With the deadline of 14th September tomorrow, PSD2’s new SCA (Strong Customer Authentication) requirement will have a big impact on the way merchants take payments from customers. TFT digital editor, Charley Brooke Barnett, spoke with David Gardner, partner at law firm TLT, to explore the implications of the new regulations.
Charley: Is there a risk of the sector becoming complacent with the delayed SCA deadline?
David: There may have been many sighs of relief following the FCA’s recent announcement that it would not take enforcement action relating to SCA non-compliance following the implementation deadline on 14 September. However, there are some good reasons for both the payments industry and merchants to avoid complacency and act quickly. The FCA announcement does not change the deadline and only offers limited relief, which is conditional on regulated firms contributing to and complying with an action plan for compliance.
Many merchants argued that they were caught on the back foot by SCA and therefore lobbied for more time to prepare for the changes. We would expect them to use this breathing space to get fully up to speed on what’s changing, and to make sure that they and their customers are ready.
Smaller merchants that process payments online are likely to face even bigger challenges than their larger counterparts, who will inevitably have more direct engagement and bespoke arrangements with their acquirers and gateway providers.
The extension should be used to develop compliant solutions for customers and to create an industry-wide plan that minimises disruption. It also gives merchants the time they campaigned for to engage with acquirers and payment gateway providers, adapt their payments processes and communicate these changes to their customers.
Charley: Will increased checkout security negatively impact consumer sales?
David: On mobile channels, if SCA is implemented correctly, it should be possible to minimise the negative impact on consumer sales that could result from increased friction in the customer journey. Two-factor authentication is already a common feature in digital banking and other online processes.
In the future, as smartphone technology and EBA technical guidance develops, we could see the implementation of more sophisticated behavioural biometric solutions that further reduce disruption to the customer whilst delivering robust security. However, it will take some time before this kind of technology is fully developed and widely available.
Outside mobile, implementing “frictionless” SCA is far more challenging on browsers and automated telephony channels. This presents an issue for customers who are less tech savvy, and for firms who want to move away from more traditional payment methods due to the security and other benefits of mobile SCA.
For larger banks and financial firms, financial inclusion and support for a broad customer base is a key issue. A two-factor authentication process involving biometrics, for example, could intimidate the less digitally confident, who may already be reticent to give up their personal information as part of the value exchange inherent in many digital transactions. For those without mobile banking or home internet connections, the extra security required under SCA requirements can be implemented, but this is less straightforward and introduces a greater amount of friction.
Charley: Could PSD2 compromise customer data and will this conflict with GDPR?
David: PSD2 and in particular the SCA requirements are designed to significantly enhance data security and protect transaction data from hacking and fraud. There is always a risk of data breach in any data exchange; however, PSD2 increases the level of protection. This means that any such breach is more likely to arise as a result of human error or wrongdoing than the operation of the regulations themselves.
The tension between the “consent” requirements under PSD2 and the GDPR has now been largely resolved. The ICO has confirmed that both requirements must be considered separately; however, “consent” for PSD2 purposes should not be read as equivalent to consent under the GDPR, which can be freely revoked by the user and can be invalid if it is a condition of entering into a contract.
In relation to “consent” for GDPR purposes, this will still be relevant where firms process personal data as part of their payment services. Firms should bear in mind that consent is just one of several potential legal bases to process personal data and may not be the most appropriate basis to rely on, given the issues briefly outlined above.
Charley: In terms of the UK and the CMA’s mandate, does PSD2 help to achieve one of the CMA’s objectives which was to encourage greater innovation in banking services and make customer banking data available to more than just the major banks?
David: It is still early days in the creation of an ‘open banking’ market; the implementation of PSD2 and the OBIE’s open banking regime in the UK is still very much a work in progress, as the recent SCA delay indicates. In that context, it is premature to attempt a meaningful assessment of whether the CMA has achieved its open banking objectives. There are lots of potential outcomes that could affect how the market looks in one to two years’ time, and what issues the CMA feels still need to be addressed.
Early indications are that existing and new firms have started to develop open banking propositions, which continue to build momentum. This includes a number of smaller challenger banks and fintechs who have taken advantage of account information services provision to launch innovative solutions.
However, the biggest perceived threat in this new market is from big tech firms like Google, Amazon, Facebook and Apple. Big tech companies are experts in designing frictionless customer experiences and have access to vast amounts of customer data, which they are already experts at mining to extrapolate insights. If they decide to combine and augment their current services with financial services and data, they could disrupt the market on a far greater scale, especially due to their existing market presence and unrivalled capacity to invest. If this starts to happen, the CMA’s concerns about a lack of competition in the banking industry could begin to shift away from the CMA9 towards the giants of Silicon Valley.
Charley: What legislation would you put in PSD3?
David: Using the open banking platform that the UK has now successfully developed, the FCA is already talking about the broader concept of “open finance”, which would cover the whole of customers’ financial lives. Aspirationally, this would encompass the full spectrum of financial services products including investments, pensions, mortgages and insurance, to encourage greater innovation and deliver greater insight for customers.
While the market is likely to progress in this direction in the future, we can expect resistance to accelerating this change from more established firms who may be concerned about further disruption in the market as well as being keen to ensure that they can achieve the current regulatory standards for open banking – including SCA – before further requirements are added.
Technology always moves faster than the law so we can anticipate that PSD3 will continue to try to address the latest technical innovations and their impact on the payments market. We may also anticipate increased regulatory reach under PSD3, as we have seen with the direct regulation of data processors for the first time under the GDPR. This will be more likely if large technology players take a significant stake in the payments market without becoming banks, in which case PSD3 could seek to directly regulate technology and other service providers in response.