Fears of online fraud are the top barrier to paying via the internet or mobile device
PayPal recently completed a consumer study of over 15,000 people from 15 major markets around the globe to understand their attitudes and needs towards payments. The most striking were the similarities from the UK to Brazil to Japan. Without a doubt, the largest percentage (62 percent) recognised the need to improve security with fears of online fraud being the top barrier to paying via the internet or mobile device. Hot on the heels of security barriers, consumers were also worried about international purchases arriving (45 percent of all respondents) and annoyed about having to register before they buy (39 percent of all respondents). The hassle of remembering multiple passwords and personal identification number (PIN) codes was also cited as reason to not shop through the internet or a mobile device. These challenges are not specific to, however, also impact e-commerce in the Single Euro Payments Area (). So from a consumer point of view we are still far away from a single, secure and simple European internet and mobile marketplace.
For the past 12 years the European Payments Council () worked hard to define and deliver on SEPA. Getting financial institutions of 34 countries (the 28 European Union (EU) member states, four members of the European Free Trade Association (EFTA) Iceland, Liechtenstein, Norway, Switzerland, plus Monaco and San Marino) to change their long standing payment processes into common, harmonised payment products is a Herculean task. However, on 1 August 20141 the first step towards an integrated euro payments market was done; the migration to SEPA of the euro denominated countries. Financial institutions and the business sector - from small and midsize firms to large corporates – have finalised the migration. That’s a tremendous achievement. An achievement many doubted would ever happen. But we are not yet done. The motor is running, however, it stutters, causing payments to go missing or be delayed, refused or returned, creating barriers to a successful European electronic marketplace.
Making ‘cross border’ payments as easy as domestic payments was one of the goals of SEPA. However, there are still some banks or countries which prevent making a payment into another SEPA country as seamless as a local payment. In some countries, for example, the payment to a non-local International Bank Account Number (IBAN) entity can only be initiated if the user explicitly and sometimes even in written form instructs his/her bank to allow for payments to a non-local account. For PayPal, as one of the largest internet payment service providers () and for our millions of individual buyers and sellers in the SEPA zone this continued lack of a seamless, consistent cross-border experience is certainly a disappointment and something we are committed to help support the European banking community in improving.
How to deal with direct debit authorisations in a digital world?
One major obstacle to a harmonised and simplified SEPA revolves around mandates for SEPA Direct Debits (SDDs). To be exact, how to deal with direct debit authorisations in a digital world? Many times this question is only looked at from a cross-border perspective. However, even on a domestic basis the topic of establishing a ‘legally valid’ mandate in the online space is proofing to be a challenge.
Before a creditor (biller) can collect a direct debit from a payer, the payer has to authorise the creditor to do so, i.e. ‘sign’ a mandate.
Pre-SEPA, in many countries the mandate had to be presented by the payer to the payer’s bank. The payer’s bank would check if a mandate is in place before processing a direct debit. In many of those countries the ability of the payer to return a direct debit was limited. In the SEPA world, the mandate stays with the creditor. In case a payer doesn’t agree with the debit he has eight weeks to return the transaction without providing any reason for the return. In case the payer wants to return a transaction after eight weeks, his bank can only do so if the creditor cannot provide a ‘proper’ mandate.
What can or should a bank accept as a proof of the authorisation of a direct debit if the mandate was established online?
We are observing diverse behaviours when it comes to the adoption of SDD. Some banks block their customers’ accounts for direct debits unless the account owner explicitly instructs the bank to process SDDs. Others ignore the SDD prescribed process and continue to insist on the presentation of a paper mandate before processing the transaction. All this in the name of safeguarding the customer.
But is this really in the interest of European consumers? Is it really desirable for the customer to undertake extra, in most cases manual steps, to enable their bank account for SDDs? Our research just released clearly shows that the process of pre-registering before being able to pay was one of the primary barriers to not using the most efficient means of buying and selling, which is through electronic and mobile commerce. Should an SDD not be part of a general product feature of a current account? Why is it that financial institutions think they need to establish an extra layer of security for SDDs even though their customers have eight weeks to return a transaction? Is this not like wearing a belt and suspenders at the same time?
