This is not right at all (it's mandatory fo all banks and merchants in the EEA), although you're correct that SCA still has loopholes (like a US merchant... just trying, although a bank could just mandate 3DS to solve that).
How do you explain the example I gave where the taxi app only has to SCA me once and not upon every transaction? This is in the EU.
What I suspect is that the "mandatory" bit is by law (and the law has flexibility, which covers this taxi app scenario) but there is no technical solution to make it mandatory, thus a non-compliant merchant can still drain your account until your chargeback claim goes through.
You're right that it's not fully enforced technically. It's complicated, and I don't think that's really solvable by technology (being that this scenario is roughly equivalent to direct debiting). Banks can validate if a particular merchant has already been used by a customer and blocking them from debiting your account, but since that SCA has exceptions for recurring debiting, this is not really enforcable once the customer has authorized the merchant for any debiting.
> If you attempt an exemption and the bank returns a decline code indicating that the payment failed due to missing authentication, you’ll have to reattempt the payment with your customer but this time utilizing SCA.
