Friday the 13th is coming – is banking ready?
The deadline for the Second Payment Services Directive (PSD2) compliance is rapidly approaching. The deadline for the vast majority is actually 12am on the 14th – the European Banking Authority (EBA) announced limited extensions on “an exceptional basis”.
Even with this potential extension for the few, it’s safe to say that the industry is getting more than just a little nervous. Unfortunately, it is obvious that many of those who need to be ready for it won’t be.
The real immediate concerns stem from a key part of PSD2 – Strong Customer Authentication (or SCA as it’s known). SCA mandates that a two-factor authentication be applied to all electronic payments – with some exemptions, namely transactions below £30.
Fundamentally, SCA is a good idea – it should help reduce fraud and make paying online safer for customers – whether that’s making payments to friends, families or businesses, or when shopping online.
Are the banks ready for all affected journeys?
Banks in the UK are ready for payments from their own platforms. When you’re making payments via online banking or in a banking app, you are probably already using two-factor authentication in certain cases, and pretty much always when setting up a new payee. The way you authenticate may well change a little, especially if you’re using a physical token – like a card reader. A key thing that makes SCA more than just two-factor authentication is dynamic linking – which means you’ll likely need to enter the account number you’re paying to and the amount into your card reader when making a payment.
Where SCA gets a little scarier is when you look at two other journeys:
- Linking an account to a third-party service
- Making card payments when shopping online
The first of these is a key part of PSD2 – it allows regulated third-parties to access your data and initiate payments on your account. Currently many third-parties rely on screen-scraping – the process that collects your login credentials and uses those for access. From September, this will no longer be allowed and SCA must be applied to the process. The ideal solution is for banks to offer APIs. In the UK, the big banks – and a growing number of smaller ones – have done this, but the rest of Europe has been much slower to get these in place.
What about APIs and merchants?
A recent assessment of 100 banks across 12 markets by Tink showed that just 65% of banks have production APIs in place – the deadline for having these available to developers has already passed – this number falls to 37% if you exclude the UK. The impact of third-parties relying on account access could be dire if they are unable to use these APIs or if they cannot access accounts using a process that is SCA compliant.
However, this is almost a side-show to the real issue – online card payments. Here the problem does not lie with the banks or most big payment service providers – but with merchants. The online checkout process of every single merchant must adapt to SCA. This is not an issue for big retailers – the Amazons of this world – but you may be surprised at the scale of some firms that aren’t ready.
The very real fear in the industry right now – if the limited exception remains for the limited few – is that if merchants fail to adapt, there could be a huge number of failed transactions from September 14th – you may want to do your Christmas shopping a little earlier this year.
Do customers even know about SCA?
So, what is actually going to happen? The worst case is that many businesses will lose the ability to transact online and go out of business. The only flip-side is that perhaps this is the thing that will re-invigorate the high-street.
The other is that suddenly everyone will get ready for September. There are more headlines in the industry press, but unfortunately not the mass public communication needed to make people truly aware. A key learning for the industry is that changes like this must be communicated – having attended a few conferences this year on the subject myself, it’s clear everyone knows we need a mass communication plan, but nobody wants to be the one to do it… I guess it’s difficult to really know how to talk to customers about things like this?
Will the EBA be convinced that it needs to offer an extension to the masses, giving all the different players involved more time to adapt? This is the best hope and fingers-crossed, it will happen. The EBA’s announcement of a limited extension for some merchants is a sign that we’re a step closer to that eventuality, even though the EBA believes that “sufficient time has been available for the industry to prepare”.
Who’s really affected by a potentially missed deadline?
On reflection, the real pain in all this is that PSD2 and SCA should not be coming as a surprise to anyone – it’s not like the rules were written yesterday; in fact, they were announced in 2015. Furthermore, the losers in all this will not be the banks or big businesses; it will be medium and small businesses, and their customers. This could be a massive blow to trust in the system.
Businesses who are reliant on those providers will look for alternatives if they are let down – and there are plenty. Have you heard of AliPay?
By Chris Ward, Principal Consultant at Mapa Research
This article is also featured in the summer July/August 2019 issue of the Banking Technology magazine.