If all of the above does not sound questionable then let’s have a look at the digital world.
According to Eurostat, the official statistics board of the EU, in 2012, 75 percent of the respondents between 16 and 74 in the EU28 stated that they had used the internet in the past 12 months. 60 percent of which indicated that they had shopped online in the same period.
According to eMarketer’s latest forecast, worldwide business-to-consumer (B2C) e-commerce sales will increase by 20.1 percent this year to reach 1.500 trillion US dollars; one primary driver being the rapidly expanding mobile user base.
Admittedly, there are various ways to pay for an online purchase: cash in advance, cash after delivery, credit card, debit card but also direct debits. Direct debits are prevalent in countries where the credit card penetration is low and debit cards are not online enabled. For those consumers the bank account, i.e. a direct debit, is the only way to pay for an online purchase. While credit cards and in some countries also the debit card evolved from a point of sale only payment method to an online payment method, the bank account or direct debit did not.
The EPC worked hard to harmonise the various direct debit models and processes, but it has so far missed the opportunity to elevate a paper based product into today’s online world. Only at the very end of the harmonisation process was a rule included in the SDD Rulebook which called for a mandate established in the digital world to be signed with a qualified electronic signature. Alternatively, a mandate can be authorised by following the ‘eMandate’ process as described in Annex 7 of the Rulebook. The process described in Annex 7 of the SDD Core Rulebook basically describes a process where the payer authorises a mandate by being re-routed from the merchant’s web-site to his online banking application. After logging in to his bank account, he agrees to the mandate by providing some form of authorisation of the transaction like a paper/e-/ or m-transaction authorisation number (TAN).
As outlined above, a debtor’s bank can return a direct debit after the eight weeks ‘no question asked’ return period if the creditor cannot provide a ‘proper’ mandate. Whether or not a mandate is a proper mandate is the ultimate decision of the payer’s bank.
In the paper world, the debtor’s bank can base its decision on the signature captured on the paper mandate. What can or should a bank accept as a proof for the authorisation of a direct debit if the mandate was established online?
The solutions for the establishment of an electronic mandate as described in the SDD Rulebook would indeed provide the debtor’s bank with the desired ability to approve or decline unauthorised direct debits. The usage of qualified electronic signatures, however; does not exist and the process of authorising a mandate through an online banking application is a) not even close to being a widely acceptable solution as the online banking penetration in many countries is still low and b) the user experience is simply too complex for a fast-moving, mobile based retailing environment.
2013 statistics from Statista show that of those European consumers using the internet about 48 percent of them use online banking. Looking at the online banking penetration on a country level, statistics show that online banking penetration of internet users in France is 56 percent, in Germany, the stronghold for direct debit usage, is 48 percent, in Spain 33 percent, in Italy 31 percent and in Portugal only 21 percent. If in those countries a mandate for online transactions can only be established through usage of an online banking application, up to 80 percent or even more of internet users will be excluded from paying with their bank account – often the only way they can pay.
From a user experience perspective, being re-routed from a merchant’s web-site is a substandard, slow and complicated experience, leading to drop offs of up to 50 percent. While such low conversion rates are not acceptable for merchants, such a cumbersome process is also not acceptable for consumers who are expecting a frictionless purchase experience. In addition, with the rise of mobile, which includes mobile phones but also tablets, a solution which re-routes the user to an online banking application where the usage of a paper/e-/ or m-Tan is needed to authorise a mandate, is not acceptable, because the usage of the same tool for receiving the m-TAN and instructing the transaction is not allowed or because the tablet application does not support online banking.
There are other solutions being developed in the market; most of them, however, based on a re-routing concept to online banking applications and only usable domestically. Others are based on the provision of mobile numbers effectively confirming a user’s access to a mobile phone rather than a bank account.
