Fireside chat with Tim Richards and Paul Rodgers on what needs to be done about SCA

The Paypers has sat down with Tim Richards, Principal Consultant at Consult Hyperion, and Paul Rodgers, Chairman & Founder of European payments community, Vendorcom, to find some answers to why, and what needs to be done about it?

Tim: Hi Paul. Last Saturday was the date when PSD2’s Regulatory Technical Standards for Strong Customer Authentication was supposed to be applied. So, what’s happened?

Paul: Hi Tim. Well, it’s not happening, at least not in any sensible way.

Tim: So, give us a bit of background to what was supposed to happen and where we now find ourselves.

Paul: Well, Tim the Regulatory Technical Standards for Strong Customer Authentication were applied in the EU Official Journal on the 13th March 2018; 18 months ago. The basic requirement was for all electronic payments to be two-factor authenticated using something you know something you have or something you are from the 14th September 2019. That gave the payments ecosystem 18 months to deliver the necessary solutions. Of course, the reality was that without the immediate instigation of an industrywide programme, even an 18 month timeframe was never going to be enough to ensure that the market was ready. As it turned out there was very little action - certainly for the first year - and regulators only acknowledged that there was going to be a problem in June this year – three months before the application date!

Tim: So, what is happening now?

Paul: Well, some banks are in the process of introducing SCA anyway, some aren’t. Most merchants won’t introduce it online until other merchants are forced to because it introduces friction into the payments process – which could lead to increased abandonment at the online checkout. We will see a lot of confusion, although not as much as if they’d gone ahead.

Tim: But SCA on 14th September 2019 was written into European law wasn’t it. How can this be delayed?

Paul: That’s very true and the legal application date for SCA remains as 14th September 2019! So, in essence, the legal requirement remains – It’s just that the so-called National Competent Authorities (NCAs) have been granted a period of ‘supervisory flexibility’ by the European Banking Authority during which the rules won’t be enforced. I’d been calling for a transitional period since April 2018 and following more recent pressure from acquirers, processors and retailers, the EBA came to their senses and published an Opinion that – informally – allows national regulators to delay the introduction of SCA – so that’s what they’ve done.

Tim: Why?

Paul: The banks weren’t ready and that cascaded all the way through the ecosystem meaning retailers and the wider merchant community wouldn’t be ready. Most consumers didn’t understand what was going on – either from a cardholder perspective or as a retail customer. Retailers were warning of chaos if they went ahead with all sorts of impacts on ecommerce and general economic activity in the EU. If they’d not made a change, we think there would have been a major problem not just for a few ecommerce merchants, but for the economy as a whole.

Tim: But, as you said, everyone’s had 18 months to prepare and knew about it for at least a year before that. Isn’t that time enough? Why does everyone need more time?

Paul: There are four main reasons – first, the merchant payments ecosystem is way more complex than banking regulators had allowed for and lead times for introducing new technology right across the business and consumer world needs rather more effort than a regulator’s magic wand. Secondly, the regulators didn’t seem to realise that consumers and merchants weren’t covered by the regulation but were critical actors in card payments. Thirdly, it’s because the regulatory advice has been really slow to emerge – the EBA Opinion only came out mid-summer and that provided important clarifications which fundamentally changed the direction so that even those who had been preparing had to backtrack on their efforts. Fourthly, banks and card issuers haven’t communicated well and we hadn’t got a consistent plan for how they will implement SCA, or communicate to consumers or merchants. So, it’s been confusion at every stage!

Tim: Is this just in the UK or is it wider?

Paul: Oh no, it’s Europe-wide. Almost every national regulator we’re aware of has now pushed out the deadline for SCA - most by 18 months. There are some variations in what that means, but largely we’re now looking at a March 2021 deadline. And a good job too, introducing SCA in the run up to the vital Christmas retail period was a disaster waiting to happen.

Tim: But, basically, this still sounds like a mess. Merchants aren’t ready and we’re seeing consumers presented by different SCA experiences from different banks and the new API TPPs are complaining that their user journeys are being ruined by lack of consistency in issuer SCA.

Paul: Yep. On the merchant side the fast track to SCA for cards is 3D Secure and the version that supports the best customer experience isn’t even ready yet. Some merchants are on the new version 2, some on the old version 1 and the majority aren’t on anything at all. And the consumer experience ... well, let’s say it’s sub-optimal. That’s putting it kindly.

Tim: But there are other forms of SCA aren’t there – Apple Pay and Google Pay are basically compliant with PSD2?

Paul: So are you saying the EBA and European Commission’s intention was to boost Apple and Google?

Tim: Well, no, it’s another unintended consequence, isn’t it?

