This article was originally published in The Paypers, which you can read here.
Like most of the payments industry, we have been keeping a close eye on the fast-approaching PSD2 regulations and are working to determine the best way to support our clients, partners and fellow travellers through the upcoming changes.
We believe this means excellence in transaction risk analysis, the ability to exempt all relevant transactions, and the elegant support of SCA for those that cannot be exempted. Here’s how we think this will play out.
PSD2 is coming and bringing Secure Customer Authentication with it
Although PSD2 is primarily a directive aimed at opening up banking and access to accounts, the impact that consumers are likely to notice first is a significant increase in friction during the purchase journey. This is because PSD2 has pushed for SCA on every electronic transaction.
The Regulatory Technical Standards (RTS) for PSD2 were released in late February 2018. It is without question that we will see more SCA in the consumer world than we do today. Although the European Banking Authority (EBA) have rowed back from an initial position which would have seen it on almost all transactions, it would be sensible to work from the assumption that there will be SCA on many more transactions and prepare accordingly.
Merchants will seek exemptions from SCA
Merchants need to understand how their PSPs are going to elegantly support the presentation of SCA options to their customers. This is likely especially true of those merchants not using any SCA today.
Paragraph 21 of the European Banking Authority's response to industry concerns is a good jumping-off point for what we shall discuss next:
21. [...] the EBA agrees with the view expressed by these respondents that a risk-based approach, including the ability to conduct detailed transaction-risk analysis and fraud monitoring, is essential to achieve the objective under PSD2 of reducing overall fraud.
Consequently the EBA arrived at the view that, in accordance with Article 98(2)(a) PSD2, an exemption based on such an analysis should be added in a new Article 16 RTS. The RTS also reiterate the importance of risk and fraud monitoring in general as a necessary complement to the principle of SCA laid out in PSD2 as stated in a new Article 2 RTS.
Essentially the principle has been agreed that merchants and their acquirers (we’ll call them PSPs for simplicity) that have low fraud rates should be able to seek exemptions from SCA. The table of exemptions is as follows:
SCA and PSPs
Under PSD2 only an acquirer can request an exemption, so a PSP will be able to offer its merchants a significant competitive advantage by exempting as many of their transactions as possible from 3DSecure (SCA for online card payments). The exemption has to be sought from and granted by the payer’s issuing bank, which remains the ultimate arbiter in this, but the method through which to seek an exemption is well established.
PSPs and fraud detection
The stringent Transaction Risk Analysis (TRA) thresholds will shine a bright light on the fraud detection competence of PSPs.
The outlook for higher risk merchants and their PSP acquirers
Clearly there will be high-risk merchants that will simply have every transaction pushed through SCA. It will be incumbent on their PSPs to support this SCA as well as possible to mitigate abandonment and potential failed payments. Managing high-risk transactions or companies in high-risk sectors is nothing new for the industry; there are specialists and that will continue to be the case.
The outlook for low to medium risk merchants and their PSP acquirers
However, the 0.13% exemption threshold is a high bar for the part of the industry dealing with low to medium risk merchants, as are the reporting and auditing requirements of the EBA. The only way that we can see these rates being achieved and the auditors satisfied is through the wholesale adoption of machine learning by the PSP industry. This is certainly not the case today, where the incentive to ruthlessly manage fraud risk has perhaps not been there.
There will certainly be a competitive advantage in offering SCA-exempt fraud levels; merchants will seek out these PSPs and demand that they deliver a frictionless experience.
An even better proposition for a PSP is to bring an SCA-exempt offering to the market and use its fraud detection prowess as a true differentiator in what may become a commodified market. This might require splitting the PSP business into low- and high-risk entities, but however it is achieved there is the prospect of significant competitive advantage for providing excellent acceptance rates with minimal SCA.
How PSPs win this new reality
The question remains: how to achieve these low rates under PSD2?
Ravelin already hits well below the threshold rates for our merchant clients. There is no question that for PSPs to do something similar, they will need to apply the same techniques that we use today. The good news is that Ravelin is now working with PSPs to bring this capability to their clients. Post-PSD2 the winners in payments will be those that can provide the frictionless experience that consumers demand. This means excellence in transaction risk analysis, the ability to exempt all relevant transactions, and the elegant support of SCA for those that cannot be exempted. That’s our vision. We’d love to talk to PSPs that share it.