Before we all became obsessed with coronavirus; even before we spent our time wondering about Brexit; back when things were simpler for retailers, the EU introduced its Second Payment Services Directive (PSD2) to change how banking and payments worked across Europe in the digital age.
Part of that change was the introduction of Strong Customer Authentication (SCA), which rewrote the rules on how banks authenticated payments being made by their customers online. Much has been written about what this would mean for retail – and yet no one has yet found out.
SCA was due to be enforced by 14 September 2019, but the deadline passed and it still wasn’t implemented. It was put back to March 2020 – to iron out many wrinkles that had been identified and to allow industry to be ready.
Then COVID-19 happened.
So where are we now with SCA and what does it mean for retailers?
On 30th April 2020, the UK’s Financial Conduct Authority (FCA) took pioneering action to reflect the market impact of Covid-19 on the payments ecosystem by confirming that the enforcement date had been further delayed to 14 September 2021. In its words: “to minimise potential disruption to consumers and merchants, we are providing the industry an additional 6 months to implement strong customer authentication (SCA) for e-commerce. The new timeline of 14 September 2021 replaces the previous 14 March date”.
In recent months, the UK Finance SCA Programme Management Office has worked tirelessly to understand the state of readiness of all stakeholders in the payments world and evaluate the likely impact of Covid-19. I commend the FCA’s continued engagement with the banking and payments community as well as their willingness to communicate clearly and publicly. Their approach is in stark contrast to that of the EBA.
It is worth replicating the FCA’s announcement here as there is no better way to convey the current position and what the response of all stakeholders should be.
Given the impact of the Covid crisis, we have decided to give the industry an additional 6 months to implement strong customer authentication (SCA) for e-commerce, by a revised date of 14 September 2021. This will minimise potential disruption to consumers and merchants.
We previously announced that the European Banking Authority (EBA) accepted that the FCA and other National Competent Authorities may give some firms extra time to implement SCA. EBA’s decision was in response to concerns about industry readiness to apply SCA to e-commerce card transactions, and to minimise potential disruption to consumers and merchants.
We expect UK Finance, as coordinator for the industry coordinating role, to discuss a detailed phased implementation plan and critical path with all stakeholders and agree it with the FCA as soon as possible. In the meantime, firms should continue with the necessary preparatory activities such as robust end-to-end testing.
Firms are required to take all necessary steps to comply with the revised detailed phased implementation plan and critical path to avoid the risk of enforcement action.
After 14 September 2021, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action.
Speak to your trade association and UK Finance to get more information on the agreed plan. We strongly encourage all firms to cooperate and engage with wider industry efforts to coordinate implementation of SCA in line with the plan.
In the meantime, firms need to continue to take appropriate steps to manage their fraud risk. We encourage them to be open and transparent with consumers and merchants to minimise the risk of unexpected disruption to payments.
Our agreement not to take enforcement action is meant to avoid unintended consequences for consumers and merchants. We expect:
Having been involved in the UK Finance SCA PMO Steering Group and the Financial Conduct Authority SCA Monitoring Forum discussions over the past two months, I am pleased that this clear statement has been made. It will bring helpful guidance to the many companies who are now focused on coping with the Coronavirus pandemic and supporting merchants at this very difficult time.
The delay also provides a further opportunity to rethink the continued misguided insistence by banks that One Time Passcode by SMS should be the primary factor in SCA. In recent Vendorcom forums, we have explored the exclusionary nature of SMS due to the poor state of mobile networks in Europe and the lack of security due to SIM swapping.
Regulators could also usefully use the next 500 days to align the pan-European response and ensure a common technical approach that will provide one, simple, baseline solution that can be more easily implemented and communicated to cardholders and consumers alike.
I eagerly, but with no great sense of a positive outcome, await the response from the EBA who last made a public pronouncement on this subject on 16th October 2019. Their continued distance from the realities of the merchant payments sector is astounding and only serves to underscore my previous impressions of a regulatory authority operating at odds with reality.
The biggest challenge facing the sector now is that the EBA seems to have learnt little from the experiences of 2019 and is continuing to demonstrate its complete lack of market empathy. Living in its apparently Covid-19 free cocoon and having made no public statement on SCA for over 200 days only serves to emphasise its remoteness and irrelevance in payments.
If only the National Competent Authorities (NCAs) could build on their collaborative ability and appeal to the European Commission to intervene, perhaps we could find a way through this ridiculous situation. In the absence of such an approach, the best we can hope for is for each NCA to define what is best for their own national markets and use their increasing proximity to the key influencers in payments to redefine the e-commerce identity and authentication landscape.
Of course, this will have a dramatic effect on cross-border trade and the European digital single market will be undermined – but perhaps this will provide the Commission with the justification for stepping in to save the European economy from the worst excesses of a remote and ill-informed regulator.