Europe's strong authentication regs mired in confusion
Payment companies have made substantial investments into new identity rules in Europe, but the deadline has become a moving target with different agencies offering conflicting or unclear guidance.
"It's fair to say there's no absolute clarity across the industry," said Hannah Fitzsimons, executive vice president and general manager at Elavon Merchant Services, who is part of the U.S. Bancorp subsidiary's team responsible for building merchant services and partnerships in Europe.
Bank and fintech collaborations are supposed to be easier because of the revised payment service directive (PSD2), a regulation designed to streamline data sharing between banks and technology companies such as mobile payment providers. PSD2 compliance was always expected to be challenging, but the part of the rule that governs identity risk in the e-commerce age has proven to be particularly vexing.
By the original deadline of Sept. 14, companies were supposed to implement strong customer authentication (SCA), or a mix of password, device ID or biometric authentication that uses two keys to unlock an account. The goal of SCA is to migrate away from passwords, but that's nowhere close to happening. Stripe and 451 Research earlier this year showed a major lack of knowledge and readiness for SCA in Europe, estimating the rule could cost up to $75 billion in lost revenue in the first year because of rejected transactions. The payments industry has lobbied for more time and is starting to get some relief.
The U.K.'s Financial Conduct Authority this week extended the September deadline for another 18 months, though there is still some work required by September. The FCA will not take enforcement actions against firms that can prove they have taken steps to comply with the plan.
Other regulators are also making concessions, but not always to the same degree. The Bank of Ireland is delaying the deadline, though the terms of the delay are uncertain beyond the central bank's promise to work with the industry to provide a smooth transition. The European Banking Authority has promised to grant limited extra time for SCA, provided the petitioner has a detailed road map for compliance.
In an email, the FCA's press office said it would engage with regulators to ensure a consistent approach. The EBA did not return a request for comment.
The EBA has issued guidance on SCA, though that guidance has been criticized for not being thorough.
"Some of the guidance is not terribly helpful. RTS stands for Regulatory Technical Standards. But they're not actually regulations, particularly technical, nor are they standards," said Gareth Lodge, a senior analyst at Celent. "How can the banks build solutions when they don’t quite know what they’re building?"
Elavon has been busy in Europe, partnering with software company ePages to combine digital and physical retail technology for small businesses in the U.K. and Ireland, with an expectation of greater geographic expansion.
A deal with Societe Generale will give the bank access to Elavon's cross-border payments technology for businesses in the U.K., Austria, Belgium, Germany and other European markets.
"Our priority has been keeping the dialogue open so the stakeholders we deal with know as much as we do," Fitzsimons said. "At this point everyone is assuming the date in September won't have any enforcement teeth behind it."
Elavon's not alone, as other payment technology companies have also made moves. Stripe earlier this year acquired Touchtech, which built a 3D Secure product that authenticates online card purchases with no passwords or one-time codes, and is designed for PSD2 compliance.
Stripe, which did not return a request for comment, plans to use SCA as part of a global push for its merchant acquiring and payment software businesses, predicting that PSD2-influenced SCA will encourage global markets to make similar migrations.
Elavon has worked on 3D Secure, the updated authorization standard that's closely tied to overall PSD2 compliance; and artificial intelligence, to ease PSD2 and SCA migrations for its partners in Europe.
Beyond the delays, the migration is coming, and is necessary, Fitzsimons said. "Enforcing authentication is a good thing, it's going to drive down fraud. We're looking at ideas around how we can better verify our customers and their clients."
Europe's stagnant SCA migration comes within the broader context of a global push to replace static authentication like passwords and government IDs such as Social Security numbers with digital ID that's interoperable and transferable. That effort has lots of support, though it comes with uncertainty due to competitiveness between private firms and inconsistent international standards. So even if Europe's SCA migration gets on track, there's still work to do to ensure digital ID can keep up with other advancements in digital commerce.
"It will take years for it to be clear where the greatest opportunities will come," Fitzsimons said.