What are the next steps for SCA following postponements to compliance deadline?

Postponements to strong customer authentication (SCA) were the right decision, but regulators must make it clear there will not be a second opportunity for meeting compliance, according to Michael Sass, vice president, market product management, security solutions, Europe at Mastercard.

The official deadline for PSD2 SCA is 14 September 2019; however, the European Banking Authority has now given national competent authorities (NCAs) the power to change this date. Despite receiving waves of questions around compliance and market preparedness, the EU regulator believed enough time had been given for meeting compliance and chose not to alter the deadline itself. Instead, it gave the NCAs the power to change the implementation date as they saw fit.

Several of these bodies have taken it upon themselves to hold off SCA implementation. The UK’s Financial Conduct Authority is one of them, having stated it could see the deadline pushed back a further 18 months. The Central Bank of Ireland is another to seize upon the opportunity and will not be enforcing the regulation on September 14.

Other regulators have not gone for a blanket approach to the postponement. Germany’s Federal Financial Supervisory Authority (BaFin) has only chosen to suspend compliance for online payments with credit cards. Its reasoning was that card-issuing payment service providers in the country are well prepared, while “substantial adjustments” to the credit card space are still needed.

Mastercard’s vice president Michael Sass believes the move from the EBA is a welcome one, as the market is clearly not 100 per cent ready. It is likely many other NCAs will follow suit and delay implementation. However, deferring the deadline carries its own risk, namely complacency. He said, “The downside of grace periods is that it removes the pressure to do something.”

SCA was initially outlined in 2015, and the deadline has already been delayed 18 months from its original implementation date. The regulator even stated it has not issued an official change because the market has already had enough time to prepare. This raises the question of whether companies are taking the regulation seriously, or have put it on the back burner and are only giving it attention as time runs out to implement the necessary procedures.

“I guess what will now happen is that the regulators will actually confirm these grace periods just like the UK and the Irish have already done, but at the same time they should be clear about the consequences that banks will face if they do not meet SCA, when the grace periods end. So, I think it must be made clear that this is a one-time opportunity to get more time. There will not be a second opportunity like that and PSD2 will be strongly enforced after the grace period ends. I think that is an important message that we’ve covered in authorities and they want to raise.”

How hard regulators and enforcers will come down on those that fail to meet compliance remains to be seen. Looking at other recent widespread regulations, like the General Data Protection Regulation (GDPR), shows how hefty fines can become.

The regulation entered the market on 25 May 2018, and the penalty for compliance failures is up to 4 per cent of a company’s total global turnover. There have been several high-profile fines, most notably British Airways, which was fined £183m by the UK’s FCA, and Google, which was penalised €50m by France’s CNIL. While the number of fines has been increasing, it took some time for them to begin being handed out. Regulators appeared to give companies time to adjust, but after so many delays on SCA, that is unlikely to be the case this time.

If little leeway is going to be given to those that fail to meet SCA compliance, firms really need to ensure their systems are ready. But why has there been such difficulty in making the changes for this regulation? Sass believes the reason is simply that so many changes need to be completed to make it work.

In order to meet compliance, merchants need to make use of a technology stack called 3D-Secure (3DS), or its updated version, 3DS2. The technology is a system designed to help lower instances of online fraud by ensuring a cardholder’s bank verifies the shopper when a sale is made. However, the first version of this system does not support certain use cases, such as in-app transactions. 3DS2 improves on the original by leveraging more than 100 data points to authenticate the parties in the background, and it can be used across a broader range of systems, like mobile devices, and with services like biometrics.

Biometrics is one of the technology pieces that will see a big increase in popularity after SCA, as it is so convenient on devices like smartphones. Sass stated that when consumers have this technology available to them on a device, the majority use it instead of faffing around with one-time passwords. Implementing this technology is not as easy for smaller merchants that make just a handful of transactions a week.

He added, “They also need to invest, in fact, in changing their checkout process. Big merchants are doing that already so that is not a problem, but there’s a long tail of small merchants which are not. Some estimates say that there are probably a million or so ecommerce merchants in Europe alone, and many of these would probably only have a few transactions a week. So, we need more time because some of them may not have heard of PSD2 and may find investments high to improve their checkout process. I think that’s why it was wise that the regulators are giving the industry more time.”

Time also needs to be spent ensuring the customer experience is as smooth as possible. A study from Stripe found that over half of online shoppers will abandon a transaction if there is a bad checkout experience. Sass believes all of this makes it hard for smaller merchants to get prepared for the deadline, as they do not have as much capital to throw at the issue.

Adding extra authentication stages to online payments could cause consumers to drop off. But if consumers are educated on why it is needed, they may take to it more warmly.

He said, “I think when consumers are told why they are being asked to authenticate and if they’re given security as a reason, they will not find that necessarily unpleasant or annoying. If the user experience is good, and it is explained to them that this helps reduce fraud and address the security concerns, then they will do that quite happily.”


Copyright © 2018 RegTech Analyst