SCA arrives this weekend. Open banking's hard deadline is here.
This Saturday, September 14, the strong customer authentication requirements of PSD2's regulatory technical standards become mandatory. Two years of preparation, delegated acts, and opinion papers come down to a simple operational question: when the rule switches on, does the payment still go through?
The honest industry answer is "mostly," which is why several national regulators, following the EBA's June opinion, have granted supervised migration periods for e-commerce. The deadline is real; its enforcement will be phased. Nobody should read that as a reprieve so much as a stay of execution with reporting obligations attached.
What the deadline actually tests
SCA looks like an authentication feature, but for most institutions the hard part has been everything around it: the exemption logic that decides which transactions may skip the challenge, the APIs through which third-party providers reach accounts, and the monitoring that proves fraud rates justify the exemptions claimed. These are integration and evidence problems, and they will outlast the migration period.
- Exemption decisions need to be recorded per transaction; the supervisor's questions will come months later.
- Third-party access through your PSD2 APIs is now a regulated channel with service-level expectations, not a side door.
- Failure modes matter: a declined challenge should degrade to a recoverable journey, not an abandoned basket.
The friction is a business number
It is tempting to treat SCA purely as a compliance obligation, but the institutions paying closest attention understand it as a conversion problem wearing a regulatory costume. Every unnecessary authentication challenge is a moment where a customer can hesitate, fumble, or abandon, and at scale those moments are measured in real lost revenue. The exemption logic is not merely a box to satisfy the supervisor; it is the dial that determines how much friction your customers actually feel.
This is why the exemption engine deserves the engineering care of a product feature rather than a compliance afterthought. Claiming a low-value or transaction-risk-analysis exemption correctly keeps a good customer moving; claiming it wrongly either annoys them with a needless challenge or exposes the institution to fraud it must answer for. Doing that well, transaction by transaction, in real time, and keeping the evidence to justify each decision later, is the genuine technical achievement hiding behind the word "authentication."
The institutions comfortable this weekend are the ones who treated SCA as an API program with a security feature, not a security feature with some APIs.
The direction is set
Whatever happens on Saturday, the direction is set: payments in Europe now run through governed, observable, regulated interfaces. The migration periods will expire, the exemptions will be scrutinized, and the interfaces that carry third-party access will be held to the same standard as any other regulated channel. The deadline is best understood as the moment that stopped being optional, the point after which "our payment APIs are an internal detail" ceased to be a defensible position in front of a supervisor.