The Financial Conduct Authority (FCA) has recently announced that they are extending the deadline for Strong Customer Authentication (SCA) for e-commerce transactions to 14th March 2022.
They advised that this further 6-month extension is to ensure minimal disruption to merchants and consumers, and recognises ongoing challenges facing the industry to be ready by the previous 14 September 2021 deadline. The new 14 March 2022 deadline is the latest that the FCA expects full SCA compliance for e-commerce transactions. The changes involve new rules by which every online purchase over EUR has to undergo two-step authentication.
The FCA has previously agreed to give firms extra time to implement SCA for card-based e-commerce transactions in response to concerns about industry readiness and to limit the impact on consumers and merchants. An additional 6-month extension was also provided in response to the coronavirus crisis.
Siamac Rezaiezadeh, Director of Product Marketing at GoCardless said: “The deadline extension will surely be a relief to many merchants who have had a lot on their minds over the past year. Getting SCA implementation right is vital because there are real revenue implications at stake. GoCardless surveyed 1,900 C-level decision-makers at the end of 2020 and found that 75% of businesses globally had already implemented SCA, and of those, 56% reported a decrease in conversion as a result.
“As businesses work towards SCA compliance, we may see a surge in interest in alternative payment methods, ones that provide the same level of fraud protection that SCA is driving towards — without the need to add an extra step into the payment flow. Bank-to-bank payments and open banking payments are among those. What’s more, merchants may discover that, even without taking SCA into account, these payment methods could be a better fit for their business model compared to their current options in terms of reducing costs, lowering churn and maximising payment success.”
Also commenting on the announcement, Galit Michel, VP of Payments at Forter, said: “PSD2 has already come into force across Europe’s major eCommerce marketplaces, and the negative impact on conversion rates has been significant. For example, e-commerce merchants in France and Spain have experienced on average a 25% reduction in conversion rates, a 30% reduction in Germany, and up to 40% of transactions are being lost in Italy, costing merchants millions of Euros per month. Many of these transactions can be exempted or excluded from the scope of PSD2; Forter has been able to restore approval rates for several large merchants to a level very close to their pre-enforcement baseline, but this involves sophisticated technical solutions that not all merchants can take advantage of.
“Across the board, merchants are struggling to manage the significant changes to their payments process, and we have observed a lack of issuer readiness, as well as low levels of customer co-operation with the increase in friction at the checkout. The desired impact of PSD2 was to reduce levels of fraud, but in reality, the outcome has been to frustrate customers and deprive merchants of much-needed revenue.
“We are not surprised that the FCA has taken this bold move to push back the UK enforcement date by another 6 months, and it will be welcomed as it gives merchants more time to observe and learn from the impact across Europe, and to ensure that they have an optimised solution in place to reduce friction and maximise approvals before the new enforcement date. However, we do believe that PSD2 will eventually be enforced in the UK, as it has already been transcribed into UK law, and we are already seeing transactions being declined when they are sent for processing without 3DS, so merchants should consider this a welcome extension and not a complete reprieve.”
Opportunity or Concern?
Finally, Jason Lane-Sellers, Director, Market Planning, Fraud and Identity at LexisNexis Risk Solutions believes the announcement brings both opportunity and concerns.
“It’s no doubt been a welcome announcement from the FCA for a number of reasons, predominantly because it gives organisations a little more time and breathing space to properly prepare their SCA strategies, enabling them to tie in and utilise technology to manage the interactions and properly integrate elements required for an effective and uninterrupted customer journey,” he said. “It’s vital now that organisations make the absolute best of this time to get their processes in order and to ensure both compliance and continuity, post-rollout.
“Undoubtedly, over the past year many organisations will have been distracted from this SCA implementation work, as they rushed to transform how they work and implement new or improved digital services almost overnight in response to the pandemic. This extra time provided by the FCA is likely reflective of this and intended to give organisations the opportunity to get back to their implementation activity, not just to achieve a minimum standard to meet the deadline, but to implement multi-level risk analysis and fraud prevention process, integrating aspects of Digital Identity technology, phone risk intelligence analysis and transaction risk analysis as appropriate for the customer journey.
“Of course, there is a potential downside to the delay with respect to the continually growing threat of fraud itself on the UK public. As the most recent LexisNexis Cybercrime Report showed, we are seeing greater automation by fraudsters, increasing credential testing and growing social engineering and scams. Automated bot attacks designed to mass test stolen identity credentials increased by a massive 44% in just the second half of 2020. This is a clear sign that fraudulent entities are increasing their capability to attack at speed. Don’t forget, the extension to allow firms to implement their SCA requirements is also an extension for fraudsters, allowing them time to refine their attack methodologies to circumvent SCA processes. This presents a particularly big risk for businesses that are only planning to address the minimum needs of SCA, as fraudsters will no doubt be scheming to target the low-hanging fruit opportunities first, where only basic checks are in place.”