On February 5th the payments industry got together in a grey and drizzly Brussels to face off and discuss the future of EU payments, the revised Payment Service Directive (PSD2), and, most notably, 'strong customer authentication' (SCA).
For those new to EU payments law, the existing payments service directive (PSD1) was adopted in 2007 with the objective of making cross border payments easy, secure and efficient across the member states. The new payment service directive (PSD2) looks to modernize the existing law.
Since 2007 the payments space has changed. It’s an emerging market where many new and innovative types of payments service providers have emerged – think Monzo, Neat, Alipay, WeChat Pay, ApplePay, . “These service providers have brought innovation and competition, providing more, often cheaper, alternatives for payments, but were previously unregulated” explained the European Commission. PSD2 seeks to enhance efficiency, ensure a level playing field (including for new players) and protect consumers.
Centred around these objectives have been several controversial mandates, one of the most prevalent being strong customer authentication (SCA). Before going any further let me explain what this term means.
SCA is a new mandatory requirement for authenticating a payment made via the internet. Customers must use two out of the three elements set out in the regulation to authenticate a payment before it gets processed. The three elements of authentication are: something the customer knows (e.g. a password), something the customer has (e.g. a mobile phone) and something a customer is (e.g. a finger print).
As a consequence of the intent to protect consumers from fraud, the SCA has created some hurdles for the industry, specially where subscription services exist. In today’s world many of us use our various payment methods to take care of our bills, like our mobile phones, subscribe to services like Netflix, and top up accounts like transport services. We hand over our payment details and let the payment providers do the rest. With SCA customers will need to authenticate each of their subscription payments, sometime multiple times. Some industry participants at the event expressed concern over this requirement claiming that it will be too onerous on their clients, creating delays in payments and possible loss of clients.
During the forum representatives from the European Banking Authority (EBA) contested various questions regarding this matter and replied that industry should review the guidance notes and Q&A tool published on their website.
In review of the supplementing Directive (EU) 2015/2366 of the European Parliament with regard to regulatory technical standards for SCA, I noted an interesting exemption: when the customer makes a series of recurring payments for the same amount to the same business SCA will apply on the first payment but not for the reoccurring ones. For example, if your gas bill is set to a fixed amount, say €35, and you authorize your gas company to charge your credit card or e-wallet every month, then you will only need to authenticate this payment subscription once. However, if they amount is variable then you will have to authenticate each time.
However, before you breathe a sigh of relief, pay attention to the definition. It must always be for the same amount, otherwise SCA will apply, again and again. While subscription payments are often periodic and made to the same business, more companies are using a variable rate (also known as a metered rate).
Furthermore, I noted that Visa Europe has posted a consultation question on the EBA website asking them to consider exempting the credit card-initiated payments from SCA, as this hampers their use to make payments on subscription services.
“...payment cards are widely used for standing instructions where the payee pulls transactions from a payment card according to the conditions agreed with the payer. This would be the case for subscriptions to services, such as multimedia platforms on the internet or payment of utilities; payments in instalments; or top-up of a closed loop account (e.g. a card usable for public transport services).”
In reviewing the EBA’s response on this matter, I noted they have been flexible in exempting the credit card-initiated payments so long as the amount is always the same. However, the issue regarding variable amounts remains uncontested.
Taking a strategic view of the medium and long term of EU payments regulation, Javier Perez, President of MasterCard Europe, summarized it best: “Ideally payments will disappear and be fully, seamlessly embedded in the shopping action, with no extra efforts needed." It will be interesting to see if regulators share this view or continue to seek ways to introduce friction into the consumer experience. Either way, for the consumers and those innovating in this space, the future is bright as regulators are keen to support the innovation and those who are interested in diving into the payment space!
Carlos is a Senior Consultant at KorumLegal and has extensive experience in the payments and compliance area. As our "Flexible Traveller", Carlos is based in Berlin, works for Asia-based clients, and pays frequent visits to our Hong Kong and London offices.