Ravelin hosted discussions at a recent series of roundtable dinners in New York, Los Angeles and San Francisco. The conversations revealed an unexpected interest in PSD2 and GDPR. On the surface this is a little surprising. We know both these regulations are firmly European in origin. Why then, so far from home, were they of such interest in the US?
Global Trading and PSD2
For businesses operating internationally there are compelling reasons to be aware of both these initiatives.
Let’s look at PSD2 first. The directive requires both legs of a transaction to be in Europe. That’s to say the issuer and the acquirer both need to be in Europe for PSD2 to apply. So a US consumer buying in Europe would be exempt. Likewise, a European consumer buying from a US company with a US acquirer would be exempt.
This in fact could offer an out to US businesses operating in Europe. They could route payments through to their US acquirer and so escape the purview of PSD2. In fact some businesses are considering this as a back-up. The Secure Customer Authentication (SCA) element of PSD2 implies friction in the customer journey. Many companies are keen to avoid this, but doing so is not without costs.
Cross-border acquiring is two to three times more expensive than local acquiring. It has its own acceptance risk too. Some issuers reject transactions because their international routing can look unusual. One study showed them 69% more likely to be rejected.
So the good news is that a US company with limited European exposure can continue to route transactions through its US acquirer and will see no change. This assumes, of course, that the higher cost and lower acceptance rates are already priced into its payments strategy.
A global business is likely to have both legs inside the EU for European customers and needs to be aware of the implications of the changes. This is true for any business looking to expand globally as well.
3DS 2.0 is a global protocol and coming to America
3DS 2 is a prominent element of PSD2. It is the de facto authentication protocol for the directive. It is not a European standard however. In fact it is an EMVCo protocol - as global as can be. If the attendees at our dinners were typical, many US e-commerce businesses expect to adopt 3DS 2.0 in a way that was not true of 3DS 1.0.
The only difference is the urgency with which it will be adopted.
The European Banking Authority has confirmed that 3DS 2.x is PSD2 compliant. SCA is mandatory on most transactions. The world is watching Europe with anticipation to see how the consumer adapts to this new way of purchasing. Thus Europe is a laboratory for US payments professionals to observe and adapt to what happens there. It should present some big lessons for smart businesses to learn.
GDPR and Privacy. Is this European initiative the new standard in privacy?
GDPR is a European regulation with global reach. GDPR covers a user of a US service who accesses that service from Europe. So even US-centred businesses need to be aware of its implications for their service.
It is easy to see this as a threat but it doesn't need to be. At the dinners we hosted there was a consensus that the best way to think about GDPR is that it is a blueprint for ‘privacy by design’. The regulation is not perfect but it does act as a useful standard for companies. Good privacy practices should be baked in for customers and users, and the world's regulators are starting to agree.
The California Privacy Act shows the direction of travel in terms of privacy compliance. While not identical, it is very similar to GDPR. Companies now face a difficult choice: either apply this Act only to their Californian customers, or adopt that higher bar for operations across all states and globally. The latter makes increasing sense.
Japan and Brazil are planning their own regulations that map to GDPR. Smart businesses need to start challenging their development teams to bake privacy in. Consumers are likely to start favouring companies that respect their data privacy and can prove that they do.
Leading US companies will use Europe’s example to get ahead of future changes
It’s a global economy. Big changes in one part of the world will always impact others. It is still too early to tell how the European changes will roll out fully. We have seen limited use of the fines in Europe so far. And PSD2 is being staggered in its rollout. However both represent a rare opportunity for US companies to observe the real-world outcomes of needed changes in consumer and business behaviours as the e-commerce world evolves. In GDPR perhaps we are seeing privacy by design win out. For PSD2 we will have to wait and see.
I would like to thank all our guests across the three dinners. It’s a real privilege to be able to hear from businesses first hand about how they are adapting to the ever-changing challenges of payments and fraud. Please do join us at future events in the US and Europe.