The European Banking Authority's (EBA) introduction of discretionary extensions to the September 14 deadline for strong customer authentication (SCA) reflects the complexity and ambiguity of the requirements themselves rather than a lack of preparedness in the industry, according to payments market participants.
“The new SCA requirements have always been a complex, ambitious and in some way ambiguous piece of legislation,” said Jackie Barwell, director of fraud product management at ACI Worldwide, in an email. “The need for repeated opinion documents to ensure the interpretation of the new rules is correct underlines this. The fact that some firms may not hit the deadline is partly due to the complexity and ambiguity of the legislation rather than a lack of preparation by the industry.
“We have seen a real concerted effort in the industry to prepare for the new authentication requirements and to meet the September deadline. The possibility of a deadline extension is a welcome step by the EBA to support firms struggling to meet SCA compliance requirements.”
For Andrea Dunlop, Paysafe CEO of merchant acquiring in Europe, a pragmatic approach to legislation is one that has always been championed by the industry. “I am sure that the news of the increased flexibility to allow for this transition will be welcomed by many. The industry can refocus on providing the best possible solution in line with the objectives of SCA, rather than being limited to an approach of strict compliance with the regulation that the impending deadline had enforced.”
The European Banking Authority (EBA) published a new opinion paper on SCA under the revised Payment Services Directive (PSD2). According to a press statement accompanying the news, the EBA’s opinion is a response to “continued queries from market actors as to which authentication approaches the EBA considers to be compliant under SCA … also concerns about the preparedness and compliance of some in the payments chain.”
Channels and deadlines
“I think there’s probably a number of factors involved here, and probably mostly to do with where people are with their PSD2 programs,” says Chris Stephens, head of banking solutions at Callsign. “One of the biggest challenges might be that you are prepared in one channel but in others it’s harder to become compliant.
“I think a lot of the bigger organizations are prepared and are probably already compliant, but there are some smaller guys that are really having to look at the impact on them and realizing that it does actually impact them because certain products are in scope which might not be part of their core business.”
Paysafe’s Dunlop expects there will be numerous companies seeking an extension on the deadline. “This extension period will most likely be at least a year and should give these companies the time they need to ensure that SCA has a positive outcome for both consumers and merchants.”
The extensions will only be granted by the EBA if a payment service provider (PSP) has a sufficient migration plan in place that has been approved by its relevant national competent authority (NCA).
An FCA spokesperson said: “The new rules are intended to tackle fraud, which is a priority for us. But we recognize the need to minimize the potential disruption to customers as these changes are brought in.”
According to a source close to the matter, the FCA is planning an announcement later this week and PSPs are in consultation with the regulator prior to making official statements.
A spokesperson for Visa wrote in an email: “The EBA has published additional guidance on the elements of Strong Customer Authentication under PSD2. This involves information which has significant implications for the ecosystem approach to SCA. Visa is carefully analyzing the impact of this guidance together with our partners, clients and regulators and we will update our position.”
Additional details were also provided by the regulator on the three elements of SCA – possession, inherence and knowledge. The EBA clarified that it does not believe card details can be used to prove possession unless a dynamic number is generated. It also stated that while inherence can include behavioral biometrics, it must be limited to body parts, psychological characteristics and behavioral processes created by the human body.
“It’s interesting how the inherence factors have been expanded in the opinion paper,” says Stephens. “For the last couple of years, we’ve been asked by a lot of organizations whether behavioral biometrics acts as one of the factors. It’s encouraging and is probably down to some of the technical advancements that have happened since the regulation first came out.”