By James Devoy, EVP for Cyber Risk Services at Sysnet
Those within the payments industry were thankful when the deadline for migration to Strong Customer Authentication (SCA), under the EU’s second Payment Services Directive (PSD2), was delayed.
Originally meant to come into play on 14th September 2019, the European Banking Association (EBA) has allowed the individual National Competent Authorities (NCA) to provide extensions giving extra time to migrate to SCA authentication approaches, compliant with the EBA’s Regulatory Technical Standards (RTS). On the 15th October an exact length was clarified by the EBA and now the migration deadline is the 31st December 2020, a 15-month extension.
This extension is good news for businesses across the UK as they have some much-needed breathing room to prepare and to fully educate themselves on how this regulation will impact all areas of the payment ecosystem.
A sensible and necessary move for SCA
The extension is a sensible and necessary move. As the 14th September approached, the EBA was forced to recognise the negative impact full enforcement of the SCA could have.
Most industry participants – Payment Service Providers (PSPs; the regulated bodies required to comply), acquirers, trade groups, merchants – had been clamouring about this; they knew that the payments industry simply wasn’t ready for full enforcement of SCA. The risk of disruption – especially to online payment transactions – was too great.
UK Finance, in their Request for a Managed Rollout (subsequently accepted by the UK’s FCA as their plan for a phased rollout of SCA), noted that “more than 75% of merchants” are unaware of SCA requirements, with less than 5% of merchants using 3D Secure 2.x (the technology required for applying SCA for ecommerce and mcommerce payments).
Even if the regulated PSPs (the Card Issuers and Account Servicing PSPs) were ready for SCA, merchant preparedness and consumer awareness were significantly lacking. The EBA’s June 2019 Opinion specifically acknowledged that consumer awareness is vital for SCA’s success.
Recognising the impact of SCA on markets
After the EBA’s June 2019 Opinion was given, a decision was made to delegate the migration plan responsibilities to the NCAs. This decision was made because these groups could recognise the impact on their specific markets and plan accordingly. The EBA acknowledged that the extra time needed to become compliant can vary based on the industry and so planned for a flexible approach to the SCA deadline; however, this raised many concerns.
A number of significant trade bodies, like the European Association of Payment Service Providers for Merchants (EPSM) and the European Payment Institutions Federation (EPIF), raised concerns over the heterogeneous, fragmented approach that the EBA and NCAs were taking. They feared that without a consistent and harmonised implementation of SCA there was a high possibility of the industry at large still not being ready by the new December 2020 deadline.
In addition, another concern is that with the passing of what was a ‘fixed’ September deadline date and a more flexible ongoing rollout, there will be a loss of impetus, of momentum – new regulatory priorities and new business pressures may distract companies from the efforts to fully implement or support SCA. The realisation of the aims of PSD2 – to protect consumers and reduce fraud – may be more gradual and piecemeal.
The EBA took these concerns into consideration in its 16th October Opinion and, with additional information from their own surveys, decided to set a single, common deadline of 31st December 2020. It is shorter than many were hoping; however, almost all NCAs have accepted the date. The UK’s FCA has chosen not to follow this timeframe and is instead sticking to the 18-month deadline originally set out in their Managed Rollout plan, while the French NCA, Banque de France, has committed to a two-step migration plan with a main period of migration until the end of 2020 and an additional 3-month period allowed to address residual special cases. The EBA itself considers that its 15-month deadline provides sufficient time for issuing PSPs, acquiring PSPs and their merchants to migrate to SCA-compliant solutions.
Delayed implementation means greater solutions for all
The enforcement delay and need to revisit SCA implementations is not necessarily a bad thing, as concerns had already been raised about the reduced consumer accessibility and suitability of SCA approaches relying on SMS One-time Passwords (OTP). With the extra time offered by the extension, PSPs can deploy SCA solutions that work effectively and efficiently for all consumers regardless of where they are, whether they have a mobile signal (or even a mobile device at all).
Couple that with efforts to ensure merchant support for SCA and campaigns to raise consumer awareness of the changes – the SCA enforcement delay will help to ensure the greater convenience of available solutions and greater acceptance by merchants and consumers.
Has the complexity of introducing strong customer authentication been underestimated?
On all sides – the European Commission, the EBA, the PSPs, the wider industry – the complexity of introducing SCA for all of the impacted transaction types and channels defined as in scope was underestimated. At a high level the principles and requirements were understood, but to fulfil those principles and meet those requirements needed two areas to come together across that whole range of in-scope transactions: on the payments side – identifying those in-scope activities, identifying responsibilities, seeking clarification of interpretation from the EBA on ‘grey’ areas, and coordinating multiple entities across industry sectors; and on the technical and security side – defining and developing solutions to meet the RTS requirements.
The timescale allowed for the implementation of the RTS was ambitious – necessarily so, there needed to be pressure on the industry to drive the change – but at the time the RTS was published there were many unknowns, many questions to be answered (many of which, on publication of the RTS, no one knew they even needed to be asked), many scope implications to be teased out, responsibilities to be defined, technical solutions to be considered and many parties to be coordinated.
In many ways, therefore, the date was unrealistic from the start, even though the EBA was of the view that the payments industry had plenty of time to prepare and be ready to comply, as September 2019 was more than 3 years since PSD2 came into force and a full 18 months after publication of the RTS. However, by setting a hard date and driving the players in the market to meet it, we are now at the stage where most of those unknowns have been identified, and the questions asked, clarified and defined. Now is the time for implementation of SCA solutions that actually work across the board of all in-scope activities. We needed the time up until 14th September 2019, and we needed the deadline to get us to this stage.