PSD2, SCA And Exemptions To The Extension

There may be extensions to Strong Customer Authentication’s (SCA) rollout this fall — and there may not. And, there may be exemptions granted by the EBA — and there may not. Ekata CEO Rob Eleveld tells Karen Webster why exemptions and extensions point to a larger issue surrounding the second Payment Services Directive (PSD2) regulation.

Sept. 14 will be here before we know it. That’s the date, as is well-known, that Strong Customer Authentication (SCA) will debut, a mandate set forth by the European Banking Authority (EBA) for all electronic payments over 10 euros.

The goals are admirable: namely, to protect consumers and give them more control over their data, to allow FinTechs to innovate, and to bring more security to transactions.

And the deadline, at least at first blush, seems reasonable. It has been known for more than three years, a timeframe that seems to be more than enough runway to prepare systems, consumers and their processes.

But as noted in the latest PSD2 Tracker, only 40 percent of merchants operating in the European Union that are aware of SCA say they are ready for that deadline.

In a conversation with Karen Webster, Rob Eleveld, CEO of Ekata, said that even more worrisome is the fact that 25 percent of merchants are not even aware of PSD2’s SCA requirement. That suggests that a quarter of merchants across the EU could start seeing declines in conversion rates a few months from now — and not know why.

Even this close to the deadline, research suggests that businesses have underestimated the complexity of compliance tools and the exemptions process, or they are unfamiliar with the latest version of the security protocol known as 3D Secure.

Some banks and businesses have lobbied for implementation delays amid the technological complexities involved. In the most recent calls for a time-out, the European Association of Payment Service Providers for Merchants (EPSM) has asked for an 18-month extension on the deadline and a 36-month extension for “challenging applications” that might be found in certain sectors.

The EBA said late last month that there may be extensions in the offing, but only on an “exceptional” basis.

Eleveld told Webster that the EBA’s actions point to the fact that payments represent a complex ecosystem with a lot of players. Naturally, every party in the payments ecosystem is concerned about the changes mandated by SCA, Eleveld said, while wondering what each must do in order to comply.

Eleveld pointed out that against a backdrop of three years’ worth of inertia, payment service providers (PSPs) are looking to merchants and wondering how much hand-holding they require. Merchants, in turn, are looking to the regulators for what Eleveld termed a navigable framework that provides consumer protection while also protecting their own flanks legally.

“Issuers may be concerned about being disrupted at some level by third-party providers who are enabled by the regulation,” Eleveld explained, adding that issuers have always had a monopoly on approving or declining transactions and have historically had the most data on their consumers.

He noted that the groups most likely to advocate for exemptions — and possibly even extensions — of the deadlines include issuers and merchants, who ostensibly hold the most power in the ecosystem. Those two groups, he said, will require the most effort to get in sync with SCA.

As laborious as compliance may be, any exemptions to the regulations will only prolong the effort.

“The regulators may well have just said, ‘Let’s push the whole thing back,’ because that’s what they do as soon as they grant one exemption,” Eleveld told Webster.

The possible exemptions from SCA also may set in motion a series of unintended consequences, he warned. If the EBA were to grant even one exemption, it would set off a clamor for similar treatment by other payments stakeholders, and lawsuits may wait in the wings.

The September deadline also shows the vagaries of a black-and-white approach to regulation, where all parties are mandated to come into compliance on a certain red-letter date — call it a “big bang date” — when a phased approach would have made more sense.

By way of contrast, Eleveld noted that in the business world, phased integrations of new products and services are common. As he told Webster, PSPs will not integrate Ekata’s offerings or data overnight. They will instead opt to run Ekata’s data in parallel, do a six-month look back and see how Ekata’s data loaded into the PSP’s model would perform against the baseline.

Speed Bumps Loom

Although the consumers may not be pushing back — as Eleveld pointed out, they may not even be aware at present what SCA entails — there may be a number of speed bumps in the road ahead.

As it exists now, SCA mandates that some friction be introduced to the checkout process, where customers must provide evidence of something they know (such as a password or PIN), an item they have (such as a phone or hardware token) and/or a biometric identifier (such as a fingerprint or facial recognition).

“The merchants are going to have to do some education,” Eleveld said.

That education could possibly come in the form of having consumers consent to online documents that stretch across hundreds of pages, or having them check off boxes the first several times they transact under the rules of this brave new eCommerce world.

Introducing such friction into eCommerce has the potential to be a conversion killer, spurring consumers to abandon digital shopping carts.

Companies that stand to gain from SCA will include the likes of Amazon, which has earned a high degree of trust from consumers and could take share from other companies.

Early adopters will include verticals that already have global reach, and businesses like online travel agencies, which will find it easy to integrate European practices into their own company-wide policies.

Challenges, said Eleveld, face companies and sites where customers want to conduct only a single transaction, and, frustrated by the checkout experience, abandon digital shopping carts along with the possibility of longer-lived relationships.

Looking To September

As September looms, might past be prologue? Eleveld observed that the ostensible preparation for GDPR stretched back years, but that a lot of scrambling for compliance occurred at the last minute.

The same events may echo this time around, he told Webster, as preparedness remains low, and perhaps some parties believe exemptions will be in the offing.

Rollouts will be choppy for banks and merchants, Eleveld predicted, with load balancing and latency issues that may escalate through time.

Call it a matter of meeting the letter of the law without meeting the spirit of it. But eventually, a silver lining, as described by Eleveld, may emerge amid growing pains.

As he told Webster, “If Europe figures out a way, which I think they will, to ultimately get this implemented, it is going to influence behavior elsewhere.”