After 15 months of banging the drum at any industry event I was speaking at, it finally looks as if we’re getting a response to my warning calls that the EBA’s Regulatory Technical Standards for Strong Customer Authentication (RTSSCA) would bring European ecommerce to its knees.
The risk of a £45bn hit on ecommerce markets in the UK and €160bn across Europe seems to have focused minds with the EBA now acknowledging ‘the complexity of the payments markets across the EU and the necessary changes… which may be challenging and may lead to some actors in the payments chain not being ready.’. It’s rather surprising that this realisation seems to have just dawned on them despite the fact that card schemes, acquirers, processors, gateways and merchants have been telling them for a long time that their suggestions were probably the most ludicrous piece of legislation to come out of Europe – and that’s saying something! It’s over 1000 days ago that the EBA launched its first consultation in August 2016 and Vendorcom and its members first realised the car crash of unintended consequences that was to come.
However, we are where we are and the EBA’s belated ‘Opinion’ on 21st June has now delivered a magical world of ‘supervisory flexibility’ that the 31 Competent Authorities (CAs) across Europe are trying to respond to. The EBA is looking for plans that meet their demands that any relaxation in the enforcement of RTSSCA should ‘…be on an exceptional basis…’; ‘…monitor execution…’; ‘…ensure swift compliance…’; ‘…set up a migration plan…’; ‘… request relevant information…’; and ‘…achieve consistency across EU…’. Good luck with that!
The banks/issuers are waking up from their stupor and beginning to realise that their siloed approach to payments have left them sleep walking towards the SCA cliff edge.
The hunger for clarity is now raging across the merchant payments world and it’s time for the EBA and Competent Authorities to shake off their negligence of the past 480 days. The European Regulatory authorities have got us into this mess and, unfortunately, only they can get us out!
The payments ecosystem needs a strong mandate from the EBA and CAs to drive the collaborative change that will be necessary to deliver a consistent, ubiquitous approach.
Fifteen years ago, I had the privilege of sitting on the UK Chip & PIN Programme Management Organisation (PMO). This group, instigated by the Association for Payment Clearing Services (APACS), was highly effective in taking all aspects of the transition into consideration and keeping the Technical, Operational and Communications strands aligned.
As we move closer to the possibility of a transitional implementation beyond ‘SCAday’, I hope we will see a similar group set up to ensure that the implications of developments in one strand are appreciated by all stakeholders who have a role in the effective, seamless rollout of RTSSCA into the merchant to citizen/consumer payment value chain.
In chip & PIN, we had the advantage of an international standard that had been locked down by a collaborative/market-aware body, EMVCo. Given that the regulatory environment for SCA ‘centres’ on 31 ‘Competent Authorities’, with rules that are so poorly drafted, I believe that in addition to working groups for Technical, Operational, and Communications strands, we must have a Regulatory strand working group to ensure consistency across all regulatory domains. I am not confident that this has much profile in the current debate and urge merchants and payments solutions providers to promote this. After all, the intent of RTS SCA is crucial to maintaining consumer trust in the payments ecosystem. Almost 15 years after locking down fraud in face to face transactions, it’s about time we offered consumers the same level of protection online.
The situation is changing daily at the moment so you can follow my #SCAday countdown as I bring all the latest updates between now and 14th September – and beyond, at https://www.linkedin.com/in/paypaul
Register for FinTech Connect on 3–4 December at ExCeL, London.
View the FinTech Connect 2019 website to find out more
Source: https://www.fintechconnect.com/regtech-security/articles/sca-sense-prevails
