Consumer protection compromised as European countries dismiss PSD2 strong customer authentication deadline
Jason Tooley, Chief Revenue Officer at Veridium, comments on the unacceptably high number of European countries allowing businesses to postpone the enforcement of SCA.
One of the most important pieces of legislation designed to protect consumers from the rising tide of fraud – strong customer authentication (SCA) under the second Payment Services Directive (PSD2) – has hit hurdles. SCA was a crucial element of the regulation due to be enforced in September. However, the European regulators have bowed to pressure from the financial services sector to grant extensions, with more and more companies opting out and claiming they are not ready.
Considering a staggering record 323,660 cases of fraud were reported in 2018, with fraud losses on UK-issued cards increasing 19% to £671.4 million, consumers are critically in need of SCA to combat this rise and see their transactions safeguarded. Applied to all transactions conducted in the European Economic Area, SCA was designed to make online payments more secure, and will mean consumers must approve online payments over £28 through a double layer of authorisation. Two of the following three methods of authentication must be provided: something they know (a password), something they have (receiving a code), or something they are (biometrics).
The financial services industry has clearly not kept pace with innovation and has been reluctant to prioritise SCA, with insiders expressing misguided concerns over the potential negative impact on user experience acting as a deterrent to sales. On 21 June 2019, the European Banking Authority (EBA) buckled under pressure applied by banks and payment providers, and published new guidance allowing national regulators to delay the SCA enforcement date for select businesses that apply.
Following widespread lobbying from the industry, the UK’s Financial Conduct Authority (FCA) went on to announce an 18-month delay – alongside the authorities in almost every European country, from Poland to Italy. This highlights the ongoing unpreparedness of the industry as well as its disregard for consumer protection; companies have had nearly two years to comply, and there is no excuse other than a reluctance to participate. It is disappointing to see such resistance from the financial services sector towards integrating SCA into its services, seeing as many organisations viewed this as a business differentiator.
The effect of the lengthy deadline delay on consumers must not be overlooked; SCA will not act as a deterrent to sales as some have wrongly proposed – it will enable consumers to feel more confident when buying online. Consumers will only see minor changes to their day-to-day spending, and the additional layer of security on higher value payments will enable consumers to benefit from safer and more innovative electronic payment services.
The market opportunity to redefine SCA using a combination of possession of a digital device, biometrics and implicit intelligence should enable financial services organisations to meet the regulatory requirements without the concern of damaging the consumer digital experience. The impairment of the customer experience is high on the list of reasons behind the lobbying for delay. The cost implications of maintaining a legacy strong authentication approach are also viewed as prohibitive when the costs associated with passwords, tokens and SMS-type one-time password communications are calculated.
The requirement to facilitate adoption and acceptance remains a fine balance: a great digital experience on the customer's own digital device, with the added comfort of increased security that reduces concerns about fraud and identity theft. Leveraging biometrics and behavioural-based artificial intelligence transforms the approach that banks can deliver and customers can adopt, and removes the risk of non-compliance with regulation.