UK Mobile Banking Security & PSD2 SCA Requirements
Regulator: FCA / PRA / NCSC
Overview
UK financial institutions must comply with PSD2 Strong Customer Authentication, FCA operational resilience requirements, and GDPR data protection standards in mobile banking applications.
Mobile App Security Requirements
- PSD2 SCA compliance for electronic payments
- GDPR-compliant data collection and consent
- Operational resilience for critical mobile services
- Secure open banking API implementations
Fraud Control Requirements
- SCA with dynamic linking for payment initiation
- Transaction risk analysis per the SCA Regulatory Technical Standards (RTS)
- Authorised push payment (APP) fraud prevention controls
MASVS Governance Mapping
| MASVS Control | Regulatory Requirement |
|---|---|
| MASVS-AUTH-2 | SCA-compliant authentication flows |
| MASVS-PRIVACY-1 | GDPR consent and data minimization |
Common Violations
- SCA exemptions applied incorrectly
- Excessive personal data collection
- Insecure deep link handling for payment flows
Recommended Protections
- PSD2 SCA flow validation in governance scans
- GDPR privacy impact assessment integration
- Open banking security conformance testing
Frequently Asked Questions
What is PSD2 SCA for mobile banking?
Strong Customer Authentication requires two or more independent authentication factors for electronic payments, with the resulting authentication code dynamically linked to the specific transaction amount and payee, so that a change to either invalidates the code.
Assess Your Banking APK
Upload your Android APK for a governance assessment mapped to this framework.