What We Think
May 6, 2020
The Extension of Strong Customer Authentication – A Sensible Move
The new PSD2 directive is a fundamental piece of payment legislation in Europe. Through the implementation of the EBA Regulatory Technical Standards (RTS), formalized in Commission Delegated Regulation (EU) 2018/389, it was to go into effect on 14 September 2019. However, the European Banking Authority (EBA) recommended a period of non-enforcement of strong customer authentication (SCA) measures with respect to card-based e-commerce transactions and set the new deadline to 31 December 2020.
The PSD2 regulation drastically impacts the financial ecosystem and infrastructure for banks, payment service providers, fintechs, and businesses using payment data for the benefit of consumers. The revised Payment Services Directive (PSD2) aims to better align payment regulation with the current state of the market and technology. It introduces security requirements for the initiation and processing of electronic payments, as well as for the protection of consumers’ financial data. It also recognizes and regulates Third-Party Providers (TPPs) that are allowed to access or aggregate accounts and initiate payment services. This will clearly shake up the payments market, particularly in the eCommerce space, by encouraging greater competition, transparency, and innovation in payment services. In short, PSD2 aims at facilitating consumer access to their banking data and driving innovation by encouraging banks to exchange customer data securely with third parties.
Who’s ready?
As stated by Finextra, 41% of the 442 European banks that took part in a survey carried out last year failed to meet the March 2019 deadline: they could not provide a testing environment to third-party service providers. The six-month testing period before the September deadline was seen as critical for those providers to test the APIs that would connect them to banks, and also as key to piloting new services.
However, at the same time most industry participants – Payment Service Providers (PSPs; the regulated bodies required to comply), acquirers, trade groups, merchants – had been clamoring about this. They knew that the payments industry simply wasn’t ready for full enforcement of SCA. The risk of disruption, especially to online payment transactions, was too great. A reluctance was also perceived on the part of some banks and financial providers to hand over data to customers, citing their compliance and risk scenarios. Their concerns proved to be right. The European Banking Authority (EBA) announcement (the so-called Opinion), issued last October, clearly showed that it had acknowledged that various players in the payment chain were not ready for this change. The EBA’s June 2019 Opinion also acknowledged that consumer awareness is vital for SCA’s success.
The new deadline to implement Strong Customer Authentication (SCA) has been pushed back by fifteen months (till 31 December 2020).
Impacts on Banks, Payment Service Providers and Third Party Providers (TPPs)
European payment providers and banks are legally required to enforce SCA for card-not-present payments from December 2020 and are subject to heavy fines or even having their licence revoked for not doing so. Merchants that resist adopting the EMV 3DS requirements (the evolution of 3-D Secure and the preferred SCA solution) are going to suffer a severe loss of transaction volume as their card decline rate for non-3DS-authenticated payments rapidly increases. This increase in card declines will culminate at the SCA deadline; at this point a merchant will not be able to process any card transactions without having integrated 3DS. Issuers will not be adopting a risk-based approach to authorization from that date; in order to comply with the regulation, all online card payments that are not strong-customer-authenticated via 3DS will be declined without consideration.
As a result, in recent months we have witnessed huge inroads towards these goals, such as the news from the card giant Visa, which transformed its Verified by Visa into a new program for frictionless payments. The new program provides rules and policies that merchants and issuing payment providers have to follow to authenticate e-commerce transactions and verify cardholder identity before a transaction can be authorized. Visa committed to a number of milestones, the next one falling on 1 July 2020, when Visa introduces an issuer behavioral fee for abandoned EMV 3DS transactions. Mastercard chose a similar date for all parties in the EEA to achieve market readiness for 3DS.
By now most payment providers have contacted, or are in the process of contacting, those customers likely to be affected to advise them of the changes required. As most 3-D Secure transactions are handled by the payment provider, merchants who use a hosted payment gateway will be unaffected, whilst merchants using other solutions may need to update their extensions.
Security critical
The core principles of the PSD2 RTS, i.e. Strong Customer Authentication (SCA), Secured Communication, Risk Management and Transaction Risk Analysis (TRA), have been maintained, confirming the directive’s security objectives.
To protect the consumer, PSD2 requires banks and PSPs to implement multi-factor authentication for all proximity and remote transactions performed on any channel. This means customers may be asked for two different pieces of information from the following categories when making purchases online:
Smooth user experience
To ensure smooth user experience, PSD2 requests banks and PSPs to put in place security measures that are “compatible with the level of risk involved in the payment service” to find the right balance between security and user convenience.
To simplify life for consumers, the RTS list several situations for which PSPs are not required to perform strong customer authentication. Most of these exemptions are related to low-value payments, repetitive transactions and transactions to trusted beneficiaries.
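The two requirements described above (two elements from different categories for strong customer authentication, and a set of exemptions for low-value, repetitive and trusted-beneficiary payments) can be expressed as a small decision function. The following is an added illustration, not code from the article or from any PSP; the category names (knowledge, possession, inherence) are PSD2's own, while the exemption thresholds, the `Transaction` fields and the strict "two different sources" independence rule are assumptions chosen for the example and would have to be taken from the RTS and the issuer's own policy in a real deployment.

```python
"""Added illustration (not from the article): an SCA decision for a
card-not-present payment.

Two questions are modelled:
  1. Is SCA required, or does an RTS-style exemption apply?
  2. If required, do the presented elements come from at least two
     independent categories (knowledge, possession, inherence)?
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (PIN, password)
    POSSESSION = "possession"  # something only the user has (card, phone, token)
    INHERENCE = "inherence"    # something the user is (fingerprint, face)


@dataclass(frozen=True)
class Factor:
    category: Category
    source: str  # device/channel that produced the element (assumed field)


@dataclass
class Transaction:
    amount_eur: float
    payee_id: str
    trusted_payees: FrozenSet[str] = frozenset()
    recurring_series: bool = False  # same amount, same payee, not the first payment
    # Payer history since the last SCA (assumed inputs kept by the issuer)
    low_value_count_since_last_sca: int = 0
    low_value_sum_since_last_sca: float = 0.0


# Assumed example thresholds; the article gives no figures.
LOW_VALUE_LIMIT_EUR = 30.0
LOW_VALUE_MAX_CUMULATIVE_EUR = 100.0
LOW_VALUE_MAX_COUNT = 5


def exemption_reason(txn: Transaction) -> Optional[str]:
    """Name of the applicable exemption, or None if SCA must be performed."""
    if txn.payee_id in txn.trusted_payees:
        return "trusted-beneficiary"
    if txn.recurring_series:
        return "recurring-transaction"
    within_single = txn.amount_eur <= LOW_VALUE_LIMIT_EUR
    within_count = txn.low_value_count_since_last_sca < LOW_VALUE_MAX_COUNT
    within_sum = (txn.low_value_sum_since_last_sca + txn.amount_eur
                  <= LOW_VALUE_MAX_CUMULATIVE_EUR)
    if within_single and within_count and within_sum:
        return "low-value"
    return None


def sca_satisfied(factors: List[Factor]) -> bool:
    """True if the elements span two categories and two distinct sources.

    Treating elements from one source as not independent is a conservative
    simplification for this example: the RTS does allow multi-purpose devices
    under mitigating measures, which is not modelled here.
    """
    categories = {f.category for f in factors}
    if len(categories) < 2:
        return False
    sources = {f.source for f in factors}
    return len(sources) >= 2


def decide(txn: Transaction, factors: List[Factor]) -> str:
    """Overall outcome: exempt, authenticated, or declined (SCA missing)."""
    reason = exemption_reason(txn)
    if reason is not None:
        return f"approve-exempt:{reason}"
    return "approve-sca" if sca_satisfied(factors) else "decline-sca-required"


if __name__ == "__main__":
    # Constructed sample: a EUR 250 purchase at an unknown merchant.
    purchase = Transaction(amount_eur=250.0, payee_id="merchant-42")
    pin_and_otp = [Factor(Category.KNOWLEDGE, "browser"),
                   Factor(Category.POSSESSION, "phone")]
    print(decide(purchase, pin_and_otp))                      # approve-sca
    print(decide(purchase, pin_and_otp[:1]))                  # decline-sca-required
    print(decide(Transaction(20.0, "merchant-42"), []))       # approve-exempt:low-value
```

The decline path is the behaviour the article predicts for non-3DS-authenticated payments after the deadline: with no exemption and fewer than two independent elements, the issuer does not fall back to a risk-based approval.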
PSD2 and Open Banking
The move to open banking means removing barriers between competitors, as it requires banks to allow their account details and transactions to be shared with third parties through APIs. The Directive hinges on a critical connection between retailers, fintechs, and payment providers. This relationship will be driven by APIs that current service providers need to open to any Third-Party Provider that wants to aggregate account data and/or initiate payment services. On paper – but to some extent already being witnessed – this will bring about more robust collaboration between traditional financial institutions and new players in the banking and payment space.
An enticing opportunity
PSD2 is a customer-centric regulation that should lead to an improved customer environment, bringing benefits not only to end-users but to all banking and payment parties. Some of the most enticing benefits include adding third-party capabilities to core offerings, capitalizing on consumer behavior and storing consumer preference data, and making the multi-factor authentication process as easy as possible for the customer.
New customer onboarding will be made easier, offering end-users better tools to manage their finances and enticing them to buy new products and services that can be offered by payment providers and TPPs. Banks and PSPs will be able to make better use of financial data to provide competing services at competitive rates. Already, leading payment service providers have started building strong partnerships and open-banking API hubs, showing how PSD2 regulation can be the perfect tool for more innovation in payment and banking.
The enforcement delay and need to revisit SCA implementations is not necessarily a bad thing, as concerns had already been raised about the reduced consumer accessibility and sustainability of SCA approaches relying on SMS one-time passwords (OTP). With the extra time offered by the extension, PSPs can deploy SCA solutions that work effectively and efficiently for all consumers regardless of where they are or whether they have a mobile signal (or even a mobile device at all).
Coupled with efforts to ensure merchant support for SCA and campaigns to raise consumer awareness of the changes, the SCA enforcement delay will help to ensure the greater convenience of available solutions and greater acceptance by merchants and consumers alike.
Getting there - Now it’s doable
On all sides – the European Commission, the EBA, banks, the PSPs, the wider industry – the complexity of introducing SCA for all the impacted transaction types and channels defined as in scope was underestimated. At a high level, the principles and requirements were understood, but to fulfil those principles and meet those requirements two factors needed to come together across that whole range of in-scope transactions: on the payments side, identifying those in-scope activities, identifying responsibilities, seeking clarification of interpretation from the EBA on ‘grey areas’, and coordinating multiple entities across industry sectors; and on the technical and security side, defining and developing solutions to meet the RTS requirements.
The timescale allowed for the implementation of the RTS was ambitious – necessarily so, there needed to be pressure on the industry to drive the change – but at the time the RTS were published there were many unknowns, many questions to be answered, many scope implications to be teased out, responsibilities to be defined, technical solutions to be considered and many parties to be coordinated.
In many ways, therefore, the date was unrealistic from the start, even though the EBA was of the view that the payment industry had plenty of time to prepare and be ready to comply, as September 2019 was more than three years after PSD2 came into force and a full 18 months after publication of the RTS. However, by setting a hard date, driving the players in the market to meet it, now we are at a stage where most of those unknowns have been identified, questions asked, clarified and defined. Now is the time for implementation of SCA solutions that actually work across the board of all in-scope activities. We needed the time up till 14 September, 2019 and we needed the extended deadline to get us to this point.
Everything seemed to be going smoothly this time… until the world was hit by the COVID crisis, which once again called the SCA enforcement deadline into question. The EBA published its response to the coronavirus (COVID-19), which includes a Statement on consumer and payment issues in light of COVID-19, published 25 March 2020. The EBA has stated it will monitor the impact of COVID-19 on the industry’s readiness to implement SCA.
Only time will tell whether the enforcement will happen by the revised date, but one thing is certain: this fundamental piece of payment legislation is here to stay.
PSD2 Compliance: Where do we fit in?
Seed enables financial institutions to meet the challenges raised by PSD2. A dedicated cluster on payments and electronic money helps financial institutions understand and address PSD2 requirements, particularly in the areas of compliance, governance and risk.
For more information contact Daniel Attard.