The extension of SCA: a sensible move or an unnecessary delay?
As payment professionals, we’re all fully up to speed with the delay of the full effects of Strong Customer Authentication (SCA), drawn up under the EU’s second Payment Services Directive (PSD2).
Originally meant to come into play on 14 September 2019, the European Banking Authority (EBA) recently allowed the individual National Competent Authorities (NCAs) to provide extensions. On 15 October the EBA clarified the exact length: the deadline will now be 31 December 2020, a 15-month extension.
This extension is good news for businesses across the UK as they have some much-needed breathing room to prepare and to fully educate themselves on how this regulation will impact all areas of the payment ecosystem.
A sensible and necessary move for SCA
The extension is a sensible and necessary move. As 14 September approached, the European Banking Authority (EBA) was forced to recognise the negative impact full enforcement of SCA could have.
Most industry participants – PSPs (the regulated bodies required to comply), acquirers, trade groups, merchants – had been clamouring about this; they knew that the payments industry simply wasn’t ready for full enforcement of SCA. The risk of disruption – especially to online payment transactions – was too great.
UK Finance, in their Request for a Managed Rollout (subsequently accepted by the UK’s FCA as their plan for a phased rollout of SCA), noted that “more than 75% of merchants” are unaware of SCA requirements, with less than 5% of merchants using 3D Secure 2.x (the technology required for applying SCA for ecommerce and mcommerce payments).
Even if the regulated PSPs (the Issuers and ASPSPs) were ready for SCA, merchant and consumer awareness was significantly lacking. The EBA’s June 2019 Opinion specifically acknowledged that consumer awareness is vital for SCA’s success.
Recognising the impact of SCA on markets
Most national regulators (the NCAs), also recognising the potential impacts in their own markets, are now offering an extension to full enforcement, but many also recognised that in specific industries and use cases a longer extension may be needed. However, the EBA and national regulators’ flexible approach to the SCA deadline has raised concerns.
One is that, as the flexibility of enforcement and acceptance of PSP migration plans has been delegated to the national regulators (Competent Authorities), the delay may lead to a heterogeneous, fragmented approach rather than the coordinated Europe-wide implementation that could (should?) have been achieved for 14 September.
Another is that with the passing of what was a ‘fixed’ September deadline date and a more flexible ongoing rollout, there will be a loss of impetus, of momentum – new regulatory priorities, new business pressures may distract businesses from their efforts to fully implement or support SCA. The realisation of the aims of PSD2 – to protect consumers and reduce fraud – may be more gradual and piecemeal.
The EBA’s June opinion not only provided an extension to full enforcement (within defined parameters) but also clarified that one of the most common approaches to SCA (reliance on static card data, 3DS2 and a one-time password) did not fulfil SCA requirements. That late-stage clarification in itself made an extension to SCA enforcement for online payments and ecommerce necessary, as PSPs that had chosen this now non-compliant approach to SCA need to re-design their solution.
Delayed implementation means greater solutions for all
The need to revisit SCA implementations is not necessarily a bad thing, however, as concerns had already been raised about the reduced consumer accessibility and suitability of SCA approaches relying on SMS OTP. With the extra time offered by the extension, PSPs can deploy SCA solutions that work effectively/efficiently for all consumers regardless of where they are, whether they have a mobile signal (or even a mobile device at all).
Couple that with efforts to ensure merchant support for SCA and campaigns to raise consumer awareness of the changes – the SCA enforcement delay will help to ensure the greater convenience of available solutions and greater acceptance by merchants and consumers.
Has the complexity of introducing strong customer authentication been underestimated?
I think on all sides – the European Commission, the EBA, the PSPs, the wider industry – the complexity of introducing SCA for all of the impacted transaction types and channels defined as in scope was underestimated. At a high level the principles and requirements were understood, but fulfilling those principles and meeting those requirements needed two areas to come together across that whole range of in-scope transactions: on the payments side – identifying those in-scope activities, identifying responsibilities, seeking clarification of interpretation from the EBA on ‘grey’ areas, and coordinating multiple entities across industry sectors; and on the technical and security side – defining and developing solutions to meet the RTS requirements.
I think the timescale allowed for the implementation of the RTS was ambitious – necessarily so, there needed to be pressure on the industry to drive the change – but at the time the RTS was published there were many unknowns, many questions to be answered (many of which, on publication of the RTS, no one knew they even needed to be asked), many scope implications to be teased out, responsibilities to be defined, technical solutions to be considered and many parties to be coordinated.
In many ways the date was unrealistic from the start, but by setting a hard date and driving the players in the market to meet it, we are now at the stage where most of the unknowns have been identified and the questions asked, clarified and defined. Now is the time for implementation of SCA solutions that actually work across the board of all in-scope activities. We needed the time up till 14 September 2019 and we needed the deadline to get us to this stage.
By James Devoy, EVP for cyber risk services, Sysnet