Have we avoided the SCA cliff edge?

In April 2018, two weeks after the Regulatory Technical Standards for Strong Customer Authentication (SCA) were posted in the European Commission’s Official Journal, I embarked on an SCA awareness programme mainly aimed at merchants. It could be argued that that campaign was pretty ineffective as it took until March 2019 for the regulators to wake up to the fact that the merchant payments ecosystem had been almost entirely ignored by the banks/issuers who had been focused on preparing for the wider impact of PSD2.

Yesterday, August 13, saw the first major milestone in turning SCA from an economically damaging programme to one that will achieve the positive outcomes that the European Banking Authority (EBA) idealistically and naively outlined in August 2016.

Success in the next 18 months will depend on defining and agreeing the deliverables, achieving the milestones set by the National Competent Authorities (NCAs) and on how both the payments ecosystem and regulators align to deliver an EBA-acceptable compliant outcome in 578 days.

The 18-month period of FCA, and hopefully other NCA, forbearance isnt the main story, it’s what happens in between that we should all now be focusing on and the next few weeks and months – particularly up to #SCAday will be crucial. I’d like to use this article to outline some of the main areas that I see as especially important based on three years of work across all stakeholders and my reading of the current landscape.

Consistency

Consistency across all banks/issuers in how they define and process a common set of acceptable authentication elements will be fundamental to success. This cannot simply be a set of look-alike, vaguely aligned approaches. A unified, defined approach across all banks/issuers is the starting point for a transitional rollout programme.
I have argued that promoting variant/competitive approaches to SCA with cardholders should be specifically proscribed by NCAs until banks/issuers have delivered (or are at the very least committed to deliver) a common, unified, foundational approach.

Taking this bold step is not unprecedented and, I believe, is the ONLY way to ensure a successful transition to a trusted payments environment.

I cannot emphasise this point too strongly in that, without an unambiguous stance from the NCAs that competition is outlawed, the banks have no authority to collaborate and will continue to communicate confusingly competitive approaches. Failure to achieve precise technical and operational alignment through collaboration at the outset will predetermine the failure of any managed rollout. This will also undermine the integrity of the card payments ecosystem for merchant-consumer online/mobile payments. Fraudsters will attack the ecosystem with ease, feeding on the confusion that will be inevitable amongst merchants and especially consumers.

Pan-European consistency is also crucial as a starting point – not just an outcome. As it stands, with the EBA’s lack of coordination, the Digital Single Market for consumer commerce is a pipe dream that will be consigned to history.

Engagement

The diverse, streamed, even siloed domains across the card payments ecosystem has prevented any one body being able to take a leadership position in the way that the card schemes did in the successful rollout of chip & PIN. In order to meet the EBA’s ‘condition that PSPs have set up a migration plan, have agreed the plan with their CA, and execute the plan in an expedited manner’ there should be a registration process that all technical and operational stakeholders (broadly issuers, ACSs, acquirers, processors, gateways, merchants) must sign up to. Essentially the associated message should be, “Get with the programme, or you will feel full force of SCA from 14th September.”.

This sanction is only really effective if initiated in the next month after which each stakeholder group will revert to the who blinks first approach that has frozen the industry since March 2018 – or arguably February 2017.

Regulatory conditions

Regulatory uncertainty has been the biggest single contributor to the failure of banks and issuers to respond in time. The transitional rollout plans that I have seen so far place insufficient emphasis on locking down the regulatory conditions. Such lock-down will be an incontrovertible determinant of a success. As such, any transitional rollout programme must have the regulatory authorities tightly bound into the delivery programme with key milestones, readiness monitoring and reporting as part of their obligations.

The problem does not start with the banks/issuers; it is the legislative and regulatory hotchpotch that needs to be clarified ahead of, or at least in concert with, the technical and operational work streams. I hope the EBA will accept that until the regulatory conditions are locked down, any NCA-led transition programmes will have delay and inconsistency, if not failure, built in.

Programme Management Organisations

PMO Governance

As NCAs set up Programme Management Organisations (PMOs) to manage the transition, the banking/issuing domain will have an instrumental, essential influence, but cannot be expected to chair a multi-stakeholder organisation impartially.

