Strong Customer Authentication - a Litmus Test for Europe

For most of the past century, globalisation has been driven by large businesses. The very term multinational conjures the image of a giant corporation whose far flung units touch every corner of the world. 

The internet clearly has changed this equation significantly. Borderless and unparalleled in scale, it allows virtually any business, no matter how small, to reach customers anywhere. And in our part of the world, the European Union’s project of a Digital Single Market has added a political dimension to the technological progress. 

Harmonising regulation and making cross-border online activity easier for both businesses and consumers has played a big role in enabling a new generation of European founders to build and grow pan-European online businesses. Companies like Typeform from Spain, Doctolib from France, Catawiki from the Netherlands, or Voi from Sweden have expanded across the continent in very little time, providing economic success stories of European integration.

However, a massive change to European online commerce is now upon us Strong Customer Authentication (SCA) is one of the biggest regulatory disruptions to the world of payments in decades - both for merchants and consumers. Much has been said about its potential impact. While it will help to tackle fraud online, which threatens to undermine our trust in the internet economy, the economic loss that comes along with the new rules could be as high as €57bn across the continent, due to more friction in checkout processes. 

The reality is that a large part of the industry is still not ready for this seismic shift, despite the original deadline now having passed. On 21 June, the European Banking Authority (EBA) published an opinion which opened the door for national regulators to delay the enforcement date for SCA. While this was done with the good intention to give Europe’s online economy more time to prepare, it has actually confused a complicated situation even more by increasing the level of fragmentation across the continent in a way that could be a real threat to the Digital Single Market.

The decision of individual national regulators to interpret the EBA guidance differently and set their own roadmaps and enforcement deadlines of varying lengths is disturbing. This adds an extra layer of complexity to an already complex piece of regulation, and it could have deeply damaging consequences for online commerce. 

Cross-border payments, after all, have become the norm and many online businesses sell internationally, many of them from day one. If there are multiple rules by multiple actors in multiple countries, it will mean a disintegration of the European idea of a Digital Single Market, at least from an economic perspective. 

A joint e-commerce and payments industry statement this month recognised the threat of fragmentation, arguing mismatched enforcement would result in “inconsistent user experiences and confusion to consumers.”

Concerns about this threat are not unfounded. We’re already seeing a disparity in how regulators have taken on the EBA guidance. Some regulators took a liberal view on whether to push back enforcement. France, for instance, mentioned a three-year, no-strings-attached delay project. 

Others might not take up the offer at all. Others still found a middle ground - the UK and Germany are each looking at delays of 18 months. This could mean payments in one jurisdiction needing to be doubly authenticated, and others not. We’re unlikely to get more clarity on what to expect before the September deadline. At this point, there are two conclusions to be drawn from witnessing the discussion:

On a more pragmatic level, it’s important for online businesses to be aware that while there may be a delay of enforcement by some country regulators, they should still focus on getting ready for SCA, not least because some issuing banks may decide to not take up on the delay proposal, and instead apply SCA on day one. While the exact date of enforcement might be unclear, there are solutions ready and waiting to help merchants reach compliance and still keep up their conversion rates. These solutions can help them to apply SCA exemptions where possible, and ensure two-factor authentication is only applied when necessary.

On a more general level, the ongoing debate about a delay of SCA enforcement will be a litmus test for Europe’s unified approach to regulating technology. In times of growing nationalism, the European Union offers a counter-model of cooperation and integration – but only if national regulators reach consensus about how to deal with the enforcement delay across the different member states. 

Anything else would send a harmful signal in uncertain times, and significantly weaken the Digital Single Market. What is more, as SCA does not apply to non-EU companies, it would mean a real disadvantage for European technology companies. In the interest of Europe’s online economy, let’s hope national regulators find a way to harmonize the introduction of the new rules.