The effects of coronavirus on SCA implementation

Changes in consumer behaviour have been hitting the ecommerce industry hard during the global pandemic. Following the difficult conditions, the Financial Conduct Authority (FCA) – the conduct regulator for financial services in the UK – has announced that the industry in the UK has an extension of six months to implement Strong Customer Authentication (SCA).

This announcement comes on the back of members of the European Payment Institutions Federation (EPIF) – which includes payment service providers such as Mastercard and Visa – signing a joint letter to the European Banking Authority (EBA) requesting a similar extension of six months on SCA across the industry due to COVID-19.

SCA, a requirement of the Second Payment Services Directive (PSD2), has been introduced in Europe in order to better authenticate users when using online banking services or paying online. It requires multi-factor authentication to occur when conducting an electronic payment, including at least two of the following: possession, knowledge, and inherence. In other words, something the customer has, such as a mobile phone, something they know, such as a password or PIN, and something they are, such as a fingerprint, or behavioural biometrics.

This increases the security of paying or banking online, which is because, as the different factors of authentication must be independent from one another, the breach of one will not compromise the reliability of the others.

The general shift of the consumer towards online services means it is now more crucial than ever to accurately authenticate the identity of users during both transactions and online banking sessions. This is why multi-factor authentication has become hugely important; by layering methods of authentication on top of one another, it is possible to reduce both the amount of online fraud and the cost of processing fraudulent transactions.

Reduced capacity for SCA implementation

It is clear that COVID-19 has reduced industry capacity to implement SCA. Companies have been operating with reduced workforces and efforts have, of course, been focused instead on business continuity, supporting consumers through the pandemic whilst maintaining their own economic stability. However, while it is undeniably helpful for organisations to have the threat of further economic repercussions for not meeting PSD2’s criteria removed from the equation at this time, from a payments and online banking fraud perspective, any delay is extremely worrying.

The pandemic itself has led to an unprecedented spike in fraud, particularly phishing attacks that attempt to exploit the crisis for financial gain. For example, during this period Microsoft Teams has seen its highest increase in users due to a shift to online and remote working. Unfortunately, the increase in business has made them a lucrative target in the eyes of fraudsters, and a recent fraud attack saw fraudsters impersonating a Microsoft Teams notification in order to