Following our previous article commenting on the Secure Customer Authentication requirements (part of the Second European Payment Services Directive) (‘PSD2 SCA’) and their implications for payment trends in 2019, and following an announcement from the European Banking Authority (EBA) on 21 June 2019, the Financial Conduct Authority (FCA) has announced that the enforcement of PSD2 SCA is to be delayed for 18 months to allow for its phased implementation and to give businesses further time to prepare.
What is the PSD2 SCA?
Whilst the phenomenal rise in e-commerce in Europe has undoubtedly left consumers with greater levels of product choice, lower costs and flexibility when buying products, the incidents of reported fraud have also increased dramatically. The FCA has reported that in 2018 ‘cyber incidents’ at financial service providers had increased 1,000% and fraud losses on UK-issued cards had risen 19% to £671.4 million in the same year.
PSD2 SCA attempts to address this problem by improving security in the online payment sector, principally through an increased requirement to verify identity, so that payment service providers and banks know that the person requesting payment is either the customer themselves or someone the customer has consented to requesting the transaction.
PSD2 SCA seeks to achieve this increased security through the implementation of ‘two-factor authentication’. This will require some 300 million consumers across the EU to verify their identities for most of their online purchases using at least two of the following three independent sources:
- Something they know (e.g. a password);
- Something they are (e.g. facial recognition/fingerprints);
- Something they have (e.g. a mobile phone).
PSD2 SCA will cover consumer transactions which involve the electronic receipt or sending of payment (irrespective of the type of currency) so long as either the payee or the payer (or both) are located within the EU (unless an exemption applies). A transaction will not be covered by PSD2 SCA if one of the following exemptions applies:
- Low value transaction – typically card transactions below €30;
- Recurring payment – including subscriptions and membership fees – although the initial set up of the recurring payment/membership will require authentication;
- Whitelisting (‘trusted’) – this gives customers the ability to ‘whitelist’ retailers they trust – the initial transaction will be subject to the rules and future transactions exempt;
- Secured corporate payment – where the transaction is processed through a secured dedicated payment protocol and is initiated by a business rather than a consumer.
- Low risk transactions – this involves a ‘real-time’ risk assessment and the satisfaction of a series of complex conditions.
Why the delay?
A report published by Stripe, a payment processing provider, earlier this year commented that businesses had not fully prepared for the original PSD2 SCA deadline, with only 44% of respondents indicating that they would be ready for its implementation by the original deadline of 14 September. The EBA’s announcement itself also commented that industry had expressed concerns regarding their ‘state of preparedness’ for the new PSD2 SCA requirements.
The cost implications of adopting PSD2 SCA compliant practices and technologies are said to be a key factor behind the industry’s failure to adequately prepare for the original deadline. Many businesses have sought to counter this cost burden by partnering with third parties such as PayPal.
Whilst the industry’s lack of preparedness is clearly a significant issue for the implementation of PSD2 SCA, some have been critical of using this as a justification for the delay. Jason Tooley, Chief Revenue Officer at Veridium, commented that financial institutions and payment service providers have had two years to prepare for the original 14 September deadline to implement PSD2 SCA and had ‘no valid excuse for the delay’ beyond an ‘unwillingness to participate’.
The primary concern for providers and users of e-commerce technologies is that PSD2 SCA will add an additional step to the payment process and require the consumer to provide additional information in order to complete a transaction. It is said this additional step has the potential to inhibit e-commerce (the Stripe report estimated that PSD2 SCA’s implementation could cost approximately €57bn in lost economic activity). Whilst this may be true for some industries affected by PSD2 SCA, others, such as mobile channels and online banking providers, have already implemented the required two-factor authentication processes, meaning that it is unlikely they will suffer a decrease in transactions after the new enforcement date of 14 March 2021.
Whilst the decision to delay its enforcement will be welcomed by businesses who have not already taken the steps necessary to be compliant with the PSD2 SCA, the FCA has made clear that by 14 March 2021 it ‘expects all firms to have made the necessary changes and undertaken the required testing to apply the PSD2 SCA’ and has published a webpage summarising its expectations in this regard.
Those working in industries which will be affected by PSD2 SCA should use the added time granted by the FCA to prepare for the new deadline of 14 March 2021. In addition to continuing to appropriately manage the risk of fraud, those operating in the e-commerce and payment sector must review their existing systems and practices and find a way to incorporate the PSD2 SCA requirements in a way that will not prejudicially affect consumers’ accessibility to and use of the services they provide.
Failure to make the necessary changes and live up to the expectations of the FCA may expose businesses to enforcement action. The FCA has said that businesses that have failed to become compliant with the requirements of PSD2 SCA by 14 March 2021 will be subject to ‘full FCA supervisory and enforcement action as appropriate’. The EBA has also stressed that it is imperative that before 14 March 2021 businesses take the steps necessary to apply or request PSD2 SCA to ‘avoid situations in which payment transactions are rejected, blocked or interrupted’.