By Anna Fedorova
SCA rules imposed under the revised Payment Services Directive (PSD2) are forcing payment service providers (PSP) to reassess their relationships with merchants based on their fraud rates.
Under the new EU-wide rules, remote card-based transactions above €30 may have to go through a two-factor authentication process, depending on the fraud rates of the acquiring bank and the issuer.
If the acquirer’s fraud rate does not exceed 0.13%, transactions up to €100 may be exempt, with this threshold rising to €250 for fraud rates of 0.06% and below, and €500 for rates under 0.01%.
“There is no doubt the consumer experience is benefited when the threshold is raised so that fewer payments are subject to authentication,” says Andrea Dunlop, CEO of merchant acquiring, Europe, at Paysafe.
“Acquirers will be heavily focused on their fraud rates and may take subsequent action to reduce them.”
This new rule is likely to create a division in the market, say some, with certain PSPs striving to work exclusively with lower risk-rate merchants to create a more frictionless experience for clients, with others focusing on higher-risk models and charging them higher transaction fees.
“We are likely to see banks and PSPs specializing in high- or low-risk merchants, and some banks may refuse to work with high-fraud merchants,” says Angie White, product marketing manager at security firm iovation.
“Some banks are also talking about breaking out into divisions, with some focusing on low risk and fraud rates, and others that focus on higher fraud rates.”
Lu Zurawski, practice lead for retail banking products at ACI Worldwide, says this is an unintended consequence of the regulation, which has created fresh uncertainties in the market.
“If these processors can only offer lower-friction services to retailers – without the need for extra authentication checks – based on the processor’s demonstrably low fraud rates across their group, it makes sense for them to restructure their group to identify low-risk-low-authentication merchants,” he says.
“It’s not an ideal market outcome, but the current regulations don’t seem to provide the same kind of wiggle-room that previously allowed processors and merchants to determine authentication arrangements – ones that suited their own bilateral understanding of the transaction risk they were undertaking.”
Peter Hewlett, partner at global management consultancy AT Kearney, warns that the additional regulatory burden comes at a bad time for retailers in the UK, given the unhealthy state of the sector.
“Anyone who is very reliant on card payments is at risk,” he says. “Given the retail sector is not in a great state at the moment, they don’t have a huge amount of money to address these problems.”
Dave Tonge, chief technology officer at UK-based personal finance management app Moneyhub Enterprise, hopes the regulation will pave the way for new models of payment services provision and improve competition in this area of the market.
“On the one hand, banks will really have to try to keep a lid on their floors and lock out access to some merchants, but there will also be more alternative providers,” he says. “It might mean some merchants lose relationships with some banks, but there will be plenty of providers willing to step in.”
He points to the surcharge ban under PSD2 that prohibits merchants from charging customers additional fees for making payments with certain methods, such as credit cards.
“This will push merchants to services like ours, as it will now be in their interest to go for lower-cost options,” says Tonge, explaining that Moneyhub can offer a payment initiation service provider-type service for a cost of between 0.1% to 1%, compared with standard card fees of 2% to 3% on payments.
He believes that rather than putting all the pressure on merchants, the new rules will finally force banks to modernize their service, saying: “Incumbent banks need to step up. There is a revenue stream that will get smaller and smaller.”
Sandeep Kumar, managing director at US-based technology consulting firm Synechron, says that instead of trying to monetize data around risk premiums relating to fraud, banks are likely to consider their new obligations under SCA a “compliance overhead needed in order to do business”.
“Rather than charging penalties to those with higher risk profiles, the issuing bank must set up a transaction risk analysis strategy for real-time risk analysis on each transaction performed to stay ahead,” he says.
“Banks could then analyse that data to encourage positive behaviour among good merchant partners, and therefore incentivize deeper relationships with merchants, showing they have done all of the correct things, like updating systems and adhering to the regulatory obligations, rather than charging them and losing the customer.”