By Megan Doyle
The first significant PSD2 delay happened in March 2019, by which all European banks were required to provide testing environments for third-party providers (TPPs). This TPP “sandbox” requirement necessitates banks give third parties at least six months to test authorizing payment services in a testing environment with secure application programming interfaces (APIs), documentation, and support.1 But 41 percent of banks missed the deadline, according to research by open banking platform provider Tink.2
The banks that missed the deadline were left playing catch up, potentially contributing to subsequent delay of the September 14th EU payments directive deadline for SCA requirements.3
The September 14 deadline for SCA requirements was when PSD2 was supposed to go into full effect. But growing demands from the industry and a June opinion published by the European Banking Authority (EBA) led the U.K. Financial Conduct Authority’s (FCA’s) decision to grant banks and payment service providers an extra 18 months to fully implement PSD2 and SCA.4
According to the EBA and FCA, it was necessary to forgo a hard deadline in favor of phased implementation due to the complexity of SCA requirements, the lack of industry preparedness, and to avoid unintended negative consequences for consumers.5,6
Still, the EBA said “sufficient time has been available for the [payments] industry to prepare for the application of SCA, given that the definition of SCA had been set out in PSD2 when it was published in 2015.”7 However, the FCA said it won’t take action against payment providers that missed the September deadline provided they are able to demonstrate they’re working toward compliance. Enforcement is expected to be fragmented across EU countries.8
SCA is a new European regulatory requirement to create stronger payment services across Europe. As defined by PSD2, SCA is an “authentication based on the use of two or more elements categorized as knowledge, possession, and inherence that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”9
In cybersecurity industry parlance, the SCA defines “two-factor authentication.” Further, “knowledge” is something only the user knows, like a password; “possession” is something only the user owns, like a cell phone; and “inherence” is something that the user is, like facial recognition or a fingerprint. SCA has additional technical requirements to resist certain types of cyberattacks.
With PSD2 in full effect, SCA will be required for nearly all customer-initiated online payments within Europe, including most card payments and bank transfers. However, specific types of low-risk payments may be exempt, such as payments below 30 euros, fixed-amount subscriptions, or merchant-initiated transactions.10
Following the delays, some experts are warning that the EU payments industry and consumers could remain unnecessarily vulnerable to fraud, especially as the industry spends time working out the kinks while preparing merchants for SCA implementation. “During this 18-month delay, cybercriminals are sure to capitalize on a retailer’s weak spots and it’s the responsibility of business to shore up defenses at all stages of the customer journey, not only at the payment stage,” Nick Maynard, lead analyst at U.K.-based Juniper Research, told Mobile Payments Today.11
Others, however, see the SCA extension as an opportunity. Specifically, Duncan Barrigan, vice president of product at payments company GoCardless, told PYMNTS.com that the delay is an opportunity for payments service providers “to step back and review [their] payments strategy” and figure out how to reduce friction when implementing SCA.12 Any business that fails to use the 18-month delay to their advantage may end up introducing more friction into their transaction processes, potentially to the detriment of consumers.
A series of delays have affected implementation of the EU’s new PSD2 rules, with most recent delays extending the deadline for enhanced security requirements by 18 months. The delay could end up as a bane or a boon for businesses in the EU payments services industry, which could choose to put off implementing the requirements or use the time to improve their implementations.
Megan Doyle is a business technology writer and researcher based in Wantagh, NY, whose work focuses primarily on financial services technology.
1. “PSD2 Deadline 14 March: Questions You Should Be Asking Yourself,” Ping Identity; https://www.pingidentity.com/en/company/blog/posts/2019/psd2-deadline-march-2019-api-interface.html
2. “What a missed PSD2 deadline says about the challenge of implementation,” Tink; https://tink.com/blog/2019/3/20/psd2-sandbox-status
3. “EBA publishes an Opinion on the elements of strong customer authentication under PSD2,” European Banking Authority; https://eba.europa.eu/-/eba-publishes-an-opinion-on-the-elements-of-strong-customer-authentication-under-psd2
4. “FCA agrees plan for a phased implementation of Strong Customer Authentication,” U.K. Financial Conduct Authority; https://www.fca.org.uk/news/press-releases/fca-agrees-plan-phased-implementation-strong-customer-authentication
6. “EBA publishes an Opinion on the elements of strong customer authentication under PSD2,” European Banking Authority; https://eba.europa.eu/-/eba-publishes-an-opinion-on-the-elements-of-strong-customer-authentication-under-psd2
7. “FCA Gives Firms More Time to Comply With Strong Authentication Rules,” Infosecurity Magazine; https://www.infosecurity-magazine.com/news/fca-firms-more-time-strong/
8. “Strong Customer Authentication,” Stripe; https://stripe.com/guides/strong-customer-authentication
9. “ EBA publishes an Opinion on the elements of strong customer authentication under PSD2,” European Banking Authority; https://eba.europa.eu/-/eba-publishes-an-opinion-on-the-elements-of-strong-customer-authentication-under-psd2
10. “Strong Customer Authentication,” Stripe; https://stripe.com/guides/strong-customer-authentication
11. “Payments fraud remains on the table as PSD2 delay takes hold,” Mobile Payments Today; https://www.mobilepaymentstoday.com/articles/payments-fraud-remains-on-the-table-as-psd2-delay-takes-hold/
12. “SCA Delay: A Payments Opportunity In Disguise?,” PYMNTs.com; https://www.pymnts.com/digital-payments/2019/sca-delay-a-payments-opportunity-in-disguise/