UK Finance has been working extensively with the cards industry and retail sector to understand operational readiness for the introduction of strong customer authentication (SCA) in September 2019. As a result, it has approached the FCA for agreement to a managed rollout of SCA for card transactions in an e-commerce context, effectively deferring, subject to conditions, mandatory SCA by 18 months to 14 March 2021.
Due to the cross-border nature of payments, it believes a pan-European approach should be taken, and has provided its Shared Industry Roadmap to Operational Readiness to the European Commission and other national associations in Europe for consideration.
Osborne Clarke has been supporting this significant activity by UK Finance and in this article, we share some insights from this work.
What's the issue?
The new requirements on SCA, aimed at making electronic payment transactions more secure, apply from 14 September 2019. However, despite best efforts, industry readiness is not where it should be. The main reasons for this are:
- Regulatory uncertainty: the requirements underpinning the PSD2 were settled at European level in H1 2018 when the SCA RTS was officially published (March 2018) and an EBA Opinion was published (June 2018). Since then, detailed work on their application has thrown up many questions of scope, interpretation and practical impact, on which consensus views have only recently emerged or are still emerging.
This is particularly the case for the cards industry, given: (i) the network arrangements; (ii) the involvement in the initiation of card transactions of merchants (as payees) and their acquirers (as payee PSPs); and (iii) the associated messaging between them, the relevant card network and the relevant card issuer.
For example, only in June 2018 was it confirmed that acquirers can make use of the SCA exemptions in addition to issuers, and only in March 2019 was it confirmed (via the EBA Single Rulebook PSD2 Q&A facility) that MITs (merchant initiated transactions) are out of scope. While all such questions are now largely answered, this regulatory uncertainty has clearly delayed implementation.
- Delayed availability of technological solutions: the introduction of SCA impacts all participants in the cards ecosystem and demands technological changes by them. A key tool for achieving this is 3D Secure (3DS). This is a global technical solution for authentication. It has been in use by merchants for many years, but activity in the UK is estimated to be fairly low despite mandates from the card schemes.
In addition, the newest version of 3DS, v2, has been designed to improve customer experience over v1.0 with new features including: additional device compatibility, additional functionality for a slicker customer mobile journey (over the slightly clunky OTP sent by SMS) and enhanced capabilities for MITs and certain key exemptions, such as trusted beneficiaries ('white-listing') and transaction risk assessment.
As a result, across the industry, there is both significant non-adoption of 3DS and no consistent approach towards or sequencing of version adoption. To add to this, there have been delays in deliverables by ACS providers for issuer's solutions (a key element of implementation).
- Low awareness: research indicates that more than 75% of merchants are unaware of the new SCA requirements.
What's the impact?
UK Finance's estimates suggest that come September 2019, around 25% of e-commerce card transactions would fail if no deferral action is taken. This is because from then, card issuers would in most cases have to default to 'stepping up' authentication to full SCA.
This in turn would result in transaction declines because the technological solution being used relies on a number of factors, such as a mobile phone number being used for a one time passcode, but also because a large portion of merchants do not support this technological solution. Naturally, this would have hugely negative impacts for consumers and the retail industry.
What's the ask?
The Roadmap seeks a postponement of mandatory SCA by 18 months, to 14 March 2021, offering a managed rollout through to then, with review points at which key metrics would be reported on and industry-wide communication both with merchants and consumers.
- Implementation timelines: the Roadmap assumes that the card schemes (i.e. Visa, Mastercard and Amex) would mandate 3DS v2 for delivery (which is still under discussion), with active supervision starting on 14 March 2021.
- Metrics: the Roadmap proposes three key review metrics: 1. Customer readiness. 2. Retailer readiness. 3. Fraud reduction. The latter is particularly important as it goes to the heart of the SCA requirements.
- Communications: one key part of ensuring 'successful' implementation is strong industry communication, particularly with consumers, to allow then to get used to the 'stepping up' of transaction authentication. Even in the simpler type of contactless transactions, consumers will need to get used to inputting PIN numbers more often when the relevant counter (five transactions or EUR150 cumulatively) has been reached.
What's the scope of this proposal?
The Roadmap is focussed on the cards industry generally, though it recognises that certain sub-sectors may require a different approach, because of additional complexities (mostly other intermediaries). These include hospitality, the third sector and fundraising, physical retail (for changes to point-of-sale terminals) and gaming. However, this will be subject to regulatory agreement.
The FCA and the European Commission and other competent authorities are currently considering the position, so it is very much a case of "watch this space".