With the EBA announcing a revised deadline for migration to Strong Customer Authentication (SCA) of December 31st 2020, how have industry players reacted and what now needs to happen make the transition a success?
JPMorgan has welcomed the EBA’s announcement of the revised deadline for SCA, both for its clarity and its decision to propose harmonised implementation of the regulation.
“Giving both issuers and acquirers clear milestones ahead of the new deadline provides a natural glide path that will be vital for a smooth and consistent migration across Europe,” says Brian Gaynor, executive director of production solutions at JPMorgan.
“While it’s tempting to relax a bit with an extension, we urge payment providers and merchants to avoid kicking the can down the road and on-board new SCA implementation systems early to iron out any kinks and ensure they are fully compliant in time for the
revised deadline.”.
The EBA is asking regulators to use this period to monitor migration plans across the industry, rather than “pursuing immediate enforcement actions” against non-compliant payment service providers.
Duncan Barrigan, chief product officer at payment fintech, GoCardless, calls this window “a golden opportunity” to review processes and design a solution that offers customers a convenient but secure experience.
“The clock is ticking and, to stay out of the EBA’s firing line, businesses need to shape up for SCA,” Barrigan adds.
Mock exam
The EBA’s earlier announcement of a deadline extnsion on 21 June was somewhat inevitable as complexities in SCA continued to emerge with the September deadline looming large.
“Some of the definitions were made quite late. Whether authentication by text message would be enough, that kind of thing,” says Søren Rode Andreasen, chief digital officer at Danske Bank.
Andreasen highlights to Finextra the difficulty in implementing SCA in the best possible way, avoiding negatively impacting usability through over-implementation while achieving full compliance.
Brian Gaynor believes that the industry will be sufficiently prepared now it has had its “mock exam”.
“Having the September deadline there definitely focused the mind in terms of knuckling down and having an agreed protocol in place,” he tells Finextra.
“I think that when we have a second go at it, the industry will have joined-up thinking and understanding of how everyone else in the ecosystem is going to work.”
Payments company Stripe, for example, has published a report finding that SCA will disproportionately affect small businesses. The research states that three out of five businesses with under 100 employees are unfamiliar with SCA.
Communication, communication, communication
One area of concern will be of educating consumers to ensure they are not met with unexpected obstacles, causing purchases to take longer or even be abandoned altogether.
Stripe’s report found that 73 per cent of consumers are not aware of the new authentication requirements and 74 per cent of Generation Z shoppers have abandoned an online purchase at the checkout in the past six months due to a bad experience.
“In Ireland, there were radio ads explaining SCA and all the banks sent communications out to their customers,” Gaynor says.
“But SCA is a hard thing to portray and so it’s difficult to reassure people and avoid that friction.”
Some might argue though that friction is unlikely for a smartphone-savvy customer base well versed with two-factor authentication. With a good deal of online shopping being carried out on mobile devices, SCA may not cause a great stir.
“In the financial space, where fraud and cyber attacks have been front and centre for many years now, companies have already been looking at authentication methods and have generally settled on mobile app-based push-authentication as the best means of doing
so,” says Nabeel Saeed of cloud communications platform, Twilio.
However, there will still be a need for education around SCA to prepare consumers for its wider prevalence.
There is also the potential obstacle of the enrollment process, in which consumers link two-factor authentication with their payment method.
Merchants will therefore be concerned about friction in their sales processes, given that getting customers to visit their website and put items in their basket can be difficult enough without adding another obstacle.
“I think SCA will absolutely be a success in terms of reducing fraud, but the industry needs to be better prepared and we need to have a communication campaign that runs across the whole ecosystem,” Gaynor concludes.
On the same page
In the announcement of the December 2020 deadline, the EBA recommended “a consistent approach towards the SCA migration period across the EU,” a view likely to be shared across the ecosystem given the fragmented nature of payments and ecommerce.
“There are around 450 issuers across Europe that need to implement SCA, and there needs to be consistent approach, complex as that is,” Gaynor sums up.
There are concerns about the potential friction caused in a transaction involving a customer who resides in one country, a website headquartered in another, and a bank account or card provider based in a third.
“We have branches and operations in so many different European countries, so we can see that different places have different starting points,” Andreasen tells Finextra.
Customers in Northern Ireland or the Nordics for example are well versed with the identity schemes that are in place for logging onto online banking or government websites.
“You have the same user experience no matter where you shop or which bank you have, so we’re in a far better situation in those countries.
“In Britain, however, it’s a little more difficult because there isn’t a universal scheme in place, which can lead to a fragmented user experience.”
Practice makes perfect
The 14 months until SCA will be enforced should give banks, payment companies and merchants the window needed to get to grips with how the ecosystem will operate. Again though, a consistent approach is vital.
One such area is the upgrade from 3DS to 3DS 2.0. As its use becomes more prevalent, it is important that certain regulators do not start to enforce the regulation in full, causing transactions to be rejected needlessly.
“We’d like to see players start using 3DS 2.0, but without any compulsion during this period,” Gaynor says.
“On both sides, people need to be get used to 3DS 2.0, be comfortable with how it works and ramp up the volume of transactions that they’re subjecting to authentication, but without anything compelling them to do so.”
With full commitment to use 3DS 2.0 and other facets of SCA throughout this period, and appropriate communication to customers, the industry would then be fully prepared to turnup the dial to full at the end of 2020.