In so many ways, this moment seemed inevitable. The PSD2’s final Regulatory Technical Standard (RTS) deadline is right around the corner, and many of Europe’s banks and providers of payment services aren’t even close to meeting it.
As much anxiety as the looming September 14th deadline has caused, an ultimate extension to the PSD2 has long been in the cards. This mood was established back on March 14th, when the first deadline passed (if somewhat silently) for banks to roll out the implementation of “dedicated interfaces” (i.e., open APIs) ready for testing by payment initiation and account information service providers.
When 41 percent of banks missed that deadline, concerned murmurs turned into woeful groans as the continent’s financial industry awakened to the reality of what it would really take to unleash Open Banking in Europe.
While the EBA has stated repeatedly that it believes enough time has passed since the original 2015 PSD2 notification was issued, the regulator has also acknowledged that there are legitimate concerns remaining about the readiness of payment providers across most of the European Economic Area (EEA), the area affected by PSD2.
Following a statement made last June, the EBA said that it would allow some businesses, on an “exceptional basis,” to apply for an extension to the final PSD2 deadline, but only if the providers were cleared by national authorities. Having largely failed to open up APIs to third-party providers and faced with urgent requirements to introduce the PSD2’s Strong Customer Authentication (SCA) two-factor process by September 14, most banks have balked.
“The new SCA requirements have always been a complex, ambitious and in some way ambiguous piece of legislation,” said Jackie Barwell, director of fraud product management at ACI Worldwide.
“The need for repeated opinion documents to ensure the interpretation of the new rules is correct underlines this,” she added, referring to the EBA’s June review, which clarified that credit/debit card data would not count as an authentication factor for complying with SCA regulations, contrary to what many banks had previously believed and planned for.
“The fact that some firms may not hit the deadline is partly due to the complexity and ambiguity of the legislation rather than a lack of preparation by the industry,” she affirmed.
18- to 36-month extensions
Several national financial regulators across Europe have already acted. With the legal blessing of the EBA, regulatory authorities in the UK and Ireland have made 18-month delays available, while Germany and Greece are prepared to follow suit.
However, even this extended deadline may not be sufficient. Taking the advice of the EPSM, a payments industry association, to allow for extensions of as long as 36 months, France’s regulator, the Banque de France, released an annual report stating that it had created a multi-step migration plan, which aims to have the clear majority of French companies SCA compliant by December 2020, with a full deadline earmarked for 2022.
The EBA has supported the move by Banque de France, reaffirming that payment providers, in particular, must meet some additional guidelines in order to be awarded this extension, including the official provision of a migration plan that outlines the company’s timeline to come into compliance.
Yet, while the two main pain points woven into the full PSD2 deadline — opening APIs and introducing SCA — have proven to be more complex than thought, this should not be seen as a blanket judgment for all of Europe’s businesses.
Since the PSD2’s March deadline passed, many of Europe’s largest banks have introduced sandboxes for TPPs via API portals. As of June, about 97 percent of the major European banks provide accessible online sandboxes. However, many of those sandboxes aren’t actually PSD2-compliant because the products they offer are substandard in terms of functionality, stability, accessibility, and quality of data.
This is problematic because instead of upgrading Open Banking services thanks to increased ease of access, many of these APIs will degrade or paralyze them completely.
The clearest example is access to personal data or accessory information contained in payment accounts. While current systems (based on web scraping) allow TPPs to gather a host of account holder information, most dedicated APIs don’t provide personal data on the account owner because banks claim this information is beyond the purview of PSD2. However, this information is necessary for many applications, such as credit risk analysis using account aggregation, or to verify the identity of the payment issuer for regulated services such as those provided by money transfer companies.
Because of this, many TPPs now favor an approach that allows them to use their current technology as a fallback mechanism in place of dedicated interface access, while incorporating systems that allow them to authenticate themselves to the bank as licensed AISPs/PISPs. This approach is still being discussed with regulators, and as of now there is no final resolution on this issue.
An extension of the deadline would solve this problem because it would allow TPPs to continue with business as usual until the requirements of the directive and the banks’ APIs are refined further, so that they no longer represent a downgrade in quality of service.
The problem of SCA
Whereas open APIs are easy to monitor — being by their very nature “open” for all to see — SCA requirements sit at the opposite end of the spectrum: the encrypted world of cybersecurity. At the time of writing there is thus scant public information about how far many providers of payment services and banks have progressed in the rollout of the now-notorious SCA requirements.
According to a public register that tracks the progress of open banking, there is still no data available that would help ascertain how far along the two-factor authentication process has come within the major banks of Europe. However, several payment providers have made public their compliance with SCA, including Amazon Pay, Stripe and PayPal.
Under EBA law, SCA regulations will apply when both the acquiring bank or processor and the customer’s payment instrument are in the EEA, an area that includes all European Union member states as well as Iceland, Liechtenstein, and Norway. This leaves little room to hide, as the legislation covers most of the economic activity of the continent.
If the EBA’s decision to issue a June opinion is read as a signal, the implementation of SCA thus far doesn’t look good.
Yet, it is the SCA that promises to have the largest immediate impact on online commerce, and it is thus guaranteed to be a subject of contention, debate and speculation for the long run.
The EBA’s rationale for implementing SCA as a final measure to the PSD2 comes from the desire to engineer a protective backstop within the open banking ecosystem to head off a predicted rise in cybercrime. Indeed, combating the rise of online fraud has become a priority commensurate with the global boom in e-commerce.
According to Euromonitor International, global consumers will spend an estimated $6.77 trillion on goods and services bought online this year — double the online spend from five years ago.
Cybercrime thrives off of this large digital volume of commerce because transactions completed without a physical card are much more susceptible to fraud. Indeed, Mastercard estimates the fraud rate for online transactions is about 10 times the rate it sees for in-store transactions.
Given that 10 percent of all consumer payment transactions in Europe are executed through digital devices, with that rate promised to only rise in the coming years, the EBA’s direction to enforce greater authentication measures for digital payments is forged upon good reason.
Another “GDPR moment”
Yet, while online retailers remain incredibly exposed to losses associated with these cyberattacks, they are equally dismayed by the prospects of the advent of SCA. There has been palpable panic through the rank and file of e-commerce firms, which have rung the warning bells alerting the continent of “another GDPR” moment.
Exponents of CX optimization are sweating — they face an impasse that threatens to dismantle the fruit of long hours spent building the perfect sales funnel.
“Merchants have done everything to optimize the consumer journey over the years and now suddenly this regulation will cause more friction,” said Charles Damen, senior vice president of payments strategy for payment processor Worldpay.
However, he stopped short of spreading any unjust fears. “I do think there will be chaos initially,” Damen said. “What has not happened enough is that both issuers and certain merchants have not really communicated about the impact to their consumers,” he added.
Several recent studies, however, claim there is still plenty of cause for worry. A June report by online payments provider Stripe forecast that Europe stands to lose €57 billion of economic activity in the first 12 months after SCA takes effect. This loss is mostly related to the predicted plummet in user experience.
Presented with a sudden new process requiring at least two new factors for payment authentication, the average customer is expected to experience at least a basic level of friction, if not a full-on crash in usability.
“[Businesses] might have to accommodate at the beginning because the first time may not be seamless or intuitive,” says Gilberto Caldart, president of international markets for Mastercard.
The PSD2 final deadline will likely be extended, giving a long (or longer) timeline for online businesses and payment providers to get their act together and prepare for the eventual tidal wave of open banking norms to become enforced, once and for all. No one can say they have not been warned.