Recent and ongoing European regulatory changes will have a significant impact on the global payments landscape. Mohamed Dabo reports
Payment companies can benefit from proactively tracking and monitoring regulatory developments in Europe and understanding their independent and combined impact on the business.
Europe has long spearheaded change for much of the payments industry. From instituting tighter interchange rules to accelerating cross-border payments to implementing new customer data protections, regulators in the EU have set the pace for much of the world.
The impact of these initiatives— aimed at unifying the continent and setting the stage for open banking— continues to play out, dominating concerns for that region’s issuers, acquirers, merchants, consumers and others.
And like previous moves, much of what Europe is currently pursuing could make its way to the rest of the world.
“I definitely think we inspire other markets,” said Andrea Dunlop, Chairwoman of the Emerging Payments Association. “A lot of people look at what we do in the UK and Europe as a reference point.
They take the lessons learned from some of the things they see here and, hopefully, refine it better for their markets.”
Making cross-border payments easy, efficient, and secure
Payment Services Directive was issued with the intention of making cross-border payments as easy
For more than 20 years, EU officials have sought to unify the monetary system throughout its now-27 member countries through a series of industry-changing guidelines.
With an initiative that began in 1999, European officials implemented the Single Euro Payments Area in 2008 to create a seamless market for cross-border payments and bank transfers in euros.
As part of that effort, the first Payment Services Directive was issued with the intention of making “cross-border payments as easy, efficient and secure as ‘national’ payments within a Member State,” according to the European Commission.
Regulators later turned their attention to the interchange fees charged to merchants. With the Interchange Fees Regulation (IFR) in 2015, officials pushed the industry to cap various fees for card usage and provide more transparency.
Most recently, regulators extended those caps to interregional fees (applied to foreign travellers visiting Europe)—limits applied specifically to Visa and Mastercard that were voluntarily adopted by Discover.
Today, the most pressing regulatory issues for the industry in this market of more than 500 million people (including the UK) have been:
- The General Data Protection Regulation (GDPR). Implemented in 2018, GDPR, intended to deal with internet-based entities, affects “every company that uses the personal data of individuals in EU member states no matter where that personal data is acquired, processed, or used.” Primarily aimed at bolstering data protection and privacy, while harmonizing EU members’ data privacy laws, noncompliance brought steep financial penalties.
- The revised Payment Services Directive (PSD2). This updated directive, which took full effect in 2019, was aimed at the payments vertical, partly driven by increased fraud for online payments, the rise of new payment players, and the arrival of application programming interfaces (APIs). Requiring payment service providers (PSPs) to obtain a payment license from a member country, the impact of the directive is expected to increase competition and open banking by bringing non-banking institutions more fully into the payments market.
- Strong Customer Authentication (SCA), issued as part of PSD2, is arguably the most pressing and challenging aspect of PSD2. Originally slated to go into effect in 2019, it was delayed after facing pushback from the financial services industry and merchants. The recent impact of COVID-19 has further increased the pressure for delay. SCA is currently targeted for implementation in the UK in September 2021, and while the EU previously delayed it to the end of 2020, many expect an additional extension to be granted.
SCA Dominates the Landscape
By far, the SCA component of PSD2 is seen as the biggest current hurdle for merchants and the industry, affecting “every business operating on the European payments market,” according to a report from the Aite Group.
Indeed, “Europe stands to see €57 billion in online purchase volume abandoned during the first year of SCA as a result of added friction introduced at checkout,” representing nearly 10 percent of all online sales in the EU as of 2019, according to a 451 Research report.
Designed to increase security of online transactions, the SCA requires two of the three following methods of authentication for customer-initiated, card-not-present payments within the European Economic Area, including:
- Something the customer knows—such as a password or PIN.
- Something the customer has—including a smartphone or hardware token.
- Something the customer is—by affirming a fingerprint, facial recognition, iris scanning or behavioural biometrics.
Some potential challenges
Although exceptions apply for certain transactions, including low-value purchases, recurring payments, or verification from the payer that the merchant is trusted, the difficulty in implementing these standards has made the industry nervous.
