What is strong customer authentication (SCA) in open banking?

Answer from Open Banking Tracker

Summary

SCA is a regulatory requirement that payments and account access be authenticated with two or more factors (e.g. something you know, have, or are) to reduce fraud.

Direct answer

Strong customer authentication (SCA) is a requirement under PSD2 in the EU and in the UK: when a customer initiates a payment or grants access to account data, the process must use at least two independent factors—typically something you know (e.g. password), something you have (e.g. phone or token), and/or something you are (e.g. biometric). This reduces fraud and unauthorized access.

In open banking, SCA is applied during the consent and authorization flow (e.g. when the user is redirected to their bank to approve access). Banks and TPPs must comply with SCA rules; API aggregators handle the technical flow. The Open Banking Tracker glossary and regulation pages cover SCA in more detail.
