Blog article
See all stories »

Strong Customer Authentication - a Litmus Test for Europe

For most of the past century, globalisation has been driven by large businesses. The very term multinational conjures the image of a giant corporation whose far flung units touch every corner of the world. 

The internet clearly has changed this equation significantly. Borderless and unparalleled in scale, it allows virtually any business, no matter how small, to reach customers anywhere. And in our part of the world, the European Union’s project of a Digital Single Market has added a political dimension to the technological progress. 

Harmonising regulation and making cross-border online activity easier for both businesses and consumers has played a big role in enabling a new generation of European founders to build and grow pan-European online businesses. Companies like Typeform from Spain, Doctolib from France, Catawiki from the Netherlands, or Voi from Sweden have expanded across the continent in very little time, providing economic success stories of European integration.

However, a massive change to European online commerce is now upon us Strong Customer Authentication (SCA) is one of the biggest regulatory disruptions to the world of payments in decades - both for merchants and consumers. Much has been said about its potential impact. While it will help to tackle fraud online, which threatens to undermine our trust in the internet economy, the economic loss that comes along with the new rules could be as high as €57bn across the continent, due to more friction in checkout processes. 

The reality is that a large part of the industry is still not ready for this seismic shift, despite the original deadline now having passed. On 21 June, the European Banking Authority (EBA) published an opinion which opened the door for national regulators to delay the enforcement date for SCA. While this was done with the good intention to give Europe’s online economy more time to prepare, it has actually confused a complicated situation even more by increasing the level of fragmentation across the continent in a way that could be a real threat to the Digital Single Market.

The decision of individual national regulators to interpret the EBA guidance differently and set their own roadmaps and enforcement deadlines of varying lengths is disturbing. This adds an extra layer of complexity to an already complex piece of regulation, and it could have deeply damaging consequences for online commerce. 

Cross-border payments, after all, have become the norm and many online businesses sell internationally, many of them from day one. If there are multiple rules by multiple actors in multiple countries, it will mean a disintegration of the European idea of a Digital Single Market, at least from an economic perspective. 

A joint e-commerce and payments industry statement this month recognised the threat of fragmentation, arguing mismatched enforcement would result in “inconsistent user experiences and confusion to consumers.”

Concerns about this threat are not unfounded. We’re already seeing a disparity in how regulators have taken on the EBA guidance. Some regulators took a liberal view on whether to push back enforcement. France, for instance, mentioned a three-year, no-strings-attached delay project. 

Others might not take up the offer at all. Others still found a middle ground - the UK and Germany are each looking at delays of 18 months. This could mean payments in one jurisdiction needing to be doubly authenticated, and others not. We’re unlikely to get more clarity on what to expect before the September deadline. At this point, there are two conclusions to be drawn from witnessing the discussion:

On a more pragmatic level, it’s important for online businesses to be aware that while there may be a delay of enforcement by some country regulators, they should still focus on getting ready for SCA, not least because some issuing banks may decide to not take up on the delay proposal, and instead apply SCA on day one. While the exact date of enforcement might be unclear, there are solutions ready and waiting to help merchants reach compliance and still keep up their conversion rates. These solutions can help them to apply SCA exemptions where possible, and ensure two-factor authentication is only applied when necessary.

On a more general level, the ongoing debate about a delay of SCA enforcement will be a litmus test for Europe’s unified approach to regulating technology. In times of growing nationalism, the European Union offers a counter-model of cooperation and integration – but only if national regulators reach consensus about how to deal with the enforcement delay across the different member states. 

Anything else would send a harmful signal in uncertain times, and significantly weaken the Digital Single Market. What is more, as SCA does not apply to non-EU companies, it would mean a real disadvantage for European technology companies. In the interest of Europe’s online economy, let’s hope national regulators find a way to harmonize the introduction of the new rules.  


Comments: (4)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 16 September, 2019, 11:58Be the first to give this comment the thumbs up 0 likes

Great post. From my experience of 2FA in India over the last +5 years, I totally agree with you that SCA could cause massives loss of sales due to higher friction in the checkout process as also due to greater risk of failed payments.

I used to regularly pay with credit card online for +10 years before 2FA was mandated for online payments in India around 5 years ago but after 2FA was enforced, I switched to Cash on Delivery or Card on Delivery for all my online shopping in India (although I continue to use credit card outside India).

I wrote about this four years ago in Why I Went From Card To COD. Two years ago, I pointed out that Cash Still Ruled Ecommerce In India.

A Finextra member
A Finextra member 26 September, 2019, 08:38Be the first to give this comment the thumbs up 0 likes

i think the unknown is always a concern, and new regulations are rarely seen as things that will make things easier, but I do genuinely feel that with the right APIs and 2FA, that SCA and Open Banking will bring about an easier way of working with reduced friction for many different kinds of offerings.

I see the potential for things to work like they do in Estonia, where I don't need to put my card details in anywhere online. I merely give permission to my bank to pay with a strong 2FA. Far faster, far safer, and far more convenient for everyone involved. 

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 26 September, 2019, 13:30Be the first to give this comment the thumbs up 0 likes

2FA is not unknown - it's extremely well known. I've been facing it for +5 years. Many new regs are seen to make things easier e.g. FPS, Open Banking. Going by my personal experience and the publicly-expressed opinions of Stripe, et al, it's naive to believe that SCA / 2FA will bring about an easier way of working or reduce friction. TBH, I don't see the relevance of Estonia example of 2FA with Bank in the present context where the 2FA is with Merchant. 

A Finextra member
A Finextra member 27 September, 2019, 11:28Be the first to give this comment the thumbs up 0 likes

Sorry, Ketharaman, you misunderstood, I meant SCA was unknown. 2FA is well known, but I fear, it needs to be far more well known!.

The Esotnian example was to say that all online purchases in Estonia, for years now, have required strong customer authentication, while at the same time, not required any of these online merchants to receive or store credit card information.

And that way of working, in my experience, has been far more convenient and faster than ordering things online in any of the other countries I've lived in. 

Faster, simpler, safer.

Now hiring