Banking/issuing trade bodies generally have neither regulatory sanction, nor economic influence over their own members or stakeholders from other domains. Any plan that such bodies propose will, even if unfairly, be subject to criticism from any aggrieved party. NCAs should ensure that the instrumental, essential influence of this dominant stakeholder group is protected and that the overall integrity of the transitional rollout programme cannot be impugned by specifically requiring that the PMO has a robust governance structure with an independent chair. I believe that PMOs should be independently chaired on behalf of the national political and legal authorities (e.g. Her Majesty’s Treasury in the UK) to ensure that those who determine the regulatory and legal conditions are accountable within the programme as outlined above.

PMO Structure

I remain unconvinced by the lack of transparent detail and rigour in designing those PMO work streams I’ve seen so far. My proposal would be for a two phase, four working groups model with Phase One ensuring the lock-down of the regulatory conditions (Regulatory Working Group) and technical standardisation (Technical Working Group), and Phase Two building and executing the operational rollout (Operations Working Group). Each phase should have ‘lock-down’ milestones. A Communications Working Group would be responsible for a distinct comms programme in each phase; Phase One for citizen/consumers as cardholders and Phase Two for merchants planning to rollout the technical standard and for citizen/consumers as merchant customers.

Technical considerations

OTP by SMS is fundamentally the wrong approach. In the UK alone, two million people will be excluded from ecommerce completely and 10 million people will have their ecommerce journey made clumsy and inconvenient.
Knowledge based questions are retrograde and will lead to social engineering based phishing attacks. The impact on payment fraud will be immense.

Any smartphone-based approach to biometric authentication is, at best, a five- to eight-year programme to reach a comprehensive level of market adoption and, as such, hardly meets the EBA’s requirement for NCA’s to execute transitional plans ‘in an expedited manner.’

Operational rollout

Clearly phased operational rollout streams will be needed to reflect the widely varying payment journeys of different merchant sectors. There should be at least three streams, each with a defined, revised SCA enforcement date that is determined by the output milestone of the associated Technical Working Group:

Technical Standard Lock-down Milestone +9 months for Merchant Category Codes in mainstream retail, e.g. grocery, fashion, DIY, department store, and equivalents;

Technical Standard Lock-down Milestone +18 months for Merchant Category Codes in extended/often international purchasing/ordering scenarios, e.g. hotels, travel agents, car rental, theatre bookings, concerts, and equivalents;

Technical Standard Lock-down Milestone +24 months for Merchant Category Codes in public sector institutions – both nationally and locally, where ubiquity and universal access is essential, e.g. local authorities, HMRC, Health Service, DVLA, Post Office, and equivalent.

Communications

The comms programme to date at an EBA, NCA and industry level has been lacking, and the information vacuum in the past eight weeks (since EBA’s Opinion of 21st June) has contributed to a reduction of effort towards technical and operational readiness. The lack of rigour, together with disengaged, ignorant, lazy and soundbite hungry journalists has given rise to a level of inaccuracy, interpretation and detail that has resulted in the wider ecosystem making the interpretation that the application date for SCA has been put back to March 2021 at the earliest.
Terminology is going to be crucial. I believe we should be very deliberate in the language, definitions and communication channels that are used, with one of the first steps being the creation of a Frequently Asked Questions repository together with a detailed, agreed glossary and templated communication resources made available to all stakeholders and media groups.

In the interests of good communication, I will be continuing with my SCA countdown on LinkedIn under the #SCAday and #SCA tags.

About Paul Rodgers

Paul is Chairman & Founder of European payments community, Vendorcom; European Evangelist at the World Wide Web Consortium for the Payments Sector; Mentor at fintech accelerator, Level 39; and Member of the UK Payments Systems Regulator Panel and provided the secretariat for the All Party Parliamentary Group on Payment Systems in the last session of the UK Parliament.

Paul is passionate about the payments industry and the benefits to be gained by driving innovation through collaboration. His work with Vendorcom ensures that all stakeholders in the industry are connected and have access to authoritative, independent information on strategic and innovative developments, standards, regulation and market opportunities. Paul is recognised for his broad perspective on industry matters as well as his independence, authority and pragmatism in dealing with the increasingly complex change that both merchants and solutions suppliers face.

About Vendorcom

Vendorcom is a forum/hub that connects seekers, solvers and shapers in the European Payments Community. It has the primary aim of building a sense of community in the payments sector, enabling all stakeholder groups to provide more innovative, effective and secure solutions to merchants of all types through collaboration on common issues.

Over the course of the last 15 years, Vendorcom has helped to shape the collaborative/competitive landscape in payments and has developed its reputation as Europes definitive forum for keeping in touch with whats what and whos who in payments. It is the most trusted, independent forum for both solutions providers and service users of payment systems in Europe.