The saying “desperate times call for desperate measures” is believed to have been coined by the ancient Greek physician Hippocrates. The proverb calls for the use of extreme methods to fight acute diseases, but what exactly are appropriate measures when dealing with the fallout from a global pandemic?
In the unusual circumstances of the COVID crisis, European financial regulators find themselves tasked with mitigating the impact it has on consumers, merchants and banks. They’re hearing the call to change course with respect to the PSD2 enforcement deadline – and to postpone it once again. This is why the recent April 30 announcement made by the FCA, the UK financial services regulator, delaying the implementation of strong customer authentication (SCA) by six months, to September 2021, came as no surprise.
The announcement added confusion to an already complex situation. Even before the latest FCA announcement, requirements and enforcement schedules varied across markets, and as long as the EBA sticks to December 2020 as the EU-wide PSD2 enforcement deadline, the geographical component of this regulation becomes even more acute. What determines the requirements when the country of issuer and the acquirer abide by different enforcement dates?
Unless such a EU-wide enforcement delay is announced, in the run-up to 1 January 2021 it is expected that card issuers, transaction processors and payment service providers will gradually introduce SCA enforcement. In some markets, such as in The Netherlands, official plans have already been made public, setting the way for earlier activation as part of a phased implementation, in what is referred to as a ‘soft decline’ approach.
Until now, the main reasons given for declining online card payments included insufficient funds and invalid card details or expired cards; soon to be added to this list will be lack of customer authentication. Following a soft-decline the merchant can resubmit the payment to the issuer, with SCA, but this would draw out the payment process, and could lead to frustrated customers and even drop off.
So, what does this mean for merchants?
To avoid falling behind or having transactions unnecessarily declined as a result of ill-preparedness, merchants could proactively take these key steps:
Keep a firm grasp on fraud rates.
The outbreak of COVID-19 has put a massive strain on merchants’ fraud review operations, with many fraud and customer service teams being forced to work from home. To add insult to injury, official law agencies report that sophisticated fraudsters are already attempting to capitalize on the chaos.
This means that now, more than ever, merchants should focus on fraud prevention while keeping high approval rates a priority. In a PSD2 context, merchants will benefit from their acquirers pushing for maximum exemptions, as it will allow them to deliver a fast, frictionless payments experience. For this to happen, fraud rates will need to be kept as low as possible.
Fraud prevention is an ongoing effort, so for merchants to make sure that they are well positioned to capitalize on SCA exemptions once PSD2 enforcement takes full effect, the time to act is now.
Actively engage with your acquirers to test for exemptions.
By now, forward-looking merchants have already set out their plans for a robust and holistic exemption strategy. This includes: mapping the available exemptions that merchants want to apply and agreeing with their PSP on who initiates those; redesigning operational flows to capture transactions that failed SCA; and eventually, coordinating the testing for those exemptions, well before the enforcement deadline. Merchants who will be able to maximize exemptions will gain a competitive advantage.
This approach also comes across in the FCA latest announcement, which clearly indicated that despite the revised UK PSD2 deadline, the FCA expects firms to continue with the necessary preparations, such as robust end-to-end testing.
Integrate 3DS – but activate it only on a reactive basis when required.
While all merchants must be able to perform SCA when issuers request authentication, it is best not to send orders to SCA if it’s not required, because of the added friction.
Tracking payment authorization rates across issuing banks can help reveal when a specific issuer has started applying SCA, allowing merchants to react appropriately and enable 3DS only when required, making sure the negative impact on customer experience (and revenue) is minimized.
The UK is perhaps the first country extending the delay of the PSD2 enforcement due to the COVID crisis, but without a coordinated, European-wide delay to the enforcement deadline, UK merchants, as well EU merchants, will need to make sure they are PSD2 compliant by end of 2020, if they wish to keep their EU sales intact, a critical element in any post-COVID growth strategy.