Cardageddon Or An Easy Ride? One Year Into SCA

December 20, 2021
Strong customer authentication (SCA) was the final compliance requirement to be borne out of the revised Payment Services Directive (PSD2) and, one year in, it continues to make headlines. Here is our round-up of some of the key events, challenges and voices of the industry that kept SCA in the news in 2021.

Amid rampant COVID-19 infections and the "will they, won’t they" concerns about the UK and EU trade agreement, there was something else that the payments world had to contend with: SCA.

Article 97 of PSD2 dictates that payment service providers (PSPs) need to apply SCA when a consumer accesses their payment account online; initiates an electronic transaction; or carries out any action through a remote channel that may imply a risk of payment fraud or other abuses.

SCA, meanwhile, is achieved through two-factor authentication. The directive defines this as authentication based on two or more independent elements, categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is).

This is so that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.

Member states go quiet on implementation

The year began with the expectation from the European Banking Authority (EBA) that SCA was to be rolled out in all 27 member states.

Yet, as VIXIO pointed out in the run-up to the deadline, this did not happen.

Throughout the first six months, countries including Germany and France opted instead to implement a "ramp-up". This meant that transactions over a certain amount would gradually become subject to SCA throughout the year.

France was one of the last countries, waiting until the start of July to fully roll out SCA requirements.

This relaxed approach to SCA implementation caused havoc for cross-border payments. Although the EU operates as one, mostly frictionless, market, transactions that transcended member states could be difficult to undertake when each member state had a different start date for becoming fully in scope.

"We haven’t found COVID-19 challenging in the Nordics, but countries that don’t have SCA compliance have been blocked, which is much more of an issue," said one Scandinavian issuer.

"Different supervisors are granting different exemptions and we can’t let the transactions through."

Throughout 2020 and into early 2021, the EBA did warn that countries pursuing ramp-up strategies would face repercussions such as legal action. However, any sanctions or censures for failing to comply have yet to be imposed by the banking watchdog.

The European Commission’s payments chief also acknowledged that the ramp-ups were taking place. In February, he said he was disappointed about the lack of coordination but told a conference audience that “we shall have SCA everywhere and that will be the end of this long-awaited saga”.

Is SCA working?

Preventing fraud was the goal of SCA. Yes, it can add friction and be frustrating for online transactions, but at least it would reduce fraud.

So far, data from the EBA suggests that this is beginning to be achieved.

“Based on the data collected, the increased application of SCA presented earlier in this report coincided with and may have resulted in a steady reduction of fraud levels,” a report published in June said.

For example, in the period between June 2020 and April 2021, the average value of fraudulent transactions across the EU decreased by approximately 50 percent from 0.12 percent to 0.06 percent for issuing PSPs and by approximately 40 percent from 0.17 percent to 0.10 percent for acquiring PSPs.

Although the report painted a positive picture in terms of fraud reductions and high rates of compliance, it did not mention the increased friction and transaction failures caused by SCA, which have caused havoc in the trading bloc.

This has been a concern among industry insiders, with one telling VIXIO in May that “failure rates and SCA are the words that seem to go together at the moment”.

Many industry and regulatory insiders were also less bullish during the year about linking SCA with a decline in fraud, considering the short time that it has been a regulatory requirement and the uneven rollout.

Statistics released by the European Central Bank (ECB) in November also suggested that card fraud had been falling anyway between 2015 and 2019.

The total value of overall card transactions used both domestically and internationally by cards issued within the Single European Payments Area (SEPA) increased 6.5 percent in 2019, nearly double the growth rate of fraud on cards (3.4 percent).

Consequently, fraud as a share of the total value of transactions decreased by 0.001 percentage points to 0.036 percent in 2019.

The ECB did, however, suggest that it would continue to fall in the future as a consequence of SCA.

What’s next?

One issue that has continued to cause significant concern throughout the industry was the requirement that account information service providers (AISPs) had to renew their authentication every 90 days despite no financial transactions taking place that could be at risk. Providers argued this was causing them to lose customers.

Following on from the UK, the EBA has begun to climb down from its original, more stringent, approach to SCA.

Following months of hinting at changes to the SCA rules regarding 90-day renewal, the EBA finally took action in October, launching a public consultation on the topic, with plans to increase the renewal period and a new mandatory exemption.

This move by the EBA followed an earlier concession that the 90-day account renewal rule had hindered customer retention for AISPs.

To address the impact of these issues on AISPs’ services, the EBA is proposing to introduce a new mandatory exemption from SCA for the specific use case when the access is done through an AISP that is subject to certain safeguards and conditions, to ensure the safety of the customers’ data.

To keep a level playing field among all PSPs, the EBA is also proposing to extend the 90-day timeline in Article 10 of the regulatory technical standards (RTS) for the renewal of SCA to the same 180-day period for the renewal of SCA when the account data is accessed through an AISP.

However, some payment insiders have complained that the move does not go far enough in helping AISPs, and could even be a case of just pushing the burden down the road.

“Taking the burden into account, it should be appropriate to have the SCA renewal extended for longer than the suggestion of 180 days,” one source told VIXIO in November, suggesting that an appropriate solution, given what the EBA is in a legal position to do to address the issue, would be to extend the SCA renewal to one year.

Yet, the EBA has remained on the defensive. At a conference in November, its payments chief, Dirk Haubrich, gave the payments world’s warring factions a dressing down, and even threatened not to make any changes at all, telling everybody that it is the responsibility of the regulator to ensure that everybody is “equally unhappy”.

“It has a particular aim of making life easier for TPPs. And if the TPPs complain about how this is not good enough, then we may actually come to the conclusion that we are not going to amend the RTS,” he said.

With the compliance requirements as ever on the cusp of change, it seems SCA has yet to completely take off, on either the regulatory or the commercial side.

And with PSD2 potentially becoming a PSD3 in the next few years, we can only anticipate that the changes will keep on coming.
