In late May 2019, CleverAdvice issued a white paper to address industry readiness to implement Strong Customer Authentication. Our analysis highlighted that many players involved in the payment value chain were not ready to launch SCA in September 2019 as mandated by PSD2. The paper was put forward to the European Banking Association and European Commission that valued it along with other inputs from acquirers, issuers, processors and e-merchants. As a result, the EBA in their opinion of 21 June 2019 allowed member states’ National Competent Authorities to provide a transition period on the implementation of SCA based on PSP individual requests.
The main messages delivered to the regulators were that the industry as a whole was not broadly ready to launch Strong Customer Authentication and a strict enforcement in September 2019 as set by PSD2 would have had a negative market impact.
Reasons behind the unreadiness were mostly related to the late availability of the actual regulatory requirements to be met. The actual implementation period allowed by the regulation was shortened due to amendments to the final version of the regulatory technical standards (RTS) after it was issued. Similarly, specifications for 3DS 2.2 – the only version that supports all SCA exemptions – were issued months after the final RTS were published. As such the level of readiness of PSPs varied significantly and they were not in a position to offer harmonized SCA solutions, in particular with respect to exemptions. Also, most merchants did not integrate their systems to support SCA processes.
Customers will not benefit from non-homogeneous implementation
Fragmented implementation would have resulted in increased abandonment and higher costs for merchants and customers.
Many issuers expect to decline outright non-SCA authenticated transactions if their platform is unable to spot a request for an exemption. As most declines will be toward non-fraudulent transactions customers will not understand what’s behind the declines and be dissatisfied. In the event of a soft decline customers will be asked to authorize the transaction via SCA but some will be confused by the inconsistent processes and abandon altogether, resulting in lost sales and potentially a perception of ecommerce as inconvenient.
Unreadiness to manage exemption will result in more SCA transactions and higher costs as the cost of processing a SCA transaction is higher due to additional authentication steps required.
We estimate that applying exemptions will make processing cost 4% higher with respect to not applying SCA altogether, while applying SCA to all transactions will increase processing cost by over 9%.
Lower sales and higher processing cost are likely to drive merchants to increase prices of goods and services and/or fees while reducing advantages for their customers such as free shipping.
European authorities embraced our insights and provisioned a transition period to facilitate PSP in implementing SCA aimed at a harmonized ecosystem. Now PSPs that do not comply in full with SCA have up to the end of 2020 to optimize their online authentication processes and carry out appropriate testing.
As the SCA process requires an extra authentication step and involves customer intervention it has a negative impact on conversion at checkout. According to a recent piece of research banks lose 19% of transaction via SCA partly due to unfriendly processes but also longer checkouts. As such offering a user-friendly, customer-centric SCA process is paramount to limit abandonment.
Optimizing the SCA process
A lot can be done to improve SCA processes. By leveraging the combinations of SCA compliant factors as outlined in the EBA opinion of June 2019 issuers may offer more use friendly and quicker SCA processes resulting in improved conversion and happier customers which will lead to higher revenues and customer loyalty. Happy customers are also likely to engage other users via word of mouth, one of the most effective marketing tools and absolutely free.
Not all SCA compliant factors offer the same level of security. A good example are one-time-passwords sent via SMS. SMS OTPs have been violated in a few of instances at a number of banks in the UK and Germany while customers were authenticating transactions, resulting in frauds.
That is the main reason why we discourage application of SMS OTPs and tend to prefer in-app authentication, more secure – unviolated as of today – offers a more user-friendly user experience and quicker process. In addition, it is more mobile-friendly as no code need to be input in the device. This last consideration should not to be overlooked as over 80% of EU citizens purchase via a mobile device.
Liability apply during the transition period
Although PSPs will not be fined by NCA for not offering SCA until year-end 2020 they should act quickly as they will be liable for payment fraud due to non-SCA authorized transactions. In fact, Art. 74 of PSD2 fully applies from 14 September 2019 regardless on the transition period granted by the EBA. In fact, only the European regulator – the European Commission – has the authority to amend the PSD2.
About Marco Fava
About CleverAdvice
CleverAdvice is an independent professional services firm focused on the payments industry and member of the European Payments Consulting Association (EPCA). Areas of expertise include Open Banking strategies and use cases, Online Authentication/SCA, Digital onboarding, Customer journey, Commercial cards & payments, Instant payments, Conversion at checkout and Customer retention techniques.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now