In December 2020, we spoke to Peter Bayley, former Global Head of Ecosystem Risk Oversight and Strategy for Visa and current senior associate at Allyiz (formerly STRATgranat), about his insights on PSD2.
We want to share some of the Q&A here:
Let’s start with an easy question: Is PSD2 a good thing?
The legislation is sensible and will lead to improvements across the payments system, but the European Banking Authority’s guidance notes could have been clearer. The lack of clarity has led to a lot of industry angst and discussion. That said, if you take the vision of what the security piece of PSD2 will do, we’ll look back at this in 2-3 years and realize it revolutionized the way we do business (quality, approval rates, etc.). Right now, we are in the middle of it and we can’t see the forest for the trees: we have a lot of people concerned about the change, effort, etc., all in a short period of time. It will be in a good place medium term. The part that might be a problem long term is that we now have legislation about how authentication must occur for payments. This means that we are reliant on the regulators updating regulation as technology brings us new authentication options. I can see this restricting innovation.
As 3DS2.x becomes the industry standard for sharing data, how do different players think about it?
You have to remember that 3DS version 1 was initially designed for dial-up modems, not the fast broadband we have today … people always forget that. When 3DSv1 went live, it was only browser, there were no mobile payments yet. The intention was to basically replicate the POS world (which was primarily mag stripe just then).
3DS2.x allows us to make use of the faster speeds and bandwidth. It’s about crypto keys (which we learned were critical in delivering security in EMV Chip) and data – so much of everything we do today is about data, and using that data to build frictionless experiences, as well as the capability to do ‘uplift’ or step-up the authentication if needed.
So, what should 3DS2.x provide as it matures?
3DS2.x gives the issuer a new authentication decision. The issue with an authentication, though, is that you’re giving the issuer the opportunity to say ‘no’. All other things being equal, you would normally expect an authentication to increase decline rates rather than reduce decline rates. However, the intention behind 3DS2 was to provide far wider data elements to the issuer. The issuer can therefore enhance their profiling based on this data to deliver better results. This leads to some interesting considerations and outcomes:
- There is a long debate about who has the best data: the merchant or the issuer. The reality is that they both have different data, and both sets can be powerful. The merchant may have a vast history with the consumer, or this might be the first time the customer has touched this merchant. Issuers will know their customers’ age, sex, credit line, the type of items they normally spend money on, but won’t actually know exactly what the customer is buying. These very different data sets are complementary and will work very well together to tell a far richer risk story.
- In most markets a handful of major issuers account for the majority of cardholders, so figures that state x% of issuers aren’t PSD2 ready often don’t tell the full story: the big issuers have the scale that promotes sophistication and investment in really high-quality systems. They will have really strong detection, data quality, profiling, contact systems, etc. The additional 3DS2 data creates the opportunity for them to uplift their capability to perform risk detection. With PSD2 requiring issuers to support Strong Customer Authentication (SCA), this creates a really powerful combination.
- Data consistency is likely to be an issue: as 3DS2 comes online and the extra data becomes available, issuers have to figure out which fields they’ll always get, which optional fields they can rely on, and which of these are actually predictive. This is no small ask, particularly given that what’s predictive for a digital service may not be predictive in other verticals. This will take time and there will be fumbles as data is understood, profiled and properly prioritized for use within models. As such, merchants should expect time for performance to fully optimize.
- Exemptions can be offered to a merchant only where the acquirer offers them: merchants sometimes assume that they have a right to offer exemptions. This isn’t really true. It is the acquirer’s call and responsibility to determine whether they offer an exemption to a merchant. If an acquirer doesn’t offer exemptions, a merchant will want to understand why and may wish to look at whether a different acquirer can offer something. This is likely to become a key discussion point during merchant and acquirer commercial discussions.
- The issuer is responsible for the fraud performance, regardless of the acquirer/merchant and whether there’s an exemption or not. This means an issuer will need to report their fraud performance to the regulator going forward and will need to explain their performance, particularly where SCA didn’t occur. TRA targets will be closely monitored, so a merchant with higher fraud will be noticed. An issuer is likely to look at each acquirer and merchant individually. If the fraud performance isn’t up to the standard they expect, they will uplift more to SCA or decline more volume.
For the first time ever, the acquirer and merchant are genuinely interested in the fraud rate across their portfolio rather than the chargeback and compliance status. PSD2 means a large merchant with low-risk business could be very interesting to an acquirer, as they look to optimize their portfolio fraud performance in regulatory returns whilst optimizing exemption offerings.
How do acquirers look at PSD2?
Acquirers can look at PSD2 as a complex implementation with exemptions which they just need to deploy as simply as possible, or as the start of a strategic change to the whole payments industry.
Those who see it as a strategic change are likely to find themselves in a far better position to build complex capability and offer merchants a range of tailored solutions. But you have to wonder how deep into their portfolio they will go to offer solutions to merchants. Their approach to the major merchants, who understand risk and will likely build the complexity necessary to optimize their business outcomes, will be very different to the smaller merchants, who are likely to see far more limited exemption options.
How do you see the machine learning/AI models helping in this space?
There’s a high level of investment in machine learning models (statistical models, complex models, to neural nets and beyond):
If you took the top 100 issuers in Europe, they will pretty much all have complex statistical models and most will tend to be rigorous in how they operate them, albeit the balance between customer experience and risk will differ. As scale reduces however, there tends to be increased reliance on third party risk and processing relationships and simpler implementations which will be less good at reacting to some of the more sophisticated scenarios. That said, issuer risk functions embraced statistical modeling early, and for many this is well embedded.
Historically, acquirers have focused more on compliance than fraud rates. If they weren’t in breach of a compliance program, they considered things pretty much OK. There are a handful of exceptions here, but this was the situation for the majority. PSD2 has changed that.
PSD2 and the exemptions system demand that fraud performance targets are met, and any reasonably sized acquirer with a diverse portfolio won’t have a choice – they’ll need to play in this machine learning space. Without it, they lose the ability to control their portfolio of merchants, which restricts their offerings and thus their commercial business.
If I was an acquirer again and wanted to appeal to a broad range of merchants, I would be keen to offer exemptions. This would mean I’d have to have the capability to offer fraud prevention capabilities to merchants and closely track their performance to make sure the outcomes were being achieved. As I have said previously, fraud rates (high or low) are suddenly becoming a very commercial factor.
What would be your recommendations for acquirers?
- Get all the data together in one place (this is a prerequisite to do any good statistical analysis). As a minimum you will need transaction/authorization data, 3DS data, authentication data, chargeback data and fraud data.
- Run all the data and analyze your whole portfolio and how it is trending so you can track change and be attuned to change.
- Look at each issuer BIN in the portfolio to know how each is performing, so you can start to determine the right strategies. You might have a merchant who is very credible with the solution they’re providing, but a certain issuer might decline that regardless of track record if they don’t see a 3DS transaction.
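The three recommendations above, worked through as an added example (not code from the interview or from Allyiz): a Python sketch over constructed acquirer-side authorization records that computes per-issuer-BIN approval rates with and without 3DS, the value-based portfolio fraud rate, and which TRA exemption value ceiling that rate would qualify for. The record field names and the sample data are assumptions; the thresholds are the reference fraud rates of the EBA RTS on SCA, which the page refers to as TRA targets.

```python
from collections import defaultdict
# Constructed sample of acquirer-side authorization records (field names are
# assumptions): issuer BIN, amount in EUR, whether 3DS preceded the authorization,
# the issuer's decision, and whether fraud was later confirmed from fraud/chargeback data.
def tx(bin_, amount, auth_3ds, approved, fraud=False):
    return {"bin": bin_, "amount": amount, "auth_3ds": auth_3ds,
            "approved": approved, "fraud": fraud}

TRANSACTIONS = [
    tx("411111", 80.0, True, True), tx("411111", 120.0, True, True), tx("411111", 45.0, True, True),
    tx("411111", 60.0, False, True), tx("411111", 95.0, False, False), tx("411111", 30.0, False, False),
    tx("522222", 200.0, True, True), tx("522222", 15.0, True, True),
    tx("522222", 70.0, False, True, fraud=True), tx("522222", 50.0, False, True),
    tx("433333", 90.0, False, True), tx("433333", 40.0, False, False),
]

# Reference fraud-rate thresholds of the EBA RTS on SCA for the TRA exemption:
# (transaction-value ceiling in EUR, maximum fraud rate allowed for that ceiling).
TRA_THRESHOLDS = [(500, 0.0001), (250, 0.0006), (100, 0.0013)]

def per_bin_report(txns):
    """Approval rate per issuer BIN, split by whether 3DS was present (None if no data)."""
    counts = defaultdict(lambda: {"3ds": [0, 0], "no3ds": [0, 0]})  # [attempts, approvals]
    for t in txns:
        bucket = counts[t["bin"]]["3ds" if t["auth_3ds"] else "no3ds"]
        bucket[0] += 1
        bucket[1] += 1 if t["approved"] else 0
    return {b: {k: (v[1] / v[0] if v[0] else None) for k, v in s.items()}
            for b, s in counts.items()}

def issuers_sensitive_to_3ds(report, gap=0.25):
    """BINs whose non-3DS approval rate trails their 3DS approval rate by more than `gap`."""
    return sorted(b for b, r in report.items()
                  if r["3ds"] is not None and r["no3ds"] is not None
                  and r["3ds"] - r["no3ds"] > gap)

def portfolio_fraud_rate(txns):
    """Value-based rate: confirmed-fraud value over total approved value."""
    total = sum(t["amount"] for t in txns if t["approved"])
    fraud = sum(t["amount"] for t in txns if t["approved"] and t["fraud"])
    return fraud / total if total else 0.0

def tra_exemption_ceiling(fraud_rate):
    """Highest TRA value ceiling the rate qualifies for; 0 means no TRA exemption."""
    for ceiling, max_rate in TRA_THRESHOLDS:
        if fraud_rate <= max_rate:
            return ceiling
    return 0
```

On this tiny constructed sample the single confirmed-fraud transaction pushes the value-based rate far above every threshold, so no TRA ceiling applies; in practice the rate is tracked over a rolling quarter and trended per BIN and per merchant, as the recommendations describe.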
What is your advice to the whole ecosystem (issuers, acquirers, merchants…)?
- “Play nicely. Have good intentions. None of you asked for PSD2, but it is here, and you all have a common goal. You all want every genuine transaction approved as cleanly and quickly as possible. If something isn’t working, talk to each other.”
- The EBA has been good enough to offer exemptions and you have a chance to show that they allow flexibility and reduced friction. Don’t abuse these; you need to show they work, or they will disappear.
- As a final reminder to merchants: don’t forget the number one reason for a decline is that the customer hasn’t got the funds. Too many remote merchants assume a decline is always fraud. Don’t assume. Follow the data, and then act on it.
Learn more: Read our Issuer Study on PSD2 readiness.