With the 14th September deadline around the corner, PSD2’s new SCA (Strong Customer Authentication) requirement will have a big impact on the way merchants take payments from customers. TFT digital editor, Charley Brooke Barnett, sat down with Tim Coates, Head of Blockchain at Synechron, to pick his brain on the new regulations.
Charley: Is there a risk of the sector becoming complacent with the delayed SCA deadline?
Tim: There is no risk of the banks and FinTechs taking the SCA rules lightly. They have the means and will comply. However, the vast number of merchants who are inconvenienced by this change have been slower to pay attention. Those merchants that take a slower or more reactive approach to the regulation are at risk of fines and reduced customer confidence.
Charley: Will increased checkout security negatively impact consumer sales?
Tim: Overall you would expect that reducing fraud will increase trust in the digital payments infrastructure, and deliver a long-term positive impact for consumer sales. The age-old question in consumer payments is do we lose more money from an uptick in friction, or from fraud enabled by inconsistent authentication security application. Banks are typically liable for the billions of dollars of ‘card-not-present’ fraud, whereas merchants lose out from friction that causes a higher dropout rate on transactions. Hence it was important to introduce this regulation where the economic incentives to deliver strong customer authentication were uneven.
The industry obsession with frictionless customer experiences grew out of the heightened competitive intensity of FinTechs and middleware orchestrators created by PSD2. The SCA rules require two independent verification methods to accept payments, but leave it open for the payment services providers and merchants to innovate on its execution.
Thus the regulation provides an opportunity for competitive differentiation and innovation around customer authentication. We will see banks be forced to modernise their service, rather than putting all the pressure on merchants. Also, through the use of data, we will see banks encourage positive behaviour among good merchant partners, and therefore incentivise deeper relationships with merchants, showing that they have done all of the correct things, rather than charging them and losing the customer.
Charley: Could PSD2 compromise customer data and will this conflict with GDPR?
Tim: While some firms might view the two regulations as conflicting, PSD2 explicitly refers to the predecessor of GDPR in its final text and the close connection is actually clearly noticeable, as several provisions in PSD2 itself are dedicated to the protection of personal data. The question for firms is how can they find the balance between provisioning customer account data in Open APIs, whilst then also protecting and handling it once it's outside their walls.
Firms need to transform their data infrastructure and governance, implementing a customer-centric methodology with a robust security and data protection mindset. One way to do this is by addressing similar technical requirements with a single approach using one API solution; this will allow firms to power both GDPR data portability and PSD2 XS2A. Doing this within banking environments could serve in reducing implementation costs and optimise efficiency.
To do so, banks will need to look at their data architecture landscape and analyse two aspects in both requirements to assess whether that would be technically feasible: (i) the nature and scope of the accessed data and (ii) the functionality requirements of one API complying with both legislation requirements.
Charley: Does PSD2 fully address the need to break up the monopolies held by the big banks before the financial crisis?
Tim: Fintechs were the winners from PSD2, but we see both players having an extremely important role to play in the ecosystem, especially due to the power of collaboration.
Despite claims that banks lost out, there are beneficial relationships banks can establish, such as broadening the scope of products and services. For example, a small bank previously unable to provide its customers with insurance can now do so by connecting to a larger bank’s open API. This also enables that larger bank to offer its underwriting services to that smaller bank, thus creating a symbiotic relationship.
Charley: What legislation would you put in PSD3?
Tim: An expansion of scope of data will evolve over time as PSD2 is now the new normal. We expect increasing profile data portability for customers wanting to switch banks will further increase competition.
PSD3 would likely need to accommodate the increasingly invisible moment of payments, for example, Uber. Increasing transparency and risk management around that popular evolution could be a new theme.