Why does Calmony have to have two-factor authentication to log in and to authorise payments?
What are the banking and regulatory requirements for 2FA in banking?
This stems from Strong Customer Authentication (SCA) requirements under the UK's Payment Services Regulations 2017 (implementing PSD2).
SCA mandates two or more independent authentication factors whenever a customer:
- Accesses their payment account online (login)
- Initiates an electronic payment transaction (payment authorisation)
The regulation treats these as two separate "authentication events", each requiring its own independent verification. The logic is that compromising login credentials should not automatically grant payment authority.
The FCA enforces this in the UK post-Brexit, maintaining alignment with the EU framework. Calmony and Griffin face significant penalties for non-compliance, which is why we are rigorous about applying 2FA at both stages.
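To make the "two separate authentication events" model concrete, here is an added illustration (not Calmony's or Griffin's code) of a policy check where the login session alone never authorises a payment: the possession factor is re-verified over a challenge bound to the specific payment, so a proof captured at login cannot be replayed. The factor categories, the HMAC device proof and the nonce format are assumptions for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# SCA factor categories (PSD2 names knowledge, possession and inherence; the
# page only says "independent factors"). Assumed names, not Calmony's code.
KNOWLEDGE, POSSESSION = "knowledge", "possession"


def device_sign(device_secret: bytes, challenge: str) -> str:
    """Possession factor: the user's enrolled device signs a server challenge."""
    return hmac.new(device_secret, challenge.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Session:
    user: str
    factors: frozenset  # factor categories verified at the login event


def login(user: str, password_ok: bool, device_secret: bytes,
          login_nonce: str, login_proof: str) -> Optional[Session]:
    """Authentication event 1: online access to the payment account.
    Returns None unless two factors from different categories are verified."""
    verified = set()
    if password_ok:
        verified.add(KNOWLEDGE)
    expected = device_sign(device_secret, f"login:{user}:{login_nonce}")
    if hmac.compare_digest(expected, login_proof):
        verified.add(POSSESSION)
    if len(verified) < 2:  # SCA: one factor is not enough to log in
        return None
    return Session(user, frozenset(verified))


def authorise_payment(session: Optional[Session], payee: str, amount_pence: int,
                      device_secret: bytes, pay_nonce: str, pay_proof: str) -> bool:
    """Authentication event 2: a valid SCA session is necessary but not
    sufficient. The possession factor is re-verified over a challenge that
    names this payment (user, payee, amount, fresh nonce), so a proof captured
    at login, or for a different payment, cannot be replayed to move money."""
    if session is None or session.factors != {KNOWLEDGE, POSSESSION}:
        return False
    challenge = f"pay:{session.user}:{payee}:{amount_pence}:{pay_nonce}"
    expected = device_sign(device_secret, challenge)
    return hmac.compare_digest(expected, pay_proof)
```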