You may have felt it earlier today – a sigh of relief originating from certain parts of the digital payments and commerce industry, a reaction to the news that the Financial Conduct Authority (FCA) has agreed to a phased implementation of the strong customer authentication (SCA) rules.
SCA, slated to begin on Sept. 14 as part of the Payments Service Directive (PSD2), stands as one of the most comprehensive global efforts to bring more security to online payments and eCommerce – while also, at least ideally, reducing the friction that can alienate consumers from merchants, financial institutions and payment services providers.
But a delay is not really a break – it just means more time for important work to be done, and for businesses and regulators to figure out what really works in the SCA space. In a new PYMNTS interview conducted just after the phased implementation was announced on Tuesday (Aug. 13), Karen Webster talked with Rob Eleveld, CEO of identity verification service Ekata, about what comes next.
Eleveld first put Tuesday’s news into context and offered the bigger picture around that FCA announcement – one that he foreshadowed in a PYMNTS podcast in April. “Think about what the delay does, and what the phased implementation does,” he told Webster. “There is starting to be guidance around the interpretation of the (SCA) regulations, and with all that guidance, all the players in the ecosystem are beginning to dial in.”
The phased implementation will give merchants and PSPs time to determine whether their own methods of operating under SCA compliance will indeed work for them while also pleasing regulators.
SCA mandates that some 300 million consumers will need to confirm their identities for most of their online purchases using two of the following: who they are (e.g., a fingerprint), what they have (e.g., a phone) and what they know (e.g., a password).
The phased implementation will span an 18-month period, and “reflects the recent opinion of the European Banking Authority (EBA), which set out that more time was needed to implement SCA given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers,” the FCA said in a press release on Tuesday.
According to the release, the FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA beginning on Sept. 14 “in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan.”
At the end of the 18-month period, the agency expects all firms to have made the necessary changes and undertaken the required testing to apply SCA.
As PYMNTS has covered, the U.K.-based Emerging Payments Association (EPA) published a report on the impact of SCA on the payments experience. The report found that 75 percent of issuers said they would be ready by the Sept. 14 deadline. Yet this meant compliance-ready, not operationally ready. Nearly three-fourths (74 percent) of issuers expected SCA to lead to an initial decline in user experience. Additionally, they predicted that as many as 25 to 30 percent of transactions could be declined in the short term unless a compliance timeline is agreed upon.
Over the next 18 months, Eleveld believes innovations will emerge to challenge the current outlook on SCA compliance and the conventional wisdom around the “who they are” part of the standard.
“There will be new innovations that may or may not meet the standards today, but provide less friction for the consumer and the merchant,” Eleveld said. “I think the industry wants less friction (while also meeting) the SCA requirements.” He added that the phased implementation plan could allow those tools to emerge and find approval among the relevant regulators and ecosystem participants.
Eleveld believes that over the next year and a half, new statistical evidence could emerge in favor of other authentication tools – that is, tools that are being worked on now, but are still too young or untested to play a role in the SCA authentication and security push. That could include a deeper look at using the behavioral traits of consumers when verifying their identities, Eleveld said. Such tools could perhaps offer an alternative to some biometric authentication makers over the longer term.
“If we can figure out a way to score someone on who they are, and do it accurately, why wouldn’t that count?” he asked. “If the score of behavioral activity that someone does online is just as accurate as retinal scanning, why doesn’t that count?”
Plus, he and Webster pointed out, in order for biometric authentication to be useful under SCA compliance plans, those tools need to offer more than just accuracy – they need to be ubiquitous. “You cannot assume that thumbprints will work in India,” Eleveld noted. “There are not a lot of iPhones in India.”
No matter what happens during this new phased SCA implementation, if things go as planned, the effort should deal some significant blows to passwords. But don’t expect much within one or two years, Eleveld cautioned – it might take up to a decade for lasting, meaningful progress, at least on that front.
Of course, it’s all still a work in progress – and tied to a relatively tight deadline. Eighteen months can go by quickly when it comes to securing online ID and authentication while also working to reduce friction in digital commerce and payments. The delay – announced just a month before implementation – also has the benefit of highlighting the importance of SCA, and of persuading laggards into action by demonstrating that the compliance program is moving from idea to reality, Eleveld told Webster.
“Even with this delay, SCA is the real deal, and will be a big part of the digital payments and commerce world going forward,” he remarked.
Now is the time to gain an edge.