Deep Dive: How Banks and Payment Providers Are Addressing PSD2 and SCA Complications

An almost unfathomable amount of money crisscrosses the globe each year, with $156 trillion expected to move across borders annually by 2022.

These payments include everything from multibillion-dollar corporate acquisitions to migrant workers’ small-value remittances, yet they all share the same burden of authentication. Each transaction must be scrutinized to ensure it is not borne from fraud or other schemes, as criminals often attempt to conceal the sources of their funds by funneling them through other countries.

Governments around the globe are taking steps to curb this fraud and money laundering, with some of the most sweeping changes coming courtesy of the EU’s revised Payments Services Directive (PSD2). The regulation institutes a new wave of authentication and verification requirements for all payments, including those that cross borders. It mandates strong customer authentication (SCA), abolishes surcharges on most consumer credit or debit transactions and reduces individual consumer liabilities or unauthorized transactions.

Banks, payment processors and other payments players now are scrambling to achieve compliance before SCA takes full effect in March. The following Deep Dive explores why meeting the regulation’s requirements can be a tall order and how businesses across the continent are rising to the challenge.

PSD2 and Its Authentication Challenges

Payments authentication can be a complicated affair even for domestic transactions, and international payments tend to be particularly complex. The data being authenticated can be unstructured, incomplete or otherwise difficult to verify, leading 10% of all payments to require inspection from a human analyst.

Detailed regulations in the countries from which funds are sent or in which they are received also can hamper authentication, with additional hurdles cropping up at any correspondent bank along the way. Experts estimate that up to 5% of cross-border B2B payments require more investigation than automated systems can handle, for example. These data challenges and redundant security checks result in these payments taking far longer than their domestic counterparts. The average international B2B payment time frame can stretch to 32 days, whereas the average domestic payment averages just 21 days.

PSD2’s initiative to reduce payments fraud is commendable, but its mandate for SCA could cause more bottlenecks for banks and payments processors. SCA regulations mandate most payments to require a multifactor authentication (MFA) process including two of the three following verification types: a knowledge-based authenticator such as a PIN or password; a hardware-based credential such as a physical security key or a code sent to a smartphone; or a biometric credential such as a fingerprint or facial recognition scan.

The deadline for SCA compliance has shifted several times over the past couple of years to give businesses more time to upgrade their authentication systems. It was recently moved to March to account for the challenges many merchants and payments companies have faced during the pandemic. These organizations have been working overtime to meet the latest deadline, however, and many of them seem positioned to hit the ground running.

Businesses’ Readiness to Meet PSD2 Standards

SCA requirements affect transactions in different ways depending on a payment’s final destination. Those that begin in the EU and leave Europe at any point during the transaction are not bound by two-factor authentication (2FA), for example, but payments between EU member states must be in full SCA compliance. This means merchants that primarily transact outside Europe likely will be less affected by PSD2 in general, a welcome relief for an industry that has more complex processes than any other.

EU payments providers have been working hard preparing to meet SCA regulations once they take effect, and they have benefited greatly from the deadline extensions. A January 2018 study found that just 75% of firms at that time felt they were ready to meet the EU’s standards, with that number dropping to just 58% when customer and payment authentication both were taken into consideration.

Reported readiness increased significantly in more recent research, which found that 99% of EU merchants were able to meet SCA standards. It also revealed that 94% of payment cards were equipped to handle SCA obligations, and that 82% of payment service users were enrolled in an SCA solution.

It is unclear whether the EU will grant another SCA deadline extension after the most recent one has pushed it to March, with the most likely variable being the ongoing pandemic and its effects on the European economy. Statistics indicate that merchants and payments providers are ready, however, and can enable payments authentication to meet even the most exacting EU standards.