
A Quick Update on Corporate Payments

Published: 02.08.2021

Updated: 02.08.2021

Author: Fabien Ignaccolo

SCA's relation to corporate payments has changed a bit since we first wrote about it in 2020. In this short post, we take a quick look at today’s corporate payment environment, focusing on the trends we see occurring.

Previously on Corporate Payments

I first wrote on the topic of corporate payments more than a year ago. At that time, PSD2 deadlines had been pushed back, so it was difficult to assess the real impact of SCA and, in particular, the impact of SCA on corporate payments. 

Today, even though deadlines got pushed back once again at the start of the year, many countries successfully moved ahead with implementing the required SCA regulations. Since then, we have been able to watch some interesting developments when it comes to SCA and corporate payments.

Size Matters...

We are seeing many issuers apply the same SCA to their account-to-account payments as they use for small business retail banking activities. In particular, we noticed this happening a bit in France and in the UK. However, it's important to differentiate between corporations and small businesses.

From an end-user experience point of view, we understand why issuers want to coordinate all SCA around app-based authentication. For the most part it makes economic sense, seeing that app-based SCA is cheaper to run than using physical dongles that produce OTPs. 

However, for larger businesses, the account to account payment process needs to happen behind much stronger security walls. This is why it is usually left to the NACA (National Competent Authority) for assessment.

...But Not for Cards

We have also noticed issuers starting to apply SCA on card payments for businesses in the same way they did for consumers’ payments. From an end-user perspective, this once again might make sense.

But why does it make sense?

Because PSD2 does not provide a specific plan regarding corporate cards, card payments naturally fall under the SCA mandate. In other words, debit, credit, prepaid, virtual and lodged cards (used by corporations to book travel via an intermediary) will all require two-factor authentication.

However, the NACA in France - “La Banque de France” - clearly states that corporate cards can fall under Article 17 of the RTS, which exempts corporate payments from SCA. In this case, the issuer will need to present its plan and security to the NACA so it can be decided whether or not the card payment is truly exempt.
