Amon Cohen explains why new regulations on consumer payment fraud will penalise managed travel
Sitting on my desk is the annual letter in which Yeovil Town Football Club suggests I hand over several hundred pounds to renew my season ticket.
After the season the Glovers (for such is our team’s nickname) have just endured, I struggle to think why, but doubtless I shall, against all reason, sign on the dotted line again.
I will spare you the harrowing details of what watching Yeovil has been like recently, but suffice to say I expect my 18-year-old son Max, who has accompanied me to most games since infancy, to launch legal action at any time for inflicting on him a childhood of sustained cruel and unusual punishment.
Yeovil are so mediocre we are even bottom of the national hooligan league, with zero arrests and banning orders. I guess that’s because we’re Glovers, not fighters.
Rule change: the replay
The reason I mention all this is because, right now, it feels like regulators may also fail to learn from experience and sign new rules into law that could royally mess up managed travel processes.
We went through this a couple of years ago with the Interchange Fee Regulation, which has effectively put up the cost of using individual pay corporate cards – see the BBT Corporate Cards Supplement 2017 with this issue for more details.
This time the culprit is the sequel you have all been waiting or: PSD2, properly known as the revised European Payment Services Directive. For the most part PSD2 is necessary and well- planned law-making to regulate consumer payments in our changing digital age. It is intended to open the payments market to much greater competition and therefore, one hopes, innovation.
But note, I said the directive is aimed at the consumer – and that’s the catch. The draft regulatory technical standards issued by the European Banking Authority show that, once again, the very different needs and processes of the corporate market have been overlooked or misunderstood.
The problem this time is a requirement that payment transactions where the merchant and customer are not face-to-face must be verified with ‘strong customer authentication’ (SCA).
What that means is that typing in all the information on the card is not enough. Some other form of verification is needed, such as biometric identification or inputting a PIN number sent to the customer’s phone.
The retail industry complains SCA will deter online consumer sales because shoppers won’t want the hassle of an additional round of security. Perhaps. But what is indisputable is that SCA simply can’t function at a practical level for managed travel, for the simple reason that the booker and the payer are often not the same person. One example would be a travel management company consultant booking on behalf of a traveller – you can’t text a cardholder PIN code to the consultant.
Another would be a traveller booking a flight paid for with a lodge card – aka centrally billed account. The lodge card is in the company’s name, not the traveller’s, so how is SCA supposed to be applied in this case? No one has the foggiest idea.
Red flag on fraud risk
Even more galling is that, while SCA is commendably aimed at reducing fraud, levels of fraud in commercial payments, especially lodge cards, are a tiny fraction of what they are in consumer payments. ‘Sledgehammer’ and ‘nuts’ are therefore appropriate words here, the latter as an adjective as well as a noun.
Various refinements to the standards have been suggested to avoid causing serious damage to the way we book corporate travel today. One example would be only requiring SCA for businesses with fraud rates above a certain threshold. Failing that, our industry faces unpalatable options such as adding more manual processes or moving away from using cards, with a consequent loss of management information and many other benefits.
This is a battle that can be won – it is said that although the European Banking Authority is unsympathetic to the unintended consequences of SCA, the European Commission is not – but red flags need to be waved collectively and urgently right now, by the travel industry as well as by card businesses.
In fact, to quote Yeovil Town’s stirring, though rarely observed, club motto, we need to Achieve By Unity.