Uber has admitted that fraud controls set to be introduced by EU authorities will mean its vaunted “invisible” payment model may have to be scrapped, as industry giants question the wisdom of the reforms.
Regulatory technical standards drafted by the European Banking Authority (EBA) are inching closer to final approval at EU level.
The standards, which are part of the revised Payment Services Directive (PSD2), introduce a requirement to apply strong authentication on all remote payments of more than €30, unless fraud rates are demonstrably kept below specific thresholds.
Brian Crist, chief payments counsel at Uber, said its current model is “clearly a critical driver of the company’s success”.
Speaking at Wednesday’s Money20/20 conference in Copenhagen, Crist said: “How will it co-exist [with the standards]?
“I think, both personally and from Uber’s broader policy view, it’s going to be very hard.
“We don’t think that, frankly, the government or the regulator should be setting how fraud is managed in this manner.”
Users of the service are currently charged in-app without being given a prompt for authentication or any information on the transaction amount.
But the PSD2 standards — currently expected to take effect across the EU in early 2019 — also demand that the specific value of a remote payment is communicated to the consumer before it can be approved.
“I think it’s going to be a worse experience and we’re not happy that the legislation is there,” he said.
“We want to see if there’s anything that can be done to make it seamless.”
Gabriel McGloin, vice president for global e-commerce client development at processing behemoth First Data, questioned the wisdom of European legislators.
He said that first-party fraud, where a consumer makes a purchase online then reports the transaction to their bank as fraud, is a significant problem in the e-commerce sector.
He said: “Do they understand the problems here? Do they understand the nature of this fraud?”
“For those of us who partner with the largest e-commerce companies on the planet, merchants who drive so much of the volume of chargebacks and fraud, we know it’s not third-party fraud,” he said. “It’s first-party fraud, and securing customer authentication will not resolve that.”
McGloin said that a more influential move in that respect was Visa’s decision to change its scheme rules around fraud claims made by consumers.
Arrangements dubbed the “friendly fraud code” have been scrapped, he said, making first-party fraud near impossible to carry out on a repeated basis.
“Now it’s going to mean that the bank is going to have to say to the customer: you’re calling this fraud, you had nothing to do with this transaction and nothing to do with this merchant; we are cancelling and reissuing your card,” he said.
“It should separate a lot of the friendly fraud from the fraud, I would hope.”
According to Crist, Uber already takes a generous approach to consumer fraud as part of a trade-off between security and user experience.
“If someone calls up — and please don’t all do this now — to challenge a transaction, we tend to apply a very lenient lens to that, because we understand that fraud does exist,” he said.
“Consumers have mechanisms today to challenge transactions.”
Monica Monaco, managing director of lobby group TrustEUAffairs, said the European Commission will eventually review the impact of the standards.
If the EBA’s standards have proven to drive down e-commerce by making the process too onerous for consumers, that review provides an opportunity to rework the offending regulations.
She cited the example of the first EU directive on e-money, which imposed tough capital requirements on new entrants.
That prompted PayPal to seek a full banking licence in Luxembourg rather than an e-money licence, and the subsequent directive slashed those requirements by around two-thirds.
But in the case of the PSD2 technical standards, Monaco said the “problem is how much time it will need” for a similar process to happen.
“They have to assess this 18 months after implementation, and then the legislative process is at least another 18 months — so we have a three-year observation period,” she said.
The EBA has received European Commission feedback on its final draft standards and, having held discussions at senior levels, is now expected to issue its counter-response in the coming days.
Changes appear unlikely, however, as the commission opted not to adjust the exemptions based on fraud rates.
That would mean further exemptions could only come about through further EBA amendments and commission approval, or through political opposition from the European Parliament and Council.