UK Authorities Delay SCA Again...Again

Did you hear the one about how SCA is delayed for six months? Of course you have... Five times now. 

It would be funny if it weren’t so, well, not funny. UK retailers and their product teams have been whipsawed repeatedly by moving enforcement deadlines for the new payment regulations being ushered in by PSD2, which passed in 2015.

“These are complicated regulations, so it’s understandable that it takes time to get them right. The series of deadlines is partly the result of regulators trying to give merchants and banks adequate time to prepare while maintaining a sense of urgency,” says Michael Liberty, Signifyd co-founder and chief product officer. “That said, the uncertainty can be frustrating. Each time there is a delay, it throws development roadmaps into turmoil because every merchant is developer-constrained and has competing priorities.”

Here we are six years and five enforcement deadlines later, still wondering when the rules are actually going to be enforced. You wouldn’t blame retailers in the UK for thinking the change is never going to happen.

That, of course, would be a mistake. SCA is coming to the UK — really. The six-month breather is a precious opportunity to get it right. The alternative is losing up to 30% of conversions, according to CMS Payments Intelligence Inc. 

The truth is the UK is not ready for SCA — not merchants, not consumers, not banks. That’s why the Financial Conduct Authority (FCA) pushed enforcement back. This suggests a lack of preparation — and possibly the lack of awareness — among merchants.

Merchants aren’t worried about SCA, but consumers are

While less than 13% of UK merchants listed SCA as among their top concerns this year, nearly 47% of UK consumers said they were somewhat or very likely to give up on transactions that required the kind of customer authentication that SCA requires. 

As a further sign that retailers have not fully processed the likely effects of SCA, nearly 72% of retailers surveyed said they expected to see either no change or an increase in their conversion rate under the payments regulation. Nevermind CMS Payments’ finding that in countries where SCA is being enforced, merchants are losing 30% of their transactions. 

The reasons for the erosion in conversions under SCA are not complicated. The new regulation requires that a consumer be authenticated by two out of three of the following:

• Something the user knows (like a one-time passcode)

• Something the user has (like a mobile device)

• Something the user is (fingerprint, facial recognition, typing behavior)  

While the extra authentication steps will no doubt provide better protection from fraud, they could have unintended consequences when it comes to the customer experience a merchant provides. 

Each verification method introduces the possibility of adding friction to the buying experience, including having to move from a merchant’s site to a banking site and back to the merchant’s site. There are ways to avoid SCA in some cases through the use of exemptions and exceptions, but in other cases, SCA cannot be avoided. 

Use the six months to update your entire risk management strategy 

Retailers would also be wise to use the coming months to reassess their entire fraud-protection strategy and confirm that it is ready for the SCA era. Fraud is constantly changing and fraudsters are constantly looking for vulnerable targets to attack.

With SCA already being enforced in much of the European Economic Area, it’s likely that fraud rings will turn their attention to the UK where the extra protection of SCA is not yet in force. Merchants will want to be prepared today for more — and more innovative — attacks.

And there is nothing stopping banks that issue consumers’ credit cards from launching SCA before the spring deadline. In fact, our research indicates that major issuing banks are likely to go ahead with their SCA implementations, meaning a significant number of UK consumers’ transactions will be subject to SCA, whether the regulation is being actively enforced or not. 

For that reason alone, retailers should consider accelerating their SCA rollout to avoid the confusion their customers will experience when faced with the need to suddenly authenticate themselves on a bank’s website before being able to make a purchase on a retailer’s website. 

If you’re a merchant and you’re frustrated by the mixed messages, shifting deadlines, lack of consultation, we get it. You might be tempted to throw up your hands and ignore the whole SCA mess — to believe the enforcement when you see it.

But don’t do that. SCA enforcement is coming — no joke.