What is strong customer authentication and why should you care?

The EU is enforcing new rules for online payments on September 14. For creative RegTech and FinTech businesses, the new legislation could present massive opportunities.

Things are about to change in a big way for financial services companies. On September 14, 2019, the EU’s Revised Payment Service Directive (PSD2) will be fully implemented. Parts of the law have already been enforced, but this last part may be particularly problematic for some corporates as it includes the new rules on strong customer authentication (SCA).

These new rules essentially mean companies must take extra care to ensure people are who they say they are. While it means businesses have more regulatory hoops to jump through, it also presents new opportunities to boost their bottom line. “Such a comprehensive regulation as PSD2 can be a game changer for the whole payment industry and can open opportunities for RegTechs in several areas,” says Bianca Achatz, compliance and regulatory expert at kompany, the commercial register company that was ranked as one of the world’s most innovative RegTech businesses on the RegTech 100 2019 list.

But what exactly are PSD2 and SCA? To explain what PSD2 is all about, one has to start by recognizing that the world is changing. Technology has brought people closer than ever before. Social media platforms like Twitter, LinkedIn and Facebook – which recently announced its own push into the financial landscape with its cryptocurrency Libra – have boosted connectivity.

Professionals can easily communicate with partners across the globe via email, FaceTime, Skype and a plethora of similar options. Similarly, innovative startups, banks and other financial institutions have enabled money to smoothly flow across borders.

However, technology has not only empowered people and businesses. At the same time, the digital revolution has created threats to individuals and enterprises. From money laundering and fraud to privacy concerns and hack attacks, the digital space has introduced many risks too.

And that’s where laws like PSD2 come in. The law is – just like the EU’s Anti-Money Laundering Directive, Markets in Financial Instruments Regulation (MiFIR), the General Data Protection Regulation (GDPR) and similar regulations – part of the EU’s push to protect people and institutions. “What all of them have in common is basically the wish to strengthen consumer protection and to enhance the stability of financial institutions in an ever faster changing technical environment,” says Achatz.

PSD2 is, as the name suggests, an update to PSD1, the EU’s original Payment Services Directive. “The directive not only aims to create an improved payment environment by increasing online payment consumer protection and making EU cross-border payments safer, but also intends to encourage the development of innovative online and mobile payment services,” explains Achatz.

That includes SCA and banks having to provide their application programming interfaces (APIs) to those that request them. “PSD2 will reshape the European money transfer market lastingly as it significantly broadens the geographical scope as well as the services and stakeholders affected,” she says.

The European Commission first proposed PSD2 in June 2013. The law was put together over the next two years, came into force in February 2016 and has since been implemented in stages over the following three years.

Now, the final part of the law is planned to come into force in September 2019, meaning businesses need to update their customer authentication methods by then. “With SCA, each customer journey needs to be carefully considered and it’s a major technical challenge to implement, requiring additional fraud checks and proactive transaction analysis,” says Nicole Jaquemet, consultant at Capco, the business and technology management consultancy.

The full scope of SCA is quite technical. However, what it boils down to is that SCA will require users to prove who they are in two out of three ways to make electronic payments. The first is by showing something only they know, like a PIN code. The second is something they have. This could for instance be a card or a phone. The third is something they are, like a fingerprint. “The added protection for customers will be welcomed and, thinking beyond its mandatory implementation, the transaction analysis can also be used to better understand customers and underpin their risk profiles,” Jaquemet believes.

This could benefit companies as 95 per cent of transactions will require an update by September 2019, according to Barclaycard. While banks and the financial services have been rushing to implement the changes, Jaquemet believes it could pay off in the end. “[If] banks tackle these challenges strategically, keeping the potential business benefits front of mind, PSD2 promises to deliver valuable new revenue streams,” she says.

PSD2 will also mean other opportunities for the sector. “[There] will be an increasing demand for RegTechs specializing in payment security matters,” Achatz argues. “The move towards open banking creates a lot of possibilities for market players and customers, but it comes with a price. The more payment services are connected to other online services, the higher the customer satisfaction but also the higher the risk of, for example, identity theft or asset takeover. This means that RegTechs addressing the increasing threat of fraud within traditional banking, e-commerce and also the FinTech [and] RegTech industry have good chances to come out as winners in this new environment.”

However, these opportunities come with challenges attached. For starters, PSD2 and its SCA clauses do not exist in a vacuum, but have to interact with regulatory requirements for the financial industry covering AML, compliance, risk and taxes. “This means that whenever a tiny detail is amended, it possibly affects a significant amount of other processes,” she says.

A second obstacle is how RegTech companies themselves should cope with the massive waves of information associated with PSD2. “[RegTechs] often have significantly fewer people than incumbent financial institutions they can assign to the monitoring of regulatory developments,” explains Achatz. “Also, RegTechs do not have the same advanced access to long-standing networks of regulators, competitors, advisors, etcetera, as traditional banks. To build such networks is therefore crucial for RegTechs since PSD2 does not end with simply consuming the legislative materials. To stay ahead of the game they also need to keep up with industry developments and evolving best practice examples, e.g. due to regulatory audit findings.”

And RegTech ventures are not the only ones who may be struggling with compliance – their clients are facing similar issues too. “Even though industry players have until September this year to implement SCA mechanisms, it will probably not be enough time for some,” says Achatz. “One reason is that traditional and large financial institutions still have inflexible and sluggish core banking systems that rarely allow for swift amendments and suffer from bad customer data quality.”

Moreover, the European Banking Authority only published a clarification of how SCA-compliance will actually work in June 2019. “This means that certain details necessary for a full implementation [were] not provided sufficiently in advance,” says Achatz. Because of the short timeframe, many companies have struggled to meet the deadline.

This was something the EU banking watchdog acknowledged in its opinion. However, it also stated that the authority itself does not have the power to legally postpone an application date and that companies should have had enough time since they were told to phase out existing authentication processes back in 2015. Nevertheless, the regulator stated that it may show leniency in exceptional cases if companies work with relevant stakeholders and can show that they have a migration plan in place.

Elsewhere, the UK’s Financial Conduct Authority (FCA) is looking to delay the SCA implementation to March 2021, according to several reports at the beginning of August 2019.

Copyright © 2018 RegTech Analyst