Europe braces for the £57bn impact of Strong Customer Authentication
June 17 2019
by Jordan McKee
With Strong Customer Authentication (SCA) set to take effect in Europe on September 14, it's no surprise that our nearly two dozen meetings at Money20/20 Europe centered on the extensive market impact of this regulation. Stakeholders we met with expressed mounting concerns over ecosystem readiness, lingering regulatory ambiguities and the potentially devastating impact on the customer experience. According to a 451 Research study commissioned by Stripe and released at the event, Europe stands to see £57bn in online purchase volume abandoned during the first year of SCA as a result of added friction introduced at checkout.
The 451 Take
While SCA's objective of reducing fraud is commendable, the impact it will have on European businesses is deeply concerning. Increased customer friction, steep declines in conversion rates and in some cases outright transaction declines by card issuers are all real possibilities for merchants that neglect to comply with SCA and optimize their checkout flow by September 14. Money20/20 Europe confirmed that these concerns are widely held by payments industry participants. Among the biggest concerns discussed at the show were the lack of ecosystem readiness and the mounting challenge of migrating hundreds of thousands of merchants to a fundamentally new checkout flow in just three months' time. The silver lining for those in the payments industry is that SCA significantly increases both the complexity and importance of payments, elevating their strategic value to merchants and creating new opportunities for differentiation. This was evidenced at Money20/20 by the wide range of exemption engines and exemption management products that were showcased by vendors in attendance.
Merchant readiness for SCA remains a major concern
A consistent message we heard throughout Money20/20 was the lack of merchant readiness for SCA. As shown in Figure 1 below, just two in five online businesses that are aware of SCA feel prepared to address it and only one in two believe they will be SCA-compliant prior to September. This is a major red flag given that as the regulation stands today, issuing banks will be required to decline the transactions of non-complaint merchants starting on September 14. Broadly speaking, merchants appear to be severely underestimating the holistic impact SCA will have on their businesses.
Our conversations at the show also confirmed our belief that there will be a clear divide between European merchants that are compliant with SCA and those that have optimized for SCA. Several payment processors we spoke with shared their concern that many merchants are simply looking to 'check the box' on SCA compliance without taking into account the impact that added checkout friction will have on their customer experience and ultimately conversion rates. Compliance-centric merchants are at risk of losing sales volume to experience-centric merchants that optimize for SCA by effectively applying exemptions and tightly integrating authentication into their checkout flow.
Applying exemptions will be a powerful way to minimize customer impact of SCA and nearly every company we met with had a product to address this. Worldpay unveiled its 'Exemption Engine for Strong Customer Authentication' at the show, which in conjunction with its 3DS Flex product aims to reduce the complexity and cost of exemption management for merchants. A variety of anti-fraud providers we met with, such as Forter and Risk, touted their ability to manage the application of SCA and exemptions across multiple acquirers through their platforms. In a private roundtable session for analysts, Mastercard spoke at length about its ability to help facilitate exemptions for issuers through products like Decision Intelligence and NuDetect.
Figure 1: Readiness for SCA remains concerningly low
Issuer inconsistencies add to SCA's complexity
With estimates of the number of card issuers in Europe ranging from 5,000 to 6,000, achieving consistent implementation of SCA will be impossible to accomplish. Part of the challenge is that financial institutions across Europe are at varying points in their readiness for SCA. A small minority are ready to support 3D Secure 2 (3DS2) today, while others are unlikely to be ready by September 14. Some will be live with support for a handful of exemptions by the time SCA goes into effect, while others appear to be delaying exemption support until Q4 and beyond. We've also heard that certain issuers are unlikely to support specific exemptions outright, such as the Trusted Beneficiary exemption, due to security concerns and management complexities. The highly nuanced nature of SCA support across European issuers creates an incredibly complex landscape for merchants and their payment partners to navigate.
The high fragmentation on the issuer side increases the need for payment providers to have strong issuer relations to increase their chances at exemption success. This is especially important given it is ultimately the decision of each card issuer to support and accept an exemption. To address this challenge, Stripe has been working with top card issuers in Europe to understand their general approach to SCA and the specific exemptions they will be supporting come September. After SCA's implementation, Stripe will then begin building intelligence around exemption support across the long tail of card issuers by analyzing transaction data. This intelligence in turn will be used to optimize its exemption engine to deliver the highest exemption acceptance rates possible across each individual card issuer. Stripe has also uniquely positioned itself by acquiring authentication startup Touchtech Payments in April to expand its role on the issuer side of SCA.
Rumors of a phased SCA rollout run rampant
The impending start date of SCA against the backdrop of low market readiness and unaddressed regulatory ambiguities (e.g., the ability to use SMS one-time passcodes for two-factor authentication, liability outside of 3DS2) had many attendees discussing the potential for a phased rollout. Companies we met with that had been in touch with the Financial Conduct Authority (FCA) and European Commission in recent weeks noted that both groups are fully aware of the low level of preparedness among all market participants. While it remains unclear what, if anything, will be done to address this, continuing to push forward with a hard deadline of September 14 seems increasingly risky for Europe's economy because it would jeopardize massive volumes of transactions.
Several companies we spoke with posited that one outcome is likely to be some country-level flexibility on SCA vs. blanket enforcement of the regulation. Others noted this would only add to the complexity of SCA given the cross-border nature of digital commerce in Europe and suggested that an EU-wide delay of SCA is required. UK Finance, a trade association for the UK financial services and banking sector, has already proposed the concept of a managed rollout that would see hard enforcement and active supervision of SCA pushed out until March 14, 2021. Despite the potential for a loosened enforcement or a phased rollout, 451 Research's guidance is to continue moving forward with the anticipation that SCA will be enforced beginning on September14.