PSD2 delayed again? SCA coming in 2025!

Are you still looking forward to PSD2 implementation? I know I am, even after all the delays. However, with the current situation, PSD2 may be delayed even further. Let’s discuss it.

The second Payment Services Directive has the potential to revolutionize today’s online payment landscape, although we might have to wait just a little bit longer for this potential to be fully realized.

If you happen to be unfamiliar with what this EU directive stands for, I’ll briefly describe it.

Introduced all the way back in 2015, this directive sets out to break down the monopolies banks hold over user data, implement new services positioned between the users and the banks to increase transparency, and finally, implement Strong Customer Authentication.

What this would mean for end-users is safer, simpler financial mechanisms strengthened with multi-factor authentication systems that activate based on standardized risk assessment protocols.

To find more about PSD2 from the perspective of banks and FinTech companies or from the perspective of service providers, head to our previous blog posts.

In this post, we’ll delve deep into the reasoning behind previous delays, as well as the implications of the global pandemic on this directive that could delay it even further.

Why was it PSD2 delayed in the first place?

Originally, there were two deadlines to implement PSD2 —March 14 and September 14, 2019.

The first deadline served as a testing ground for banks’ APIs and other mechanisms for sharing user data with third-party providers. However, 41% of European banks did not meet this deadline which, in turn, meant that the “official” implementation deadline (September 14) would likely be pushed by many.

By September 14, banks should have already developed, tested, and implemented mechanisms (or APIs) to enable end-users to share their data with third parties. However, as most banks didn’t manage to meet that deadline, the European Banking Authority (EBA) allowed an 18-month extension for the implementation of Strong Customer Authentication.

Implementing the SCA protocols has been troublesome for banks, as it takes time, finances, and development resources. Many European banks still don’t comply with this protocol, resulting in not only poor safety as far as end-users are concerned, but also limitations for technological innovation that different FinTechs could bring to the table.

However, it could be said that the banks are causing their own businesses the most harm. Those that have fallen behind are risking their reputations. Moreover, they are more susceptible to cyberattacks, and with that, and the lack of safe mobile solutions, they are causing frustrations to their users and risk losing them to other more technologically aware banks. And don’t even get us started on the costs that these cyberattacks would actually incur.

Presently, the whole situation is very uncertain. The global pandemic has stopped everything in its tracks, raising the question of the effect it will have on PSD2 implementation.

What will the global pandemic mean for PSD2?

Meeting the PSD2 deadlines was already proving extremely challenging for banks. Now, in light of the global pandemic, this implementation gets that much harder.

As I mentioned above, 40% of banks are falling behind, representing a huge share of the market. Now in particular, with so many people working from home, it’s questionable how effective the development of systems as complex as SCA could be.

To add more concerns, almost all shopping has gone digital, thus creating more opportunities for cyberattacks and online fraud than ever before.

Finally, let’s not forget that these types of changes require certain investments, and we tend to tread lightly around them in the midst of a pandemic.

Is the deadline going to be delayed further? So far, the answer is no.

The EBA stands by their current deadline of December 31, 2020, although they have made it easier on stakeholders by removing the need for National Competent Authorities to report their SCA readiness by March 31, 2020. But the pressure for a delay is increasing — EPIF has called for a six-month deadline extension.

On top of that, with the increased number of online transactions in mind they have allowed increasing the limit of transactions exempted from SCA to EUR 50 and under.

Will their decision change? Possibly — but even if it does, compliance with PSD2 by implementing SCA is becoming a prerogative for staying afloat.

What you can do to help your business?

While it is understandable that banks are facing challenges implementing SCA at this time, it’s crucial that they find a way to do so. In this way, they would help their own business stay relevant and keep its reputation, save money on potential cyberattacks, and enable innovation through working with various FinTech companies.

Further delays will only make their jobs harder. Not only would they have to catch up to SCA as part of PSD2, but they would have to catch up to newer protocols, such as 3DS 2.

While similar in its risk assessment to SCA, 3DS 2 will be able to assess risk by analyzing the more contextual factors, with the aim of reducing user friction as much as possible.

And here we come to one of the pillars of both SCA and 3DS 2, and something banks need to pay attention to when making decisions on the solutions they use: user experience.

It’s true that the main point of PSD2 is security, but it’s also true that users put enormous importance on frictionless user experience. In fact, it has been predicted that once PSD 2 comes into force, the EU’s digital economy could lose €57 billion!

You can minimize any losses of your own — and earn best-UX bragging rights in the process — by implementing the authentication solutions with the least user friction.

IPification authenticates a user within milliseconds while drawing on different contextual factors including device or SIM Card information. It utilizes already-existing mobile network operator infrastructure so that no sensitive data is actually transferred, therefore heightening security to the maximum.

Most importantly, it’s functional and ready to be implemented within days.

More on our blog