It was all going relatively well. In November 2017, the European Commission notified Member States that the revised Payment Services Directive (PSD2) would apply from January 2018 – with a cornerstone measure, Strong Customer Authentication (SCA), to follow suit in September this year.
As the Commission explained, SCA would require consumers carrying out web-based, remote transactions – for example, card payments or credit transfers from online banks – to have in place at least two of the following identity elements:
“Banks and other payment service providers (PSPs) will have to put in place the necessary infrastructure for SCA,” the Commission noted. “They will also have to improve fraud management. Consumers and merchants will have to be equipped and trained to be able to operate in an SCA environment.”
In June this year, the European Banking Authority (EBA) published an opinion providing greater clarity on which sorts of authentication procedures it would consider to be SCA compliant.
Acknowledging “the complexity of the payments markets across the EU and the challenges arising from the changes that are required”, the EBA pitched its opinion as a helpful ready reckoner to assist market preparedness.
While the regulator stressed that it didn’t have the power to postpone application dates set out in EU law, it nonetheless left Member States with a degree of “supervisory flexibility” to phase in SCA, as long as they could prove they had a “migration plan” in place.
On 13 August, the UK Financial Conduct Authority (FCA) pounced on that opportunity, delaying SCA by 18 months.
Reading between the lines, the FCA had concluded, following representations from a number of industry groups and surveys, that UK preparedness was simply not in the right shape for it to enforce SCA from the application date of 14 September. One of those surveys, by MasterCard of small merchants, showed that only 42% felt they would be ready by the deadline.
Selling its fallback position as a “phased implementation”, the regulator said it had “agreed an 18-month plan to implement SCA with the e-commerce industry of card issuers, payment firms and online retailers”.
It noted: “The FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan.
“At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA.”
No. But interestingly, on 12 August – the day before the FCA announced the delay – British Retail Consortium (BRC) head of payment policy Andrew Cregan published a lengthy column at industry journal The Paypers, giving insights into his sector’s struggles with laying the necessary groundwork.
Warning of what was, at that point, an “approaching cliff edge”, Cregan wrote: “Many businesses lack awareness of the changes that SCA will bring to payment processes, and the absence of a UK-wide consumer communications plan, such as the one that supported the rollout of chip-and-pin in 2006, is cause for concern.”
He said: “So far, merchants have been advised to discuss SCA readiness with their acquirers and bank equipment manufacturers and to have a version of [anti-fraud protocol] 3D Secure in place for online transactions – but further, more detailed communication, is lacking.”
Cregan added: “Any communications plan has been stalled by a lack of clarity and consistency emanating from UK payment system providers on the technical infrastructural upgrades required, the application of SCA exemptions for certain transactions, and the detail of how important solutions like 3D Secure will be employed.”
In the interests of protecting his sector’s finances, he pointed out that the costs of anti-fraud solutions are a further issue for end users of the payment system.
Use of 3D Secure, he noted, is likely to come at an additional cost to merchants – and there are concerns that industry confusion over SCA will enable vendors to upsell inappropriate solutions.
Cregan stressed: “We are calling on the FCA to deliver a managed rollout of SCA in the UK, involving a two-year enforcement moratorium – or non-active supervisory period – that provides the breathing space to ensure readiness.”
Responses varied widely. Banking industry trade association UK Finance – which had also strongly called for a managed rollout – was upbeat.
“Today’s FCA plan, which supports our proposals… will help the industry ensure a timely migration to SCA and result in the best outcomes for consumers, while effectively balancing both convenience and security,” said its personal finance chief Eric Leenders.
He added: “The banking and finance industry has worked closely with the FCA, retailer groups and other stakeholders to deliver these required changes in a way that minimises any disruption for consumers and businesses. We want to ensure that the convenience of making an online payment is balanced with these increased security standards.”
However, Jason Tooley – chief revenue officer at authentication software firm Veridium – was less impressed, blasting the “unacceptable length of the delay”.
He said: “It is disappointing to see such resistance from the financial services sector towards integrating SCA into its services. Financial institutions and PSPs have had nearly two years to prepare since the initial announcement, and there is no valid excuse for the delay in its enforcement apart from an unwillingness to participate.”
He added: “While it is true that consumers will see minor changes to their day-to-day spending, the additional layer of security on higher-value payments will enable them to benefit from safer and more innovative electronic payment services.
“The impact on consumers must not be overlooked by the lengthy delay in enforcement. SCA will mean consumers are more confident when buying online – not act as a deterrent to sales, as some have incorrectly suggested.”
In all, more than half of EU Member States – including Luxembourg, Spain, Portugal, Italy and Ireland.
Matt Packer is a freelance business, finance and leadership journalist