Strong customer authentication rules will provide a litmus test for Europe


The internet has clearly changed this equation for the better. Borderless and unparalleled in scale, it promises to allow virtually any business, no matter how small, to reach customers anywhere.

And, in our part of the world, the European Union’s strategy toward a Digital Single Market has added a political dimension to the technological progress.

Harmonising regulation, and making cross-border activity easier for both businesses and consumers, have played a big role in enabling a new generation of founders to build and grow pan-European online firms.

Irish companies such as Pointy, Glofox and Teamwork, along with other European companies like Typeform from Spain, Doctolib from France, Catawiki from the Netherlands and Voi from Sweden, have expanded across the continent in a short space of time, providing success stories not only of European innovation, but also of European integration.

However, a very significant disruption to European online commerce is coming. Strong customer authentication (SCA) will be one of the biggest regulatory changes to the world of payments in decades, both for merchants and consumers. Much has been said about its potential impact.

While it will help to tackle fraud online, which threatens to undermine trust in the internet economy, the financial impact of the new rules could be as high as €57bn across the continent, due to resulting friction in checkout processes.

At Stripe, we are doing all we can to prepare merchants of all sizes, and ensure they are ready by the September 14 deadline.

We’ve talked to customers, regulators and policymakers, updated our product suite, produced guides, held events and notified users of what to expect. Many of our peers and other industry groups have been doing the same.

But the reality is that a few weeks before SCA comes into play, a large part of the industry is not ready for this seismic shift.

Reflecting this, on June 21, the European Banking Authority (EBA) published an opinion which opened the door for national regulators to delay the enforcement date for SCA.

While this was to give Europe’s online economy more time to prepare, it has potentially increased the level of national fragmentation across the continent.

Individual national regulators interpreting the EBA guidance differently, and setting their own roadmaps and enforcement deadlines of varying lengths, adds an extra layer of complexity to an already complex piece of regulation – and could have unintended consequences for online commerce.

Cross-border payments, after all, have become the norm. A study commissioned by Stripe earlier this year found that 70pc of online businesses sell internationally, many of them from day one. If there are multiple rules from multiple actors in multiple countries, it will disrupt the progress of the Digital Single Market. A joint e-commerce and payments industry statement last month recognised the threat of fragmentation, arguing mismatched enforcement would result in “inconsistent user experiences and confusion to consumers”.

Concerns are not unfounded. We’re already seeing a disparity in how regulators have taken on the EBA guidance.

Some have announced an intention to push back enforcement. France, for instance, mentioned a three-year delay. The Central Bank of Ireland did not specify exactly how much extra time businesses would be given, though it is expected that the delay will be similar to the 18 months put forth by Germany and the UK.

This could mean that payments in one jurisdiction will need to go through two-factor authentication, but others won’t.

We’re unlikely to get much more clarity on what to expect before the September deadline, and, at this point, there are two conclusions that can be drawn.

On a pragmatic level, it’s important for online businesses to be aware that while enforcement by some regulators may be delayed, they should still focus on getting ready for SCA – not least because some issuing banks may decide not to adhere to the proposals for delay, and instead apply it on day one. Other issuing banks may not be able to benefit from delay proposals at all. While the exact date of enforcement might be unclear, there are technical solutions in the market to help merchants reach compliance and still maintain their conversion rates. These solutions can help them apply SCA exemptions where possible, and ensure two-factor authentication only applies when necessary.

On a more general level, the ongoing debate about a delay of SCA enforcement is something of a litmus test for Europe’s unified approach to regulating technology.

In times of growing nationalism, the EU offers a counter-model of co-operation and integration – but only if national regulators reach consensus on common approaches, including on the timing of enforcement across different member states.

Anything else would cause fragmentation in the Digital Single Market. What is more, as SCA does not apply to non-EU companies, it could mean a real disadvantage for European technology firms.

In the interest of Europe’s online economy, let’s hope national regulators find a way to harmonise the introduction of the new rules.

Irishman Michael Cocoman is Stripe’s overall head of regulatory, based in San Francisco

Sunday Indo Business

Leave a Reply