The latest enforcement delay of strong customer authentication (SCA) in the UK is at once hard to believe and expected.
Hard to believe because it marks a series of similar delays, including six months ago and a year ago, and twice before that, which is enough to have you saying, “You’ve got to be kidding.” But totally expected because neither merchants, nor their customers, nor their banks are ready to live by the rules that come with the payment regulation.
My colleague and Signifyd co-founder Michael Liberty has said that the delays are understandable, given the complexity of the latest payment regulations. But that doesn’t make it any easier on the merchants who ultimately have to implement the new online commerce safeguards.
“The uncertainty can be frustrating,” Liberty added. “Each time there is a delay, it throws development roadmaps into turmoil because every merchant is developer-constrained and has competing priorities.”
- The Financial Conduct Authority has once again pushed back the enforcement of strong customer authentication (SCA), a requirement under PSD2. The FCA noted that merchants and financial institutions are not yet ready for an SCA world. Enforcement has been pushed from 14 September to 14 March 2022.
- The requirement is already being enforced across much of Europe. Where SCA is being enforced merchants are losing up to 30% of conversions.
- Some banks have said they are going ahead with SCA no matter the deadline, meaning some UK transactions will be subject to SCA before the enforcement deadline arrives
Here we are six years and five enforcement deadlines later, still wondering when the rules are actually going to be enforced. You wouldn’t blame retailers in the UK for thinking the change is never going to happen.
I’ve got news for merchants, news they already know: SCA is going to happen — really. The latest six-month delay is a precious opportunity to get it right. The alternative is losing up to 30% of conversions, according to CMS Payments Intelligence Inc.
The Financial Conduct Authority (FCA) concluded that the UK was unprepared and wisely pushed back enforcement of SCA until March. Signifyd’s own market research points to the lack of preparation — and possibly the lack of awareness — among merchants.
SCA has consumers worried. Merchants? Not so much
While less than 13% of UK merchants listed SCA as among their top concerns this year, according to a Signifyd survey conducted by Upwave. Nearly 47% of UK consumers in a separate Signifyd survey said they were somewhat or very likely to give up on transactions that required the kind of customer authentication that SCA requires.
As a further sign that retailers have not fully processed the likely effects of SCA, nearly 72% of retailers surveyed said they expected to see either no change or an increase in their conversion rate under the payments regulation. Never mind CMS Payments’ finding that in countries where SCA is being enforced, merchants are losing 30% of their transactions.
The reasons for the erosion in conversions under SCA are not complicated. The new regulation requires that a consumer be authenticated by two out of three of the following:
- Something the user knows (like a one-time passcode)
- Something the user has (like a mobile device)
- Something the user is (fingerprint, facial recognition, typing behavior)
While the extra authentication steps will no doubt provide better protection from fraud, they could have unintended consequences when it comes to the customer experience a merchant provides.
Each verification method introduces the possibility of adding friction to the buying experience, including having to move from a merchant’s site to a banking site and back to the merchant’s site. There are ways to avoid SCA in some cases through the use of exemptions and exceptions, but in other cases, SCA cannot be avoided. In those cases, merchants will want to build or turn to a technology-based solution that can intelligently route orders through the authentication process in the least disruptive way possible depending on the order’s characteristics.
Take the six months of breathing room and update your entire risk management strategy
Getting that solution up and running seamlessly would be a great use of the sixth-month reprieve.
Retailers would also be wise to use the coming months to reassess their entire fraud-protection strategy and confirm that it is ready for the SCA era. Fraud is constantly changing and fraudsters are constantly looking for vulnerable targets to attack.
With SCA already being enforced in much of the European Economic Area, it’s likely that fraud rings will turn their attention to the UK where the extra protection of SCA is not yet in force. Merchants will want to be prepared today for more — and more innovative — attacks.
Banks may turn to SCA — ready-or-not
One more thing: There is nothing stopping banks that issue consumers’ credit cards from launching SCA before the spring deadline. In fact, our research indicates that major issuing banks are likely to go ahead with their SCA implementations, meaning a significant number of UK consumers’ transactions will be subject to SCA, whether the regulation is being actively enforced or not.
Given that some transactions could be subject to SCA at any moment is reason enough for merchants to speed up their SCA rollout. Otherwise, consumers will be confused when they are faced with the need to suddenly authenticate themselves on a bank’s website before being able to make a purchase on a retailer’s website.
While many aren’t ready for SCA, Signifyd is. Signifyd’s Seamless SCA solution provides merchants with the ability to meet the regulation without creating friction for their customers. Seamless SCA’s pre-authorization approach sees to it that retailers send only the cleanest traffic to banks for authorization. Our intelligent system routes transactions in real-time down the path of least resistance — and highest efficiency — by considering whether the order is subject to SCA and if so, further considering the bank’s propensity to accepting exemptions to SCA.
So, rest assured: Help is available.
To merchants who are frustrated by the mixed messages and changing deadlines, we say, “We get it.” If we were in your shoes we’d be tempted to throw up our hands and ignore the on-again, off-again SCA requirements. But you know that’s a mistake and we know that’s a mistake.
That’s why we suggest the wiser course: Just get SCA done. You’re going to need it.
Photo by Getty Images