Strong Customer Authentication: Using Chip and PIN more often when making contactless payments

And dark patterns run rampant. Big ‘ACCEPT’ buttons clear at the bottom, but a tiny link in a paragraph of text to get to the opt-out page. When you do find the opt-out page, it’s not always clear which way the toggle is going at first. ‘Reject all’ buttons are handy, but there are sites that won’t include them and make you toggle 100-odd tracking cookies manually.

Then you try to save the settings with opt-out, and the site attempts to bamboozle you with “You won’t get the full experience!” messages with ‘Continue’ options that take you back to the settings to opt in, and ‘Leave’ buttons that continue on to the page you actually want to view!

Or you get a tiny box across part of the website, and if you carry on browsing the site, or if you close the box with the ‘X’, you’re assumed to have opted in.

It’s madness. Even the best behaved sites work badly because when you reject all and opt out, they can’t (or choose not to) leave a cookie saving your opt-out, so every time you go back to the site on a fresh visit you have to opt out again.


I appreciate this point. My annoyance is more at the implied accusation that Monzo has over-interpreted the law, or done something completely out of line with the rest of the industry. We agonised for a long time over our implementation of SCA, and we really do appreciate what a pain in the ass it can be on a day-to-day basis, and worked hard to minimise that pain.

I guess it’s very difficult to appreciate how much worse it could have been, unless you were part of the process of making it better.

SCA is a big bit of law that’s been split up into multiple sections with different deadlines. The deadline for everything was 14th September, however parts have been delayed (notably e-commerce related stuff).

Additionally, older banks have technical limitations that place a hard limit on how fast they roll out changes (look for discussions of online vs offline contactless transactions). Monzo doesn’t have those limits, so we can’t use it as a crutch to extend our deployment significantly beyond the deadline.

Yes they will. Sorry about that. Lots of stuff is happening to minimise the amount of challenges you’ll see online. But you will see 3DS more often.

If it makes you feel any better, if that happened your bank would automatically be on the hook to reimburse you (by the end of the next business day). Amazon also apply much smarter fraud controls than is obvious as a casual observer.

Of course Amazon will also be subject to SCA when the e-commerce deadline arrives (starting Q1 2020). But they employ many people whose job is to make sure the friction is as small as possible (even going as far as to strike deals with individual banks).


Yes I do think Monzo have over-interpreted the law in taking offline payments into account and cutting the £135 (150 euro) down to £100. I’m not trying to hold you personally accountable for this decision.

Regarding the compliance with SCA, you mentioned they are, but it’s very clear that not a single legacy bank has added contactless limits with chip+PIN to reset.

Currently the list of those that have actually implemented it (and not just put up a webpage of information about it):

  • Monzo
  • Starling
  • Revolut
  • Dozens

My point was by being fintech you are able to jump on implementing new rules far quicker than legacy banks. This means Monzo customers suffer whilst customers of legacy banks remain unaffected.

If it takes legacy banks a few years to get their act together, then biometric cards come out, so it’s likely the legacy people won’t have to deal with this mess of having contactless transactions randomly fail.

It just makes Monzo look sloppy to merchants, as if they aren’t doing contactless properly or their customers have no money, whilst it’s just that the other banks haven’t actually implemented it.

This law has been generated in Europe where contactless and PIN is a thing, and hasn’t considered how it might adversely affect the UK, which doesn’t have the terminals to deal with it.

If you had terminals that actually said “enter PIN” (when needed) after tapping, that would be fine.

We have tap > transaction failed. Awkwardness as nobody knows the reason why. Start a new transaction. Insert card > enter chip+pin. :man_facepalming:


It’s worth remembering that this decision was also taken in the context of currency instability, and that wiggle room was left to prevent having to constantly change the limit. I’m unhappy with the law, but I’m much happier with an implementation where I won’t have to potentially track limits changing as currencies shift.

They still have to, though. It’s all very well saying “My [legacy bank] doesn’t enforce these annoying restrictions”, but what you’re missing is the massive ‘YET’.

Worth restating this, I think:

It’s unfair to say that fintechs are ‘jumping on’ anything. They’re probably moving as slowly and carefully as they can, but unlike legacy banks they can’t make up excuses for missing the deadline. It’s a bit unfair, then, to characterise them as being overly keen to enforce an annoying law.


They don’t need to account for wiggle room for currency fluctuations though. They are required to re-calculate at set times, where the currency conversion is “locked in” again for the next period. They aren’t trying to guess that pound to euro might be five quid more or less, so take a fiver off the converted amount or anything like that. It’s what it is at that specific point in time.

It’s all ‘yet’; a bank’s not going to go a hard “no, we aren’t going to do it” - that would be business suicide. However, it’s on their terms of when it gets done and not the FCA’s 14th September 2019. I’m suggesting it might actually take them so long (years) to get round to it that biometric cards are a thing, which makes this irrelevant.

Turn this on its head by saying :monzo: customers are protected against fraud :wink:


Only they were always protected against fraud. :stuck_out_tongue:

This is for the banks.

Well, this is actually because someone thought they had a good idea and unfortunately stuck their hand up in a meeting. And it got approved without actually thinking how it would affect the UK with its payment terminals, and created a solution to a problem that didn’t exist. Same goes for the other half of SCA about confirming your identity more often after you’ve logged in. If you’ve already got past thumb or face ID then you deserve to have my money.


Hi guys, great thread - probably the best on the subject on the internet right now!

It seems to me that phildawson and co have nailed the main problem, which is neither the intent of the law itself nor the bank implementations, but rather the fact that the UK doesn’t have contactless and PIN, which makes the whole idea broken.

This has been mentioned a few times so far, but the question I’m left with is WHY the UK doesn’t or can’t have contactless and PIN? Could someone please explain the reasons for this, and it would be great if any banking insiders could speculate on whether there are any moves to change this, especially in light of the problems it creates with SCA?

Cheers.

We can add (at least):

Barclays - https://twitter.com/BarclaysUKHelp/status/1173201629820141568

Lloyds - https://twitter.com/LloydsBank/status/1173522524942065664

HSBC - https://twitter.com/HSBC_UK/status/1189485332288417792

These are REAL customers experiencing contactless declines and seeking clarification on it. Do you have any factual evidence to the contrary?

As I pointed out earlier, for a number of spending patterns, it’s unlikely folk would even get a declined message very regularly - it’s taken me nearly 2 months to even get the notification in Monzo that my next transaction will need to be chip + pin, and I use my card at least once a day. I should’ve experienced it every week but haven’t, because on average, I’ve had a transaction over £30 within each group of 5.


May have done a slight LOL at the Lloyds example, where the customer, after receiving a polite explanation, declares that they’re ‘not having it’ :rofl:

Also shows that it’s clearly not just Monzo cards suffering from misconfigured terminals, then.


It’s a complicated accident of history, this post covers some of the history:

Yes, Mastercard are changing their rules to make it possible. But it will probably still require merchants to update their terminals, which is where things tend to get stuck.


I’ve had contactless decline and the girl was like “hmm, try doing it the old fashioned way putting it in and doing it with your pin…” (For a split second as she was talking I was expecting her to hand me a biro)
People will get used to it, and shopkeepers and cashiers will get used to it quicker than their customers and guide you through it, and once you’re informed about the possibility of it you know what to do when it happens. And everyone on here is now in that category.
And it’s not THAT much of a ball ache is it really, in the scheme of things?


If you look at the Tweet content and dates I don’t think these are real customers having SCA related issues.

The Barclays/Lloyds tweets are just someone enquiring about it on the 15/16 September about when it will come into play, and getting a generic reply copying the spiel from the info page.

I am a customer of Lloyds so happy to physically test this. I’ve asked on their chat to give me an official statement too when it’s coming into play or if it is already and what the limit is.

The HSBC one is inconclusive as to whether it’s actually SCA that caused that person’s decline. I think we would be seeing tweets in the thousands with people complaining (at least for a short period whilst people adjust to knowing what’s happening and why) when it is actually implemented, not just one guy.

I’m just trying to establish clear evidence that it is actually implemented. We have other Monzo customers in the forums with legacy accounts that could try putting through more than £135 on the card via contactless payments and seeing if they get a decline.

I’m confused about what’s happening here. There is a law - it might be a good law or a bad law, but it’s, erm, The Law - which Monzo has implemented in good faith and (in my view) elegantly. The argument that other banks may (or may not) be acting outside the law is hardly compelling, in my view.

Now I’m absolutely down for debating the legislation and its merits (or otherwise), but perhaps in a dedicated thread? And if we want to continue to benefit from direct discussion with Monzo experts, perhaps we should think about how we interact with them and how welcome we make them feel?


This is ultimately my issue at the heart of SCA. The law was envisioned when contactless in the UK was in a somewhat infant state (vs today at least) and without the likes of mobile payment providers, so I don’t think it adequately represents how consumers use cards and contactless in 2019.

The fact that banks are the ones held liable for fraud to me says the banks have no incentive to make SCA better or easier for the consumer, as obviously the primary purpose of this specific bit of legislation is to reduce fraud, and therefore banks’ liabilities. I’m sure banks in general played a strong part in the design of these regulations.

From my own experience, I find now that my card declines for SCA way more often than for any previous reason for it declining. Not necessarily high frequency, but still greater than before.

As a result I’ve basically switched to primarily using Apple Pay as default, as it just tips it over into being more convenient.

From a Monzo implementation point of view, I do wish there was a way to differentiate notification types. Over the years I’ve become used to the “phone vibrating in my pocket before the card machine says approved” factor of Monzo. Not sure what’s possible, but if there was one buzz for approved / two for declined it would lead to a clearer experience?

Looks like ATM withdrawals reset the limit.

Actually what has been discussed several times is that monzo are taking a Q&A as law when in fact it is nothing of the sort. If ‘you can’t reset it any other way’ was the intended behaviour it would have been in the law itself.

In this instance Revolut are putting their customers’ UX first. Well done them.


What we (well me) are talking about is a few things.

  • Monzo jumped on £100 (and reserving £30 for offline transactions). Imho they have over interpreted the spec in taking offline into consideration and not gone with £135 like Starling and other fintechs. It takes an already low amount (imo) and reduces it unnecessarily further.

  • No legacy bank has met the 14 September deadline to my knowledge and are now working to the 14 March 2020 deadline. Or failing that deadline the 14th March 2021 deadline before the FCA said they will kick off (or extend it again if not enough banks have done it).

  • By the fintechs jumping on implementing it on time they have started impacting and inconveniencing customers before any other banks have got round to it. By the time 2021 comes we might actually have biometric cards that act the same as phones so potentially legacy bank customers may never be affected by the limits.

  • There was a bit about Revolut having a tap to reset the limit in app, which of course Monzo could champion, but Monzo (or Monzo staff) have mentioned they are worried about having their banking licence taken away if they did this, and Revolut can afford to be a bit more reckless being an e-money firm and be a bit of a rebel in pushing the spec.

  • There’s also talk about how the UK is affected more by this because we don’t have contactless and PIN here. Not much we can do about it now.

So we get tap > payment declined > no idea why, could be any reason (“Do you have enough money? Can you try another card?”) > cancel that > start a new transaction using chip and PIN where the card needs to be inserted.

They get tap > “payment needs pin” > types pin to confirm.

  • Because the spec is in euros it means that the limit (currently 150 euros) needs to be converted into the currency of the account so they aren’t working out how much £ is in euros all the time. It’s recalculated to roughly what 150 is worth and locked in at set specific times. So as an example Starling’s is £135. FCA don’t care about this or leaving wiggle room, just that it’s “in the spirit” of the spec.
  • There’s also talk of why they thought it was a good idea to implement in 2019 when we’ve had contactless working fine for the best part of a decade and customers have always had fraud protection and been covered. It does diddly squat to help, with a huge impact on the customer and merchants imo. Again not much we can do about it now, other than use Google Pay/Apple Pay which isn’t affected by this.
  • There is also the other side of SCA which is about confirming identity more often, which means having your app randomly ask you to enter your PIN. This feels again unnecessary to me. If you’ve stolen my phone and have stolen my thumbprints or can bypass with faking my face and have my PIN, and I haven’t alerted Monzo that my phone’s been stolen and changed my PIN within about two months of it being stolen, and the fraud dept hasn’t spotted something odd, then yes they can have my money.

@alawrence I’ve got evidence this morning through the SCA team that Lloyds 100% has not implemented SCA but are trying to do it by the new extension of 14 March 2020, but it might not happen; worst case before the March 2021 date. They currently have no defined limit of what that will be when it comes into play. (I was also told I can do 30 contactless transactions in the same day, which wasn’t what I had asked.)

I see it’s like waking up and having someone immediately stand on your foot every single day. For the first 100 times you might be “what the hell, I’ve just woken up, why are you standing on my foot?”; after the 1000th time this happens it might start to become the new normal and not be such a “ball ache”.

My point is they shouldn’t be stepping on your foot in the first place.

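Since the thread keeps coming back to how the contactless counter actually behaves (the “transaction over £30 within each group of 5” observation earlier, and the £100 vs £135 cumulative limits and chip+PIN/ATM resets in the list above), here is a small issuer-side simulation of that exemption logic. This is an added example written for this page, not Monzo’s, Starling’s or any bank’s code. It assumes the RTS Article 11 thresholds as the thread describes them (a cumulative cap of €150 converted into the account currency, and at most five consecutive exempt taps), treats chip+PIN and ATM withdrawals as SCA that restarts both counters, assumes the 2019 UK per-tap ceiling of £30, and assumes a declined tap does not count towards the five. Amounts are strings so the example runs with no external data.

```python
"""Simulation of the SCA contactless exemption counter (added example, not bank code).

A contactless tap is exempt from SCA only while BOTH hold since the last SCA:
  * cumulative spend + this tap <= issuer's converted EUR 150 cap (Monzo £100, Starling £135)
  * number of consecutive exempt taps < 5
Chip+PIN or an ATM withdrawal applies SCA and resets both counters.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Sequence, Tuple

Decision = Tuple[str, str]  # ("approved" | "declined", human-readable reason)


@dataclass
class ExemptionCounter:
    cumulative_limit: Decimal                 # GBP conversion of the EUR 150 cap
    count_limit: int = 5                      # consecutive exempt taps allowed (assumed per RTS Art. 11)
    tap_limit: Decimal = Decimal("30")        # assumed 2019 UK per-tap contactless ceiling
    spent: Decimal = field(default_factory=lambda: Decimal("0"))
    count: int = 0

    def reset(self) -> None:
        """Called whenever SCA has been applied (PIN entered online)."""
        self.spent = Decimal("0")
        self.count = 0

    def next_tap_needs_sca(self) -> bool:
        """The condition behind the 'next transaction will need chip + PIN' notice."""
        return self.count >= self.count_limit or self.spent >= self.cumulative_limit

    def authorise(self, amount: Decimal, method: str) -> Decision:
        if method in ("chip_pin", "atm"):
            self.reset()
            return "approved", f"{method}: SCA applied, counters reset"
        if method != "contactless":
            raise ValueError(f"unknown method {method!r}")
        if amount > self.tap_limit:
            return "declined", f"{amount} is above the per-tap contactless limit"
        if self.count + 1 > self.count_limit:
            return "declined", f"tap {self.count + 1} exceeds {self.count_limit} consecutive taps"
        if self.spent + amount > self.cumulative_limit:
            return "declined", f"cumulative {self.spent + amount} exceeds {self.cumulative_limit}"
        # Assumption: only approved taps accrue; a declined tap does not count.
        self.spent += amount
        self.count += 1
        return "approved", (f"exempt: tap {self.count}/{self.count_limit}, "
                            f"spent {self.spent}/{self.cumulative_limit}")


def run(transactions: Sequence[Tuple[str, str]], cumulative_limit: str) -> List[str]:
    """Replay (amount, method) pairs through a fresh counter and return the decisions."""
    counter = ExemptionCounter(Decimal(cumulative_limit))
    return [counter.authorise(Decimal(amount), method)[0] for amount, method in transactions]


def needs_sca_after(transactions: Sequence[Tuple[str, str]], cumulative_limit: str) -> bool:
    """Would the app warn that the NEXT tap needs chip + PIN after these transactions?"""
    counter = ExemptionCounter(Decimal(cumulative_limit))
    for amount, method in transactions:
        counter.authorise(Decimal(amount), method)
    return counter.next_tap_needs_sca()


# Constructed sample weeks (invented for this example, not real transaction data).
COFFEE_ONLY = [("2.80", "contactless")] * 6                       # six small taps, never a PIN
WEEKLY_SHOP = ([("2.80", "contactless")] * 4                      # a £45 chip+PIN shop inside
               + [("45.00", "chip_pin")]                          # each group of five resets
               + [("2.80", "contactless")] * 4)                   # the counter, so no decline
FOUR_THIRTIES = [("30.00", "contactless")] * 4                    # £120 cumulative: fine at £135, not at £100

if __name__ == "__main__":
    for label, week in (("coffee only", COFFEE_ONLY), ("weekly shop", WEEKLY_SHOP)):
        print(f"{label:12} @ £100 -> {run(week, '100')}")
    print(f"four £30 taps @ £100 -> {run(FOUR_THIRTIES, '100')}")
    print(f"four £30 taps @ £135 -> {run(FOUR_THIRTIES, '135')}")
```

The `FOUR_THIRTIES` sequence is where the £100 vs £135 choice shows: the fourth £30 tap is declined on a £100 cumulative limit but exempt on £135, while the five-tap count is the binding limit for the coffee-only pattern on either. The `WEEKLY_SHOP` pattern never declines, which is the “chip+PIN within each group of five” experience described earlier.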

I’ve picked on this use of language before, and I’m going to pick on it again. It’s unfair and inaccurate to say fintechs have ‘jumped on’ implementation. It implies they made the choice to implement it early instead of delaying, which absolutely isn’t so.

Legacy banks have been using their complicated legacy stacks and antiquated systems as an excuse for missing the deadlines. Fintechs do not have this excuse, and can’t use it as a reason to delay implementation.


You can read that line “jumping on implementing it” as “implemented on time”, as opposed to missing the deadline like all other banks (apart from Monzo/Starling and about 3 e-money “banks”).

I’m not saying they should have purposely missed it. I’m simply commenting that a consequence of being punctual is that Monzo customers are affected in the period between when it was implemented and when everyone else catches up, be that March 2020, 2021 or later if it’s extended again.

It’s not like the legacy banks go to the FCA “sorry we are a bit slow being legacy using older systems, give us more time :pray:”; they aren’t being asked why like they have missed doing their homework. Excuses don’t cut it and the FCA wouldn’t care. The FCA knows that for any deadline they give they can’t be too forceful or piss off lots of banks. Even the March 2021 statement where they say “any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action as appropriate” is just to help push them forward in getting it done.

This makes Monzo actually look unprofessional to merchants, as it looks like Monzo are having issues with contactless payments, when contrary to this they are doing everything they should.