Strong Customer Authentication (SCA): – why the radio silence?

We speak with Paul Rodgers, Chairman of Vendorcom, who shares his
five-point SCA success plan:


What is Strong Customer Authentication

These new rules, introduced in 2018 and originally due to be enforced
from 14th September 2019, are part of the European Union’s (EU)
revised Payment Services Directive (PSD2), and were created to
improve the security of payments and prevent fraud. All payment
service providers within the EU will have to implement the changes,
which centre around multi-factor authentication to increase the
security of payments.

However, implementation has been fraught with delays
due to the lack of a coherent plan until just before the initial
2019 deadline. The COVID-19
pandemic has pushed it back still further, and there is currently a
disparity between the revised deadlines adopted by the different
authorities involved. For example, the European Banking Authority
(EBA) is currently maintaining its deadline of 31 December 2020,
and has not adjusted this despite the pressures created by
COVID-19. Meanwhile, the UK’s Financial Conduct Authority (FCA)
has moved its date back six months from 14 March 2021 to 14
September 2021.

In his comments below, Paul calls for clarity, common
sense and collaboration to fix this industry-wide problem.

SCA – why the radio silence?
“It’s just crazy that the European Banking Authority has not
made any public pronouncements on SCA since 16th October 2019. It
is 226 days since it last issued one of its official ‘opinions’
on SCA and I think the EBA needs to come out of the closet and say
what its intentions are.”

“The lack of clarity is creating turmoil in the
pan-European merchant payments sector and in particular ecommerce.
I know there are private meetings going on with the National
Competent Authorities across Europe but that’s not good enough;
they need to take a public stance.”

“I’m now calling on the European Commission to
intervene as I think that only the Commission can now take charge
and bring resolution to the impasse that the EBA is

“I think the implementation delay gives us a chance
to rethink. I’m still very much in favour of locking down
security in the ecommerce, mobile and remote areas of merchant
payments but I think we need to look at four or five key

So, what are they – here’s Paul’s five-point
recipe for change

1: SMS, one-time passcodes have to

“We need to use this delay to kill the SMS,
one-time passcode as the primary authenticating element because it
remains insecure and exclusionary and, as such, is not a good way

2: Time to find better security solutions

“We need to take a serious look, instead, at
alternative authentication elements, and specifically biometrics
and behavioural biometrics. But while doing that, we need to
recognise that this could be equally exclusionary in that it is a
tech-based solution for smartphones, which are by no means

3: Smooth the way for ecommerce

“We need to rethink how we remove checkout barriers
from ecommerce, essentially swinging our attention to check-in
authentication when somebody’s engaging in ecommerce.

“This would switch the emphasis to retailers
building relationships and loyalty so that customers spend more
time with them. Possibly, and maybe even necessarily, with some
friction at the check-in point where they’re trying to establish
that relationship and authenticate that new customer as that’s a
good time to do that sort of thing.”

4: Beware the fraudsters!

“We actually need to recognise that this delay in
SCA implementation could favour fraudsters. Their window of
opportunity has just got bigger – by 184 days! You won’t find
them complaining about the extension or the need to revise the
implementation plan.

“We need to recognise that and have a fresh look at
the fraud tools that we already have and new analytics and
prevention tools.

“There are plenty of solutions providers out there
that can make those available and merchants should be applying
those to actually cover the gap that not doing SCA will create in
our fraud prevention toolkit.

“It’s a travesty that, 14 years after we locked
on fraud in the face-to-face arena, we’re only now focusing in,
in earnest, on protecting and removing fraud from ecommerce, mobile
and remote ecommerce transactions.

“So, it’s a real dilemma. The reality says we
need to delay this, but we can’t just simply say ‘right,
let’s delay, and almost do nothing until 14 September next
year’, it’s a case of delay but really look at what we’re
putting in place in the meantime, because this exposes us.”

“Sadly, the fraudsters are just loving what we’re
doing at the moment.”

5: Working together to find a way

“As I have been saying for over a year, it’s time
for the regulators to wake up and stop skirting around the issue of
a collaborative approach to this, and diverting attention from this
issue by placing the responsibility in the hands of UK Finance to
put together this programme of work.

“Those sorts of bodies are no more capable of
creating a collaborative environment than the individual
organisations themselves (predominantly banks) and therefore the
regulator has to use this delay period to find a way of promoting
and sanctioning a much more collaborative environment to progress
this issue.

“Together, we need to find a way of creating that
ubiquitous solution that is easy to understand and use for the
citizen/consumer. In line with that, we also need to focus on
outcomes, not technical compliance.

“It’s about monitoring the readiness of the
market, not just in the deployment of technical solutions but in
the adoption of those solutions by the end consumer.”

And finally… is politics getting in the way
of market-friendly decisions?

“We also have another opportunity that the EU has
singularly failed to address in the past, which is to align
pan-European compliance deadlines. When the UK’s FCA went for 14
March 2021, the EBA chose the particularly challenging date of 31
December, 2020. I fear that if they offer any further extension to
the period of supervisory flexibility, they will perhaps delay it
by six months, and therefore end up at 30 June, 2021. That would be
an equally illogical date, given that we would be better off
aligning across Europe.

“The EBA is either just trying to be a heavy-handed
regulator and demonstrating that it is the organisation with the
teeth and the controls with no empirical basis for its decisions
and in denial of the facts and market reality.

“Or, it’s a case of, well, the UK has gone for a
sensible 18-month delay, but we can’t be seen to do what the UK
has done because of Brexit. I’m sure that such a political stance
would be denied but, since there are no good reasons not to align
dates, the true motivation will remain open to interpretation. I
hope that the Commission will now hold the EBA to account.”

Death knell for cross-border

“14 September, 2021 is my preferred date as it
would be two years after the original enforcement date and so would
focus people’s minds. If the EBA were to align with 14 September,
it would give us a chance to all come together, whereas its current
stance undermines the digital single market and cross-border trade
in Europe for consumer payments because cross-border business
between the UK and continental Europe is very difficult to prepare
for and operate when you’ve got two different deadlines.

“Fundamentally, by giving the National Competent
Authorities the ability to set their own deadlines and failing to
recognise the impact COVID-19 has had, there is a continued risk to
the overall wellbeing of the pan-European economy.”

Copyright © 2020 Vendorcom, All rights reserved.

The post Strong Customer Authentication (SCA): – why the radio silence? appeared first on The Fintech Times.