Paul: Yes. The Apple and Google approach is probably closest to the ideal way forward – using a mobile phone together with biometric authentication through a bank app will give the smoothest SCA experience for the greatest number of people, especially if we can link that to behavioural biometrics – keystroke analysis and suchlike. But that’s not really ready for most banks and it would still exclude a lot of people who don’t have or don’t want a smartphone.

Tim: In your view what needs to be done in the next 18 months to solve this?

Paul: The EBA has insisted that banks produce communication plans to bring consumers and merchants on board – which is a start - but as you pointed out earlier, we still don’t have a regulatory position that’s locked down. In general, unless there are significant changes made to the way this is being rolled out, we don’t stand a chance of delivering in 18 months. It’s perfectly clear that by allowing banks to compete on their SCA implementations – actually it’s more like preventing them from collaborating – we’ve ended up with a patchwork of approaches that offer no consistency for consumers or merchants and is preventing any kind of standardisation.

Tim: Yeah. I think of this as like introducing customer authentication at the POS but not mandating chip & PIN – so anytime you approach a terminal you’d have to change authentication method based on Issuer and merchant. So, are there any sensible proposals out there about how to address this? It doesn’t sound like the delay itself is going to solve a lot of the problems.

Paul: In issuing its Opinion in June, the EBA opened Pandora’s box on SCA by allowing each of the NCA’s to decide how best to apply ‘supervisory flexibility’. Whilst they did suggest that there were conditions, saying that it should be on an ‘exceptional basis’, required NCAs to ‘monitor execution’, wanted to see ‘swift compliance’ and achieve ‘consistency across the EU’, only the French and British NCAs have made sensible proposals. The UK’s FCA approach is most robust with UK Finance having been asked to coordinate things. Their proposal is substantive and whilst it doesn’t come close to delivering SCA, it is bringing a more consistent approach around authentication by One Time Passcode issued by banks to cardholders by SMS.

Tim: OK, so we have a rough theory of how this ought to work: regulatory alignment, banks being allowed to come up with common forms of SCA and a roadmap that leads us towards more frictionless forms of authentication. Is 18 months enough to get all that done?

Paul: Well, the French don’t think so, they’re suggesting it’ll be 2022 before things are sorted! The most important thing to focus on is that it’s taken us 18 months to deliver not a lot, so we all need to focus on the challenge ahead and we can at least be well on the way in 18 months’ time. We can get a core, common authentication framework in place and make sure consumers and retailers know what’s expected of them. And that gives us the platform for a genuinely revolutionary program – essentially gold standard customer authentication.

Tim: Do you think it’s all worthwhile? There’s a huge amount of cost and pain involved in making this happen?

Paul: Whilst the regulatory approach to this has been way too prescriptive and should have taken the form of mandates on achieving low fraud levels in electronic transactions through collaboration in the banking and payments domains, it is indefensible that, 15 years after we locked down fraud in face to face payments, we still haven’t sorted out ecommerce and mobile security. The pain will be worth it as the alternative is having an insecure payments ecosystem that undermines confidence in the economy as a whole and exposes the most vulnerable in society.

Tim: Absolutely agree. SCA is necessary, but this has been unnecessarily painful. Anyway, thank you, Paul, that was very illuminating.

Paul: You’re welcome, Tim.

About Tim Richards

Tim manages Consult Hyperion’s digital payments practice where he has specific responsibility for digital payments, open banking and tokenisation projects. He has worked on PSD2 and open banking projects for issuers, acquirers, international payments schemes, fraud solution providers and fintech companies and was specified tokenisation solutions for major industry players. Tim has 30 years’ experience in secure processing systems having worked in the payments, transit and digital identity sectors on solutions as diverse as transit ticketing key management, HCE and mobile payments, ICAO e-passports and travel cards, remote management of multi-application smart cards and, of course, EMV.

About Paul Rodgers

Paul is Chairman & Founder of European payments community, Vendorcom; European Evangelist at the World Wide Web Consortium for the Payments Sector; Mentor at fintech accelerator, Level 39; and Member of the UK Payments Systems Regulator Panel and provided the secretariat for the All Party Parliamentary Group on Payment Systems in the last session of the UK Parliament.

Paul is passionate about the payments industry and the benefits to be gained by driving innovation through collaboration. His work with Vendorcom ensures that all stakeholders in the industry are connected and have access to authoritative, independent information on strategic and innovative developments, standards, regulation and market opportunities. Paul is recognised for his broad perspective on industry matters as well as his independence, authority and pragmatism in dealing with the increasingly complex change that both merchants and solutions suppliers face.