So what is the solution then?
The EPC – in its revised SDD Rulebooks to take effect in November 2015 - deleted the need of a qualified electronic signature to authorise a direct debit, implementing a change they had already communicated earlier. On 1 October 2013, the EPC published a clarification letter (see ‘related links’ below), which highlights that the signature methods as described in section 4.1 of the SDD Core and B2B Rulebooks are not exhaustive. SDD scheme participants, (i.e. that have formally adhered to the SDD Schemes), may consider allowing continued usage of other legally binding methods of signature including those that were used under the local legacy scheme rules.
At the same time, the successor of the SEPA Council, the Euro Retails Payments Board (), has established a working group with the mandate to identify and address issues representing barriers to the emergence of a pan-European integrated market for electronic mandate services used for SDD. The ERPB, chaired by the European Central Bank (ECB), will “help foster the development of an integrated, innovative and competitive market for retail payments in euro in the EU”. ERPB members represent the demand and supply sides of the payments market. (The EPC is a member of the ERPB.) EU national central banks also participate in the ERPB. The European Commission acts as an observer. (For detailed information, refer to the ‘related links’ below and the EPC Newsletter article, entitled ‘Learn More About Work Items Related to SEPA Credit Transfer and SEPA Direct Debit Addressed by the New Euro Retail Payments Board (ERPB) Chaired by the European Central Bank’ included in the ‘related articles in this edition’ below.) We welcome the desire to create a harmonised, but simple and fast, solution to address the authorisation of direct debits.
We do not know what the results of the working group will be. We hope that current realities – from existing or non-existing infrastructures to consumer demands – and the need for a risk based approach will be considered and lead to a consumer friendly solution.
Consumers fear of the complexity involved in securing e- and m-commerce payments with multiple PINs, passcodes and procedures
Not unrelated to the challenge of how to authorise a direct debit in a traceable but user friendly manner are the other two pain points for consumers in the electronic marketplace: the genuine consumer fear of fraud on the one hand, and the complexity involved in securing e- and m-commerce payments with multiple PINs, passcodes and procedures.
The ECB’s desire to create a series of recommendations to the industry for the security of internet and mobile payments is a goal PayPal strongly supports with the aim of ensuring that payments are safe. But we do believe that minimum standards and levels of security should be defined and applied to providers (based on a risk assessment), rather than any sort of proscriptive ‘one size fits all’ technical solution or solutions. To tap the full potential brought by e-commerce’s rapid expansion, payment providers should be encouraged to innovate especially with the proliferation of mobile technology. With the ever growing ‘marketplace in the cloud’, with global reach, the risk is that we create a ‘fortress Europe’ stifling commerce and innovation. New solutions like hosted card emulation (HCE), which creates a minimum layer of standardisation for authenticating a payment card for e- and m-commerce transactions, for example, while leaving the bank or PSP with the ability to innovate and still authenticate with any number of devices seems to be the right direction.
It’s important for the success of the payments business to keep it good and simple while ensuring adequate levels of security. An email address or phone number, an amount, and the money is off! Behind the scenes, the best and ever evolving security technologies and customer service are available. That’s why it is important that we continue to sustain innovation, harmonise the industry security standards and consumer protection regulations on the one hand, while balancing this with truly open standards and a level playing field that encourages people to enter the market.
Katja Lehr is Director EU Core Payments Management at PayPal.
