National competent authorities have taken an ambiguous position on their enforcement deadlines for strong customer authentication — which has left the market unsure about how much flexibility there is, sources say.
Since the start of the year, national competent authorities in the EU are supposed to have been fully enforcing strong customer authentication (SCA), a requirement of the second Payment Services Directive, at the behest of the European Banking Authority (EBA).
However, some authorities have taken a unilateral approach to the regulatory requirement by implementing a gradual transition to full enforcement through different transaction levels.
SCA, which is meant to tackle card payment fraud, was originally set to be enforced from September 2019. However, the EBA chose to show flexibility, migrating this deadline to December 31, 2020, due to readiness concerns.
However, countries such as Spain and France, as well as those in the Benelux region, have taken a relaxed approach to their implementation of SCA, according to a source familiar with the payments industry. “The idea is saving the Easter holidays, they want to make sure people can shop online,” they said.
While the Banque de France has previously told VIXIO that it is not fully enforcing until July, the Banco de España, Spain’s responsible authority, has said that it is fully enforcing SCA.
However, VIXIO understands that Spain is pursuing a ramp-up strategy.
This comes at the same time as claims that the EBA is also taking a more relaxed approach — even if this is not an attractive prospect for them. “They could see that the industry was hitting a wall,” the source told VIXIO.
Previously, the EBA has warned that countries pursuing ramp-up strategies will face repercussions such as legal action. However, any sanctions or censures are yet to be imposed by the banking watchdog.
Italy and Spain have struggled to adapt to the new compliance requirements set out by SCA, according to data released by the payments consultancy, CMSPI.
“On an EU basis, what we’ve seen in February is an average failure rate of 31 percent across Europe, which isn’t far off what we were seeing with SCA testing data in 2020,” said Callum Godwin, chief economist at CMSPI.
Italy and Spain, however, have significantly higher rates, at an estimated 47 and 37 percent, respectively. “Our data in February so far shows little change, so there is a long way to go,” he added.
When approached for comment, the national competent authorities of Spain and Italy said that they were enforcing SCA, but did not delve into more detail.
“Please take note that the level of adoption of SCA in Italy is satisfactory,” said a spokesperson for the Banca D’Italia. “The situation is monitored with the aim of ensuring both the security and the smooth functioning of remote payment card transactions.”
Commenting on the impact of SCA in the Spain, Juan Salvador Ubeira Ruiz, sales director at the fintech start-up, Feedzai, told VIXIO that in general, Spanish banks had been expecting a delay, as had been the case in France.
This meant any preparations were done in a rush, and conversion was lost, he said.
In addition, there was very little awareness of SCA before it was enforced, he pointed out. “None of the banks did any campaigns and this meant that the first few weeks were a mess,” Ubeira Ruiz said.
“However, now it is in place, I expect adaptation to be quite fast. SCA will be ready by the summer,” he predicted, adding that the market has transitioned to the security protocol, 3D Secure version 2.1 (3DS 2.1) with ease.
In neighbouring Portugal, SCA has been fully enforced and is going well, according to Banco de Portugal. “Some fine-tuning is inevitable in a process of this dimension and involving so many players,” a spokesperson for the central bank told VIXIO, continuing that they have not received any complaints yet regarding non-compliance.
“Overall, there was a considerable effort from the Portuguese market to be fully prepared for the implementation of SCA requirements,” the spokesperson continued, pointing out that issuing payment service providers have now migrated the majority of their cards to the 3DS 2.1 protocol after work in 2020, while any remaining efforts continue this year.