SCA checks for login in the first quarter of this year, although it will be introducing full entry of a security number soon (phased).
- The Co-operative Bank introduced OTPs sent via SMS/email earlier last year.
- TSB told Which? changes to online banking login are likely to be introduced from 14 March 2020 (phased).
- Yorkshire Building Society has introduced OTPs sent via SMS or automated phone call.
We’re keen to hear if implementing the new security arrangements is causing you any issues with your online banking.
Some have reported already that they’re unable to make payments because they do not have a mobile phone, or they do, but their mobile signal is not strong enough to connect to their banking.
There is also the risk of scammers using the implementation to attempt phishing attacks on online banking customers.

Have you found it difficult to log in with the new security requirements? Do you feel your bank is moving fast enough to implement new security?