Statista: Anteil der Internetnutzer, die Online-Banking nutzen in den EU-Ländern im Jahr 2013 (this graph in German language identifies the share of internet users who use online banking in the EU countries in 2013)
EPC Blog (15 April 2014): PSD2 – The New Article 67, (‘Refunds for Payment Transactions Initiated By or Through a Payee’), Proposed by the European Commission Risks Undermining Consumer’s Unconditional Refund Right for Direct Debits Included with the SEPA Direct Debit Core Scheme
European Central Bank Website: Governance (includes detailed information on the Euro Retail Payments Board (ERPB) and related documentation)
European Central Bank: Recommendations for the Security of Mobile Payments. Draft Document for Public Consultation (developed by the European Forum on the Security of Retail Payments)
European Central Bank Recommendations for the Security of Internet Payments (developed by the European Forum on the Security of Retail Payments)
EPC Website: SEPA at a Glance – the Infographic (this infographic provides an overview of the actors involved in the SEPA process at the European level and their interaction)
Related articles in this issue:
SCT and SDD Rulebooks: Modifications to the Rulebooks to Take Effect in November 2015 and November 2016, Respectively. Based on feedback received during the 2014 public consultation on changes to the rulebooks, the EPC resolved to update the release schedule applicable to the next rulebooks generations
Learn More About Work Items Related to SEPA Credit Transfer and SEPA Direct Debit Addressed by the New Euro Retail Payments Board (ERPB) Chaired by the European Central Bank. The ERPB represents the demand and supply sides of the payments market with participation of national central banks
Next Step to Create the Digital Single Market: EU Lawmakers Adopt the New Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market. European Union authorities seek to enhance trust in electronic transactions
Tensions in Cyberspace: Competing Priorities and Legislative Initiatives in the Online Payments World. Will the EU legal framework aimed at ensuring secure online payments amount to a series of harmonious provisions, or result in an uneasy compromise?
Related articles in previous issues:
Evolution and Oversight of the SCT and SDD Schemes: the Role of the European Commission and of the European Central Bank. The SEPA payment schemes in the legal and regulatory context (EPC Newsletter, Issue 23, July 2014)
PSD2: EPC Calls on EU Lawmakers to Maintain the Firewall Protecting Consumers Making Internet Payments. This Means: No Sharing of Any Personalised Security Credentials with Third Parties. Update on legislative process leading to the adoption of the revised Payment Services Directive (EPC Newsletter, Issue 23, July 2014)
Join the Debate on the Further Evolution of the SCT and SDD Schemes: Less Flexibility, More Harmonisation? An overview of the options, variations, exceptions and exemptions possible in SEPA today (EPC Newsletter, Issue 22, April 2014)
Next Generation SCT and SDD Rulebooks: Three-Month Public Consultation Starts on 19 May 2014. All stakeholders are invited to provide feedback on possible modifications to the SCT and SDD Rulebooks (EPC Newsletter, Issue 22, April 2014)
From Theory to Practice and What Comes Next? Challenges and Opportunities After More than a Decade of SEPA in the Making. A commentary: “Like all major new economic initiatives, SEPA needs time to find its feet and achieve all it set out to accomplish.” (EPC Newsletter, Issue 22, April 2014)
The Concept of an Open Standard Interface for Controlled Access to Payment Services (CAPS). A commentary: “Access to accounts – why banks should embrace an open future.” (EPC Newsletter, Issue 21, January 2014)
Electrabel GDF Suez: “We Are Delighted to Offer Our Customers SEPA Direct Debit Services!” The biggest Belgian biller completes migration to SEPA Direct Debit (SDD) in December 2011 and boosts the national SDD migration rate to 19 percent in that month (EPC Newsletter, Issue 17, January 2013)
EPC Newsletter: Articles Published in the Section ‘Opinion and Editorial’
1 In February 2012, the European co-legislators, i.e. the European Parliament and the Council of the European Union (EU), adopted the 'Regulation (EU) No 260/2012 establishing technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC) No 924/2009', which defines 1 February 2014 as the deadline in the euro area for compliance with the core provisions of this Regulation. To avoid difficulties for non-compliant market participants, in February 2014, the European Commission, the European Parliament and EU governments agreed to “give an extra transition period of six months” during which payments which differed from the SEPA format could still be accepted in the euro area after 1 February 2014.
If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website Terms and Conditions.