We speak with Paul Rodgers, Chairman of Vendorcom, who shares his five-point SCA success plan:
What is Strong Customer Authentication (SCA)?
These new rules, introduced in 2018 and originally due to be enforced from 14th September 2019, are part of the European Union’s (EU) revised Payment Services Directive (PSD2), and were created to improve the security of payments and prevent fraud. All payment service providers within the EU will have to implement the changes, which centre on multi-factor authentication, to increase the security of payments.
However, implementation has been fraught with delays due to the lack of a coherent plan until just before the initial 2019 deadline. The COVID-19 pandemic has pushed it back still further, and there is currently a disparity between the revised deadlines adopted by the different authorities involved. For example, the European Banking Authority (EBA) is currently maintaining its deadline of 31 December 2020, and has not adjusted this despite the pressures created by COVID-19. Meanwhile, the UK’s Financial Conduct Authority (FCA) has moved its date back six months from 14 March 2021 to 14 September 2021.
In his comments below, Paul calls for clarity, common sense and collaboration to fix this industry-wide problem.
SCA – why the radio silence?
“It’s just crazy that the European Banking Authority has not made any public pronouncements on SCA since 16th October 2019. It is 226 days since it last issued one of its official ‘opinions’ on SCA and I think the EBA needs to come out of the closet and say what its intentions are.”
“The lack of clarity is creating turmoil in the pan-European merchant payments sector and in particular ecommerce. I know there are private meetings going on with the National Competent Authorities across Europe but that’s not good enough; they need to take a public stance.”
“I’m now calling on the European Commission to intervene as I think that only the Commission can now take charge and bring resolution to the impasse that the EBA is precipitating.”
“I think the implementation delay gives us a chance to rethink. I’m still very much in favour of locking down security in the ecommerce, mobile and remote areas of merchant payments but I think we need to look at four or five key things.”
So, what are they? Here’s Paul’s five-point recipe for change:
1: SMS, one-time passcodes have to go
“We need to use this delay to kill the SMS, one-time passcode as the primary authenticating element because it remains insecure and exclusionary and, as such, is not a good way forward.”
2: Time to find better security solutions
“We need to take a serious look, instead, at alternative authentication elements, and specifically biometrics and behavioural biometrics. But while doing that, we need to recognise that this could be equally exclusionary in that it is a tech-based solution for smartphones, which are by no means ubiquitous.”
3: Smooth the way for ecommerce
“We need to rethink how we remove checkout barriers from ecommerce, essentially swinging our attention to check-in authentication when somebody’s engaging in ecommerce.
“This would switch the emphasis to retailers building relationships and loyalty so that customers spend more time with them. Possibly, and maybe even necessarily, with some friction at the check-in point where they’re trying to establish that relationship and authenticate that new customer as that’s a good time to do that sort of thing.”
4: Beware the fraudsters!
“We actually need to recognise that this delay in SCA implementation could favour fraudsters. Their window of opportunity has just got bigger – by 184 days! You won’t find them complaining about the extension or the need to revise the implementation plan.
“We need to recognise that and have a fresh look at the fraud tools that we already have and new analytics and prevention tools.
“There are plenty of solutions providers out there that can make those available and merchants should be applying those to actually cover the gap that not doing SCA will create in our fraud prevention toolkit.
“It’s a travesty that, 14 years after we locked on fraud in the face-to-face arena, we’re only now focusing in, in earnest, on protecting and removing fraud from ecommerce, mobile and remote ecommerce transactions.
“So, it’s a real dilemma. The reality says we need to delay this, but we can’t just simply say ‘right, let’s delay, and almost do nothing until 14 September next year’, it’s a case of delay but really look at what we’re putting in place in the meantime, because this exposes us.”
“Sadly, the fraudsters are just loving what we’re doing at the moment.”
5: Working together to find a way
“As I have been saying for over a year, it’s time for the regulators to wake up and stop skirting around the issue of a collaborative approach to this, and diverting attention from this issue by placing the responsibility in the hands of UK Finance to put together this programme of work.
“Those sorts of bodies are no more capable of creating a collaborative environment than the individual organisations themselves (predominantly banks) and therefore the regulator has to use this delay period to find a way of promoting and sanctioning a much more collaborative environment to progress this issue.
“Together, we need to find a way of creating that ubiquitous solution that is easy to understand and use for the citizen/consumer. In line with that, we also need to focus on outcomes, not technical compliance.
“It’s about monitoring the readiness of the market, not just in the deployment of technical solutions but in the adoption of those solutions by the end consumer.”
And finally… is politics getting in the way of market-friendly decisions?
“We also have another opportunity that the EU has singularly failed to address in the past, which is to align pan-European compliance deadlines. When the UK’s FCA went for 14 March 2021, the EBA chose the particularly challenging date of 31 December, 2020. I fear that if they offer any further extension to the period of supervisory flexibility, they will perhaps delay it by six months, and therefore end up at 30 June, 2021. That would be an equally illogical date, given that we would be better off aligning across Europe.
“The EBA is either just trying to be a heavy-handed regulator and demonstrating that it is the organisation with the teeth and the controls with no empirical basis for its decisions and in denial of the facts and market reality.
“Or, it’s a case of, well, the UK has gone for a sensible 18-month delay, but we can’t be seen to do what the UK has done because of Brexit. I’m sure that such a political stance would be denied but, since there are no good reasons not to align dates, the true motivation will remain open to interpretation. I hope that the Commission will now hold the EBA to account.”
Death knell for cross-border trade?
“14 September, 2021 is my preferred date as it would be two years after the original enforcement date and so would focus people’s minds. If the EBA were to align with 14 September, it would give us a chance to all come together, whereas its current stance undermines the digital single market and cross-border trade in Europe for consumer payments because cross-border business between the UK and continental Europe is very difficult to prepare for and operate when you’ve got two different deadlines.
“Fundamentally, by giving the National Competent Authorities the ability to set their own deadlines and failing to recognise the impact COVID-19 has had, there is a continued risk to the overall wellbeing of the pan-European economy.”
Copyright © 2020 Vendorcom, All rights reserved.