The extension of SCA: a sensible move or an unnecessary delay?

James Devoy

EVP for Cyber Risk Services at Sysnet

20.02.2020 12:30 pm

Those within the payments industry were thankful when the deadline for migration to Strong Customer Authentication (SCA), under the EU’s second Payment Services Directive (PSD2), was delayed.

Although SCA was originally meant to come into play on 14th September 2019, the European Banking Association (EBA) has allowed the individual National Competent Authorities (NCAs) to provide extensions, giving extra time to migrate to SCA approaches compliant with the EBA’s Regulatory Technical Standards (RTS). On the 15th October the EBA clarified the exact length of the extension, and the migration deadline is now the 31st December 2020, a 15-month extension.

This extension is good news for businesses across the UK as they have some much-needed breathing room to prepare and to fully educate themselves on how this regulation will impact all areas of the payment ecosystem.

A sensible and necessary move for SCA

The extension is a sensible and necessary move. As the 14th September approached, the EBA was forced to recognise the negative impact full enforcement of the SCA could have.

Most industry participants – Payment Service Providers (PSPs; the regulated bodies required to comply), acquirers, trade groups, merchants – had been clamouring about this; they knew that the payments industry simply wasn’t ready for full enforcement of SCA. The risk of disruption – especially to online payment transactions – was too great.

UK Finance, in their Request for a Managed Rollout (subsequently accepted by the UK’s FCA as their plan for a phased rollout of SCA), noted that “more than 75% of merchants” are unaware of SCA requirements, with less than 5% of merchants using 3D Secure 2.x (the technology required for applying SCA for ecommerce and mcommerce payments).

Even if the regulated PSPs (the Card Issuers and Account Servicing PSPs) were ready for SCA, merchant preparedness and consumer awareness were significantly lacking. The EBA’s June 2019 Opinion specifically acknowledged that consumer awareness is vital for SCA’s success.

Recognising the impact of SCA on markets

After the EBA’s June 2019 Opinion was given, a decision was made to delegate the migration plan responsibilities to the NCAs. This decision was made because these groups could recognise the impact on their specific markets and plan accordingly. The EBA acknowledged that the extra time needed to become compliant can vary based on the industry and so planned for a flexible approach to the SCA deadline; however, this raised many concerns.

A number of significant trade bodies like the European Association of Payment Service Providers for Merchants (EPSM) and the European Payment Institutions Federation (EPIF) raised concerns over the heterogeneous, fragmented approach that the EBA and NCAs were taking. They feared that without a consistent and harmonised implementation of SCA there was a high possibility of the industry at large still not being ready by the new December 2020 deadline.

In addition, another concern is that with the passing of what was a ‘fixed’ September deadline date and a more flexible ongoing rollout, there will be a loss of impetus, of momentum – new regulatory priorities and new business pressures may distract companies from the efforts to fully implement or support SCA. The realisation of the aims of PSD2 – to protect consumers and reduce fraud – may be more gradual and piecemeal.

The EBA took these concerns into consideration in its 16th October Opinion and, with additional information from their own surveys, decided to set a single, common deadline of 31st December 2020. It is shorter than many were hoping; however, almost all NCAs have accepted the date. The UK’s FCA has chosen not to follow this timeframe and is instead sticking to the 18-month deadline originally set out in their Managed Rollout plan, while the French NCA, Banque de France, has committed to a two-step migration plan with a main period of migration until the end of 2020 and an additional 3-month period allowed to address residual special cases. The EBA itself considers that its 15-month deadline provides sufficient time for issuing PSPs, acquiring PSPs and their merchants to migrate to SCA-compliant solutions.

Delayed implementation means greater solutions for all

The enforcement delay and need to revisit SCA implementations is not necessarily a bad thing, as concerns had already been raised about the reduced consumer accessibility and suitability of SCA approaches relying on SMS One-time Passwords (OTP). With the extra time offered by the extension, PSPs can deploy SCA solutions that work effectively/efficiently for all consumers regardless of where they are, whether they have a mobile signal (or even a mobile device at all).

Couple that with efforts to ensure merchant support for SCA and campaigns to raise consumer awareness of the changes – the SCA enforcement delay will help to ensure the greater convenience of available solutions and greater acceptance by merchants and consumers.

Has the complexity of introducing strong customer authentication been underestimated?

On all sides – the European Commission, the EBA, the PSPs, the wider industry – the complexity of introducing SCA for all of the impacted transaction types and channels defined as in scope was underestimated. At a high level the principles and requirements were understood, but fulfilling those principles and meeting those requirements needed two areas to come together across that whole range of in-scope transactions: on the payments side – identifying those in-scope activities, identifying responsibilities, seeking clarification of interpretation from the EBA on ‘grey’ areas, and coordinating multiple entities across industry sectors; and on the technical and security side – defining and developing solutions to meet the RTS requirements.

The timescale allowed for the implementation of the RTS was ambitious – necessarily so, there needed to be pressure on the industry to drive the change – but at the time the RTS was published there were many unknowns, many questions to be answered (many of which, on publication of the RTS, no one knew they even needed to be asked), many scope implications to be teased out, responsibilities to be defined, technical solutions to be considered and many parties to be coordinated.

In many ways, therefore, the date was unrealistic from the start, even though the EBA was of the view that the payments industry had plenty of time to prepare and be ready to comply, as September 2019 was more than 3 years since PSD2 came into force and a full 18 months after publication of the RTS. However, by setting a hard date and driving the players in the market to meet it, we are now at the stage where most of those unknowns have been identified, questions asked, clarified and defined. Now is the time for implementation of SCA solutions that actually work across the board of all in-scope activities. We needed the time up till 14th September 2019 and we needed the deadline to get us to this stage.
