Update On Strong Customer Authentication (SCA) Enforcement Dates

Update On Strong Customer Authentication (SCA) Enforcement Dates

Martin Koderisch
July 2, 2020

UK/EU post-Brexit negotiations recently stalled again. Any economic trade deal between is to some extent dependent on both sides maintaining ‘continued regulatory alignment’ and avoiding ‘regulatory divergence'. In the world of payments regulation, there is evidence of the latter taking place. Enforcement of new Strong Customer Authentication rules is a case in point. The EU’s new Strong Customer Authentication (SCA) rules were developed by the European Banking Authority as part of PSD when the UK was firmly part of the EU. Both sides are now diverging on when to start enforcement of these rules that are expected to have a game-changing impact on e-commerce payments. We have previously outlined the SCA rules and their impact.

The key takeaway is that because SCA rules target banks and make them legally responsible and liable for e-commerce payment fraud,  merchants no longer have full control of their customers' check-out experience. Under the SCA rules, issuers are required to (1) introduce new security steps  - two-factor authentication -  on all remote payments to positively confirm cardholder identify at check-out, and (2) decline all non-compliant authorisation requests from merchants that cannot support these additional checks. Hence, the change could potentially cause significant commercial damage to unprepared merchants.

The rules were due to be subject to full regulatory enforcement action from 1 Sept 2019. However, for various reasons the industry was not ready to make the change so the date was extended to allow more time for the industry to fully prepare. The date was extended to 31 Dec 2020 across the EU apart from in the UK where the FCA – the UK’s national competent authority and financial regulator – decided to allow for an extra 3 months and set the date to the 14 March 2021 .Back in Sept 2019, this extended timeline was considered by most industry stakeholders to be ample. However, the unprecedented impact of COVID-19 has - one would think - altered this view. Accordingly, the UK’s FCA was reasonably quick to react and publicly announced, on 30th April, a further 6-month extension to the SCA enforcement date. Hence, full regulatory enforcement action will start after 14th Sept 2021. The FCA said:

"In the exceptional circumstances of the Covid crisis, we are giving the industry an additional 6 months to implement strong customer authentication (SCA) for e-commerce. This will minimise potential disruption to consumers and merchants. The new timeline of 14 September 2021 replaces the 14 March 2021 date. …After 14 September 2021, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action".

By contrast, after much lobbying from the e-commerce industry requesting a similar extension, the European Commission communicated in a letter to a number of e-commerce industry participants on the 17th June 2020 that the 3December 2020 enforcement deadline for SCA remains and will not be extended as a result of COVID-19 crisis. The letter, sent by Valdis Dombrovski (Executive Vice-President of the European Commission), puts forwards several factors in support of the EC’s decision not to extend:

“[The] rules on Strong Customer Authentication have been known to the market since at least November 2017 and clarified at multiple occasions by the EBA, either with targeted guidance or through its Q&A tool.” “The EBA already addressed some of this operational challenges through its statement of March 25 2020, lifting the first deadline for national competent authorities’ obligation to report by March 31, 2020, on industry’s readiness to meet the Strong Customer Authentication requirements for e­commerce card-based transactions.” “The Covid-19 pandemic has increased the volume of e-commerce and consequently of online payments. It can be expected that many EU consumers will maintain these new payment habits. This would call more than ever before for robust and innovative strong authentication methods. Delaying them further could undermine customer trust in e­commerce, and slow down the deployment of new and innovative state-of-the-art authentication methods in the EU.”

So, what was a 3 month ‘regulatory divergence’ between the EU and UK, has now become 9 months. The SCA saga will no doubt continue and it provides some insight into the Brexit challenges faced by the UK and EU in agreeing on economic trade deal.

But back to SCA. The European merchant community now has under 6 months to prepare for the SCA enforcement deadline. An extremely tight timeline further compounded by the critical Q3/Q4 retail selling season which normally sees a suspension of IT projects on e-commerce websites from November till January.

So what are the consequences of not being compliant? What does it mean in practical terms? For merchants, the key thing to remember is that if you are not able to support an issuer SCA procedure, the issuer will be legally required to decline your payment requests. A payment decline means a checkout can not be completed, the sale is lost and the customer is unhappy. Most industry surveys suggest that, for the most part, issuers and acquirers will be ready. But the long tail of e-commerce merchants may not be. Part of the problem is that merchants are at the receiving end of the payment value chain and there is a tendency for merchants to be very reliant on their payment providers (PSP) and to assume they are being adequately looked after. The reality is that PSPs are at different states of readiness themselves. Many will be relying on basic solutions to achieve a minimal level of SCA compliance. This does reduce some of the non-compliant payment decline risks, but these ‘Band-Aid’ solutions are far from optimal and will result in extra customer checkout friction and a poor customer experience which have historically resulted in rising abandoned checkouts. Checkout abandonment can cause significant commercial damage to merchants in terms of lower conversion rates, lost sales, customer dissatisfaction, negative word of mouth, loss of loyalty, negative social media, etc. EDC is supporting merchants to prepare for SCA starting with proactively checking and evaluating what SCA solution their PSPs are using, checking for any compliance blind spots and assessing the actual 'SCA revenue at risk’.

EDC is also supporting clients to go beyond pure SCA compliance to achieve greater levels of transformation of their business. Forward-thinking clients see SCA, not as a compliance exercise nor technical problem but a commercial opportunity. EDC is supporting them to define and implement an SCA strategy with the goal of developing a best in class SCA customer experience that will deliver competitive advantage with which to drive desired commercial outcomes.

Read our other articles on SCA here.

The content of this article does not reflect the official opinion of Edgar, Dunn & Company. The information and views expressed in this publication belong solely to the author(s).

Engage with EDC

Lets discuss how EDC can assist your business

Connect with us

Become part of
the EDC team

Want to join the EDC team?

Find out more
Back to top