PSD2: The European Payments Revolution? Part 2b: What are the Problems with SCA in Europe?
16th June 2021
Strong Customer Authentication (SCA) is a mandate introduced as part of PSD2 to reduce fraud and make card transactions safer for consumers. In our previous blog post, we provided an overview of SCA and outlined the high rates of transaction failure seen in Europe on transactions requiring SCA.
We continue our review of PSD2 in this blog with a focus on some of the problems identified by the payments industry in relation to SCA compliance. This is our third blog in a six-part series intended to provide a review of PSD2, three years on from its entry into force.
Problems Identified by Merchants
As discussed in our previous blog post, the average rate of failure on transactions challenged for SCA through 3DS was 30% as of April 2020 (CMSPI estimate). It’s clear that transaction failure is high across Europe, and there are a number of reasons why that is the case. CMSPI has reached out to merchants to identify some of the issues they face, to provide more context behind the failure rates observed across Europe.
Lack of readiness
The first problem identified is a lack of issuer readiness in certain European countries, with low levels of 3DS cardholder enrolment and low levels of customer awareness. What this effectively means is that it is virtually impossible for SCA to be carried out on these transactions, resulting in significant declines. Furthermore, even where cards are enrolled for 3DS, the lack of consumer awareness means transactions are more likely to be declined when challenged for two-factor authentication. To add further problems, merchants are also identifying significant time-out and latency issues when customers go through the 3DS protocol, leading to situations where consumers abandon the transaction either because of an error on the 3DS page or because the 3DS page is taking too long to load.
Lack of exemption usage
Furthermore, merchants are also seeing low levels of exemption usage and acceptance. Stakeholders appear to be taking an overly cautious approach to exemptions with an emphasis on compliance. For example, issuers in certain countries appear to be misinterpreting the fraud threshold requirements for the Transaction Risk Analysis (TRA) exemption (more details on exemptions will follow in our next blog post). TRA can be conducted by either the issuer or acquirer on certain value thresholds depending on their average fraud rates (see table below for reference fraud rates). As far as the regulation is concerned, the fraud rate of the PSP conducting the TRA is what determines the value threshold. That is, if an acquirer is performing the TRA, then the acquirer’s average fraud rate will solely determine the maximum value on which TRA can be conducted even if the issuer’s average fraud rate is significantly higher. However, issuers are only considering their own fraud rates when determining whether to accept acquirer TRA, and thus misinterpreting the fraud threshold requirement, even if the acquirer’s fraud rate is significantly lower than theirs. This is of course leading to further declined transactions.
Source – Commission Delegated Regulation (EU) 2018/389 (SCA Regulatory Technical Standards)
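As an added illustration (not code from the original post or from CMSPI), the TRA threshold rule and the issuer-side misinterpretation described above can be expressed as a small decision function and run over some constructed transactions. The reference fraud rates and value thresholds used here are assumed from the Annex to Regulation (EU) 2018/389 rather than taken from the post, and the acquirer and issuer fraud rates in the sample data are constructed.

```python
"""TRA exemption threshold rule (RTS Article 18) and the misreading
described in the post, side by side.

The PSP that performs the transaction risk analysis uses ITS OWN
reference fraud rate to pick the maximum exemptable amount. The
misinterpretation is an issuer additionally gating an acquirer TRA
request on the issuer's own fraud rate.
"""

# (reference fraud rate in %, maximum transaction value in EUR) for remote
# card-based payments. Assumed from the RTS Annex, not from the post.
TRA_THRESHOLDS = [
    (0.13, 100),  # fraud rate <= 0.13% -> exemption up to EUR 100
    (0.06, 250),  # fraud rate <= 0.06% -> exemption up to EUR 250
    (0.01, 500),  # fraud rate <= 0.01% -> exemption up to EUR 500
]


def max_tra_value(fraud_rate_pct: float) -> int:
    """Highest exemption threshold a PSP with this fraud rate may use.

    Returns 0 when the PSP is above every reference rate (no TRA allowed).
    """
    best = 0
    for ref_rate, limit in TRA_THRESHOLDS:
        if fraud_rate_pct <= ref_rate:
            best = max(best, limit)
    return best


def acquirer_tra_allowed_per_rts(amount: float, acquirer_rate: float, issuer_rate: float) -> bool:
    """Correct reading: when the acquirer performs TRA, only the acquirer's
    fraud rate determines the threshold. issuer_rate is deliberately unused."""
    return amount <= max_tra_value(acquirer_rate)


def acquirer_tra_allowed_misread(amount: float, acquirer_rate: float, issuer_rate: float) -> bool:
    """The misinterpretation: the issuer also applies its own fraud rate,
    so the effective threshold becomes the lower of the two."""
    return amount <= min(max_tra_value(acquirer_rate), max_tra_value(issuer_rate))


# Constructed sample transactions: (amount EUR, acquirer fraud %, issuer fraud %).
# Acquirer at 0.05% may exempt up to EUR 250; an issuer at 0.12% only up to EUR 100.
SAMPLE_TRANSACTIONS = [
    (90.0, 0.05, 0.12),   # both readings exempt
    (180.0, 0.05, 0.12),  # RTS exempts, misreading declines
    (240.0, 0.05, 0.12),  # RTS exempts, misreading declines
    (300.0, 0.05, 0.12),  # above the acquirer's own threshold: neither exempts
    (50.0, 0.15, 0.12),   # acquirer above every reference rate: neither exempts
]


def count_unnecessary_declines(transactions) -> int:
    """Number of transactions the RTS would exempt but the misreading declines."""
    return sum(
        1
        for amount, acq, iss in transactions
        if acquirer_tra_allowed_per_rts(amount, acq, iss)
        and not acquirer_tra_allowed_misread(amount, acq, iss)
    )


if __name__ == "__main__":
    for amount, acq, iss in SAMPLE_TRANSACTIONS:
        print(
            f"EUR {amount:6.2f}  acquirer {acq:.2f}%  issuer {iss:.2f}%  "
            f"RTS: {acquirer_tra_allowed_per_rts(amount, acq, iss)}  "
            f"misread: {acquirer_tra_allowed_misread(amount, acq, iss)}"
        )
    print("unnecessary declines:", count_unnecessary_declines(SAMPLE_TRANSACTIONS))
```

The point of the comparison is that the gap between the two readings opens only in the band between the issuer's threshold and the acquirer's threshold; every transaction in that band is a decline the regulation did not require.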
Lack of Clarity
Finally, there is still a lot of uncertainty in relation to some of the provisions included for merchant-initiated transactions. While these transactions are out of scope, there are certain conditions that must be fulfilled for these transactions to fall outside of the scope of SCA. There is still a lot of uncertainty surrounding these conditions as well as whether certain transactions fall under this category and are therefore exempt from SCA requirements. More details on the issues surrounding merchant-initiated transactions can be found in our report here. This lack of clarity means that merchants may be forced to take an overly cautious approach in interpreting the regulation surrounding merchant-initiated transactions and unnecessarily put sales at risk due to extra friction introduced through SCA. Alternatively, merchants could risk misinterpreting the regulation and face transactions being declined. What’s more, given that the consumer is typically not available for authentication for these transactions, it would be virtually impossible for these transactions to be re-tried for authentication should these transactions be declined.
Various delays and entry into force
The initial deadline for SCA compliance was set for the 14th September 2019. This deadline was intended as a ‘cliff-edge’ deadline which meant all relevant transactions following this deadline would immediately face two-factor authentication requirements as part of SCA.
However, due to the lack of industry readiness, the enforcement deadline was delayed and pushed back to the 31st December 2020 by the EBA. This followed an earlier announcement by the EBA that National Competent Authorities (NCAs) would be permitted to provide ‘limited additional time’ to Payment Service Providers (source). The EBA did recommend that NCAs take a consistent approach towards the SCA migration period when it later announced the new 31st December 2020 enforcement deadline; however, it did not mandate that NCAs do so. This left NCAs with the possibility of introducing different migration plans. For example, the Financial Conduct Authority pushed the deadline back for UK issuers to 14th March 2021. It is important to note that these delays were announced prior to the COVID-19 pandemic.
As the pandemic began to take hold, the UK’s Financial Conduct Authority announced a further six-month delay, pushing the final deadline to the 14th September 2021. This deadline has recently been pushed further back to the 14th March 2022. The EBA, however, did not extend the European deadline further in light of the pandemic, resulting in NCAs announcing their own deadlines. Different approaches were chosen by NCAs, with some announcing delays to enforcement and others sticking to the 31st December 2020 deadline. Furthermore, phased ramp-up delays were announced by some NCAs, helping avoid a ‘cliff-edge’ implementation approach. These phased ramp-up delays effectively meant enforcement would begin on larger value (lower volume, higher risk) transactions and progress down to smaller value (higher volume, lower risk) transactions as time progressed. The table below provides insight on the approaches taken by various NCAs (source).
As illustrated, the approach taken by NCAs has varied, which could arguably have been avoided had a further delay been announced by the EBA. This is particularly frustrating for cross-border retailers selling products to consumers in other EU member states, as they now have a wide variety of deadlines to consider. Furthermore, certain member states failed to take a phased approach to enforcement, meaning the ecosystem would not have a buffer during which problems with SCA could be identified and solved while only a subset of eligible transactions was affected.
Strong Customer Authentication was introduced as part of PSD2 to bring greater levels of security to card payments and reduce fraud. However, as we’ve illustrated in our previous blog post, SCA has introduced significant friction to online payments with failure rates on challenged transactions as high as 45% in some countries (CMSPI estimate). These high rates of failure are the result of a combination of factors that can be summarised as a lack of readiness, clarity and exemption usage. If these issues are not addressed soon and failure rates remain as high as they are in Europe, our estimates suggest merchants across Europe could stand to lose €86 billion on an annual basis.
In our next blog post we will provide some more information on exemptions to SCA.