The extension of SCA: a sensible move or an unnecessary delay?

James Devoy

EVP for Cyber Risk Services at Sysnet

20.02.2020 12:30 pm

Those within the payments industry were thankful when the deadline for migration to Strong Customer Authentication (SCA), under the EU’s second Payment Services Directive (PSD2), was delayed.

SCA was originally meant to come into play on 14th September 2019, but the European Banking Association (EBA) has allowed the individual National Competent Authorities (NCA) to provide extensions, giving extra time to migrate to SCA authentication approaches compliant with the EBA’s Regulatory Technical Standards (RTS). On the 15th October an exact length was clarified by the EBA and now the migration deadline is the 31st December 2020, a 15-month extension.

This extension is good news for businesses across the UK as they have some much-needed breathing room to prepare and to fully educate themselves on how this regulation will impact all areas of the payment ecosystem.

A sensible and necessary move for SCA

The extension is a sensible and necessary move. As the 14th September approached, the EBA was forced to recognise the negative impact full enforcement of the SCA could have.

Most industry participants – Payment Service Providers (PSPs; the regulated bodies required to comply), acquirers, trade groups, merchants – had been clamouring about this; they knew that the payments industry simply wasn’t ready for full enforcement of SCA. The risk of disruption – especially to online payment transactions – was too great.

UK Finance, in their Request for a Managed Rollout (subsequently accepted by the UK’s FCA as their plan for a phased rollout of SCA), noted that “more than 75% of merchants” are unaware of SCA requirements, with less than 5% of merchants using 3D Secure 2.x (the technology required for applying SCA for ecommerce and mcommerce payments).

Even if the regulated PSPs (the Card Issuers and Account Servicing PSPs) were ready for SCA, merchant preparedness and consumer awareness were significantly lacking. The EBA’s June 2019 Opinion specifically acknowledged that consumer awareness is vital for SCA’s success.

Recognising the impact of SCA on markets

After the EBA’s June 2019 Opinion was given, a decision was made to delegate the migration plan responsibilities to the NCAs. This decision was made because these groups could recognise the impact on their specific markets and plan accordingly. The EBA acknowledged that the extra time needed to become compliant can vary based on the industry and so planned for a flexible approach to the SCA deadline; however, this raised many concerns.

A number of significant trade bodies like the European Association of Payment Service Providers for Merchants (EPSM) and the European Payment Institutions Federation (EPIF) raised concerns over the heterogeneous, fragmented approach that the EBA and NCAs were taking. They feared that without a consistent and harmonised implementation of SCA there was a high possibility of the industry at large still not being ready by the new December 2020 deadline.

In addition, another concern is that with the passing of what was a ‘fixed’ September deadline date and a more flexible ongoing rollout, there will be a loss of impetus, of momentum – new regulatory priorities and new business pressures may distract companies from the efforts to fully implement or support SCA. The realisation of the aims of PSD2 – to protect consumers and reduce fraud – may be more gradual and piecemeal.

The EBA took these concerns into consideration in its 16th October Opinion and, with additional information from their own surveys, decided to set a single, common deadline of 31st December 2020. It is shorter than many were hoping; however, almost all NCAs have accepted the date. The UK’s FCA has chosen not to follow this timeframe and is instead sticking to the 18-month deadline originally set out in their Managed Rollout plan. The French NCA, Banque de France, meanwhile, has committed to a two-step migration plan with a main period of migration until the end of 2020 and an additional 3-month period allowed to address residual special cases. The EBA itself considers that its 15-month deadline provides sufficient time for issuing PSPs, acquiring PSPs and their merchants to migrate to SCA-compliant solutions.

Delayed implementation means greater solutions for all

The enforcement delay and need to revisit SCA implementations is not necessarily a bad thing, as concerns had already been raised about the reduced consumer accessibility and suitability of SCA approaches relying on SMS One-time Passwords (OTP). With the extra time offered by the extension, PSPs can deploy SCA solutions that work effectively and efficiently for all consumers regardless of where they are and whether they have a mobile signal (or even a mobile device at all).

Couple that with efforts to ensure merchant support for SCA and campaigns to raise consumer awareness of the changes – the SCA enforcement delay will help to ensure the greater convenience of available solutions and greater acceptance by merchants and consumers.

Has the complexity of introducing strong customer authentication been underestimated?

On all sides – the European Commission, the EBA, the PSPs, the wider industry – the complexity of introducing SCA for all of the impacted transaction types and channels defined as in scope was underestimated. At a high level the principles and requirements were understood, but fulfilling those principles and meeting those requirements needed two areas to come together across that whole range of in-scope transactions: on the payments side – identifying those in-scope activities, identifying responsibilities, seeking clarification of interpretation from the EBA on ‘grey’ areas, and coordinating multiple entities across industry sectors; and on the technical and security side – defining and developing solutions to meet the RTS requirements.

The timescale allowed for the implementation of the RTS was ambitious – necessarily so, there needed to be pressure on the industry to drive the change – but at the time the RTS was published there were many unknowns, many questions to be answered (many of which, on publication of the RTS, no one knew they even needed to be asked), many scope implications to be teased out, responsibilities to be defined, technical solutions to be considered and many parties to be coordinated.

In many ways, therefore, the date was unrealistic from the start, even though the EBA was of the view that the payments industry had plenty of time to prepare and be ready to comply, as September 2019 was more than 3 years since PSD2 came into force and a full 18 months after publication of the RTS. However, by setting a hard date and driving the players in the market to meet it, we are now at the stage where most of those unknowns have been identified, questions asked, clarified and defined. Now is the time for implementation of SCA solutions that actually work across the board of all in-scope activities. We needed the time up till 14th September 2019 and we needed the deadline to get us to this stage.
