How New EU Regulations Could Impact Global Payments
Europe has long spearheaded change for much of the payments industry. From instituting tighter interchange rules to accelerating cross-border payments to implementing new customer data protections, regulators in the EU have set the pace for much of the world. The impact of these initiatives—aimed at unifying the continent and setting the stage for open banking—continues to play out, dominating concerns for that region’s issuers, acquirers, merchants, consumers and others. And like previous moves, much of what Europe is currently pursuing could make its way to the rest of the world.
“I definitely think we inspire other markets,” said Andrea Dunlop, Chairwoman of the Emerging Payments Association. “A lot of people look at what we do in the UK and Europe as a reference point. They take the lessons learned from some of the things they see here and, hopefully, refine it better for their markets.”
A Long Time Coming
For more than 20 years, EU officials have sought to unify the monetary system throughout its now-27 member countries through a series of industry-changing guidelines.
With an initiative that began in 1999¹, European officials implemented the Single Euro Payments Area in 2008 to create a seamless market for cross-border payments and bank transfers in euros. As part of that effort, the first Payment Services Directive was issued with the intention of making “cross-border payments as easy, efficient and secure as ‘national’ payments within a Member State,” according to the European Commission².
Regulators later turned their attention to the interchange fees charged to merchants. With the Interchange Fees Regulation (IFR)³ in 2015, officials pushed the industry to cap various fees for card usage and provide more transparency. Most recently, regulators extended those caps to interregional fees (applied to foreign travelers visiting Europe)—limits applied specifically to Visa and Mastercard that were voluntarily adopted by Discover®. Today, the most pressing regulatory issues for the industry in this market of more than 500 million people (including the UK) have been:
- The General Data Protection Regulation (GDPR). Implemented in 2018, GDPR, intended to deal with internet-based entities, affects “every company that uses the personal data of individuals in EU member states no matter where that personal data is acquired, processed, or used.”⁴ The regulation is primarily aimed at bolstering data protection and privacy while harmonizing EU members’ data privacy laws, and noncompliance brought steep financial penalties.
- The revised Payment Services Directive (PSD2). This updated directive, which took full effect in 2019, was aimed at the payments vertical, partly driven by increased fraud for online payments, the rise of new payment players, and the arrival of application programming interfaces (APIs)⁵. By requiring payment service providers (PSPs) to obtain a payment license from a member country, the directive is expected to increase competition and open banking by bringing non-banking institutions more fully into the payments market.
- Strong Customer Authentication (SCA), issued as part of PSD2, is arguably the most pressing and challenging aspect of PSD2. Originally slated to go into effect in 2019, it was delayed after facing pushback from the financial services industry and merchants. The recent impact of COVID-19 has further increased the pressure for delay. SCA is currently targeted for implementation in the UK in September 2021, and while the EU previously delayed it to the end of 2020, many expect an additional extension to be granted.
SCA Dominates the Landscape
By far, the SCA component of PSD2 is seen as the biggest current hurdle for merchants and the industry, affecting “every business operating on the European payments market,” according to a report from the Aite Group⁶.
Indeed, “Europe stands to see €57 billion in online purchase volume abandoned during the first year of SCA as a result of added friction introduced at checkout,” representing nearly 10 percent of all online sales in the EU as of 2019, according to a 451 Research report⁷.
Designed to increase the security of online transactions, the SCA requires two of the following three methods of authentication for customer-initiated, card-not-present payments within the European Economic Area:
- Something the customer knows—such as a password or PIN.
- Something the customer has—including a smartphone or hardware token.
- Something the customer is—verified by a fingerprint, facial recognition, iris scanning or behavioral biometrics⁸.
Although exceptions apply for certain transactions, including low-value purchases, recurring payments, or verification from the payer that the merchant is trusted, the difficulty in implementing these standards has made the industry nervous. Lower sales conversion rates, transaction declines, and the inability of some third-party processors to continue their services are just some of the potential challenges if service providers (merchants, acquirers and issuers) do not use the exemptions and are not fully prepared for SCA requirements.