Lower sales conversion rates, transaction declines, and the inability of some third-party processors to continue their services are just some of the potential challenges if service providers (merchants, acquirers, and issuers) do not use the exemptions and are not fully prepared for SCA requirements.
“We’re reaching out to all our merchant and acquiring partners to make sure they’re fully aware of our requirements, so that customers and merchants have a seamless experience when the new liability rules kick in,” said Chris Winter, Vice President of Global Acceptance at Discover Global Network.
One of the key methods emerging to address SCA’s requirement is the adoption of 3D Secure 2 (3DS2), an updated version of 3D Secure, which is issued in various brand names, including an enhanced Discover ProtectBuy for Diners Club International and Discover.
Discover Global Network is encouraging its partners to move to the 3DS2 protocol as soon as possible, Winter said, especially given the potential impact on merchants throughout the EU and the more than 100 major airlines that have international service establishment agreements with the company.
“We’re reaching out to all our merchant and acquiring partners to make sure they’re fully aware of our requirements, so that customers and merchants have a seamless experience when the new liability rules kick in.” Chris Winter Vice President of Global Acceptance, Discover Global Network
For the banking sector, the challenges are equally steep. “Regarding card payment and especially e-commerce, PSD2 introduced an important paradigm shift: The decision to rely on SCA no longer belongs to merchants, but to the issuer,” said Regis Folbaum, Head of Payments & Data at La Banque Postale in Paris.
With more than 8 million cards outstanding, the bank has prepared for the change by migrating to the 3DS2 infrastructure with Discover and has worked to support its internal entities, front-line and middle-office teams and customer groups, including consumers, commercial partners, and merchants.
“The challenge for banks is to find out the right balance between a frictionless customer journey and an optimized fraud management,” Folbaum said.
Ecommerce payment regulations
The European Union has implemented new requirements for authenticating online payments under the Payments Services Directive (PSD2).
These measures will bring significant implications for businesses involved in ecommerce, selling products or services online. Providers of merchant services will also need to ensure that their online payment gateways are compatible with the PSD2 regulations.
The PSD2 directive calls for stronger customer authentication in order to minimize the risk of fraudulent online transactions.
These measures will change the way online payments are processed, ensuring online payment gateways more secure for over 300 million European consumers.
Compliance with the Payment Services Directive means that anyone completing a payment in the EU over the value of €30 must provide 2 factor authentications.
This applies to all online payment transactions in the EU regardless of whether the payee is within the EU at the time of purchase.
Typically, 2-factor authentication requires the customer to supply a one-time code received via a text, email, or phone call to authenticate their payment.
The 2-factor authentication will make the customer payment experience more complex by adding another layer of security to online purchases. Companies should be aware of the customer experience implementing this requirement. If the process proves too cumbersome it could result in fewer purchases and decreased online sales.
A Global Impact for Years to Come
Given the impact of these recent EU moves, industry observers are keeping a close eye on the continent for hints of what might be coming to their shores.
How much these new regulations will migrate to affect the merchants and the payments industry around the world is unclear for now.
But the industry has seen the introduction of IFR push the international debate of interchange even further, for example, and how GDPR affected businesses globally, even providing inspiration for a similar initiative in California.
“It’s fair to say EU regulations have either direct implications [for] the global payment industry or influence other entities around the world,” Winter said. “Other markets look to Europe when it comes to introducing new regulations.”
In fact, he said, versions of PSD2 and its push for open banking could very well be heading to Brazil, Mexico, and Japan.
Still, while some of these significant challenges for the payments industry could easily go global, the potential benefits they could bring also should not be overlooked.
Greater open-banking capabilities, increased convenience for consumers, and much of today’s innovation in the industry can be tied directly to the impact of EU regulatory action.
“These regulations can be painful and it’s a lot for companies—whether you’re a payments company or a merchant—to wade through,” Dunlop said. “But I think if you go into it with the right view, which is it’s about transparency, it’s about doing the right thing.”