National financial regulators have signalled that they’ll be flexible in policing the implementation of new EU regulations, due to come into force on 14 September, which are designed to tackle payment fraud.
Strong Customer Authentication (SCA), a new regulation for online payments, is part of the EU’s high-profile and far-reaching Second Payment Services Directive (PDS2): a framework requiring banks to open their payments infrastructure and customer data assets to third parties, permitting the development of much stronger customer authentication systems.
SCA will introduce “two-factor authentication”, ensuring that many payments will require people to provide two of three means of verifying their identity: something you have (for example, a card or mobile phone with a passcode); something you know (for example, pin number or password); or something you are (for example, fingerprint or face recognition).
Most in-store purchases will be unaffected, as customers have a card and pin number, and payments below €30 (US$34) are exempt. However, sector experts fear that online purchases could be severely disrupted. Most consumers are unaware of the new rules, and research has suggested that more than three-quarters of retailers are unaware of changes that may be required of them to become SCA-compliant.
‘Limited additional time’ to be allowed
In response to concerns about industry’s preparedness, the European Banking Authority (EBA) announced on 21 June that “on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September, NCAs [National Competent Authorities] may decide to work with payment service providers [PSPs] and relevant stakeholders, including consumers and merchants, to provide limited additional time”.
The EBA continued: “This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their NCA, and will execute the plan in an expedited manner. In order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.”
The UK’s Financial Conduct Authority (FCA) announced just a week later, on 28 June, that it would be delaying the introduction of SCA rules in the UK. Reports by fintech site BobsGuide last week stated that Germany would also be using this EBA-supported leeway, with Greece another country preparing to do likewise.
Nation of shopkeepers opening late
The UK’s British Retail Consortium (BRC) and other stakeholders had warned that the lack of industry readiness for the 14 September deadline would lead to the failure of 25-30% of e-commerce transactions.
The FCA said on 28 June: “The legal deadline for complying with the Regulatory Technical Standards on SCA remains 14 September. However, the FCA recognises the challenges in meeting this deadline and has been working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible after this.
“We will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September in areas covered by the agreed migration plan, where there is evidence that they have taken the necessary steps to comply with the plan.”
European ‘transition period’ demanded
At a European level, the European Payment Institutions Federation (EPIF), an association founded in 2011 in response to the adoption of the Payment Services Directive (PSD), welcomed the EBA’s 21 June statement on NCAs granting “a degree of flexibility in the practical implementation of SCA requirements”.
But EPIF says that “migration towards SCA requires significant changes for all participants in the payments industry and they would need sufficient time to implement resilient systems that comply with the new requirements”.
Looking ahead, EPIF said in a statement on 1 August: “We would like to stress that it is important that NCAs align on industry readiness with an agreed Europe-wide roadmap. We believe the payment ecosystem needs a transition period of at least 18 months and perhaps longer for certain sectors and in clearly defined use-cases, with key milestones and clear and consistent metrics.”
EPIF’s statement was co-signed by organisations including corporates such as Visa and MasterCard, and lobby group EuroCommerce. This coalition is calling on the EBA “to reach a consensus on a common European roadmap and a common European deadline before the 14 September”.
Elie Beyrouthy, chair of the executive board of EPIF, told Global Government Forum this week: “We are concerned that Europe may end up with a fragmented landscape if the EBA does not adopt a common roadmap that would cover the 28 EU member states. This is essential to keep a similar customer experience across the EU.”
Ready or not, here it comes
In May, Stripe, a payments infrastructure company, released a study forecasting that Europe could lose €57bn (US$64bn) in economic activity in the first 12 months after SCA takes effect. The report found that three in five businesses with under 100 employees were either unfamiliar with SCA, did not plan on being compliant before September, or were unsure when they will be ready. Larger merchants of more than 5,000 employees had only one in 25 payment professionals unaware.
The findings were based on surveys with 500 qualified payment professionals at online businesses and 1,000 consumers in the UK, France, Germany, the Netherlands and Spain.
Jordan McKee, analyst at 451 Research – which conducted Stripe’s study – said: “SCA is unequivocally the single most disruptive event to impact European digital commerce, and many businesses – especially smaller ones – have yet to fully grasp its extensive impact. Our study indicates low levels of preparedness and, most troublingly, a lack of appreciation for how SCA will transform how European consumers will buy online.”