“We’re reaching out to all our merchant and acquiring partners to make sure they’re fully aware of our requirements, so that customers and merchants have a seamless experience when the new liability rules kick in,” said Chris Winter, Vice President of Global Acceptance at Discover® Global Network.
One of the key methods emerging to address SCA’s requirement is the adoption of 3D Secure 2 (3DS2)⁹, an updated version of 3D Secure, which is issued under various brand names, including an enhanced Discover® ProtectBuy for Diners Club International® and Discover.
Discover Global Network is encouraging its partners to move to the 3DS2 protocol as soon as possible, Winter said, especially given the potential impact on merchants throughout the EU and the more than 100 major airlines that have international service establishment agreements with the company.
For the banking sector, the challenges are equally steep. “Regarding card payment and especially e-commerce, PSD2 introduced an important paradigm shift: The decision to rely on SCA no longer belongs to merchants, but to the issuer,” said Regis Folbaum, Head of Payments & Data at La Banque Postale in Paris.
With more than 8 million cards outstanding, the bank has prepared for the change by migrating to the 3DS2 infrastructure with Discover and has worked to support its internal entities, front-line and middle-office teams and customer groups, including consumers, commercial partners, and merchants.
“The challenge for banks is to find out the right balance between a frictionless customer journey and an optimized fraud management,” Folbaum said.
A Global Impact for Years to Come
Given the impact of these recent EU moves, industry observers are keeping a close eye on the continent for hints of what might be coming to their shores.
How far these new regulations will spread to affect merchants and the payments industry around the world is unclear for now. But the industry has seen, for example, the introduction of IFR push the international debate over interchange even further, and has seen GDPR affect businesses globally, even providing inspiration for a similar initiative in California¹⁰.
“It’s fair to say EU regulations have either direct implications [for] the global payment industry or influence other entities around the world,” Winter said. “Other markets look to Europe when it comes to introducing new regulations.” In fact, he said, versions of PSD2 and its push for open banking could very well be heading to Brazil, Mexico and Japan.
Still, while some of these significant challenges for the payments industry could easily go global, the potential benefits they could bring also should not be overlooked. Greater open-banking capabilities, increased convenience for consumers, and much of today’s innovation in the industry can be tied directly to the impact of EU regulatory action.
“These regulations can be painful and it’s a lot for companies—whether you’re a payments company or a merchant—to wade through,” Dunlop said. “But I think if you go into it with the right view, which is it’s about transparency, it’s about doing the right thing.”
1 European Payments Council. SEPA timeline. Viewed 7th May 2020.
2 European Commission, 2018. Payment Services Directive: frequently asked questions. Viewed 5th May 2020.
3 European Commission, 2016. Antitrust: Regulation on Interchange Fees. Viewed 1st May 2020.
4 Mercator Advisory Group, 2018. General Data Protection Regulation: The European Union’s Cross-Industry Approach to Data Protection. Viewed 30th April 2020.
5 Aite Group, 2019. PSD2: Advent of the New Payments Market in Europe. Viewed 8th May 2020.
6 Aite Group, 2019. PSD2: Advent of the New Payments Market in Europe. Viewed 8th May 2020.
7 451 Research, 2019. The Impact of SCA: Shaking Up Europe’s Online Economy. Viewed 8th May 2020.
8 Aite Group, 2020. Strong Customer Authentication: Friend or Foe? Viewed 29th April 2020.
9 Emerchantpay. 3DS2 (3D Secure 2.0)—Everything you need to know. Viewed 30th June 2020.
10 TechCrunch, 2019. California’s new data privacy law brings U.S. closer to GDPR. Viewed 1st July 2020.
The information provided herein is sponsored by Discover® Global Network. It is intended for informational purposes, and is not intended as a substitute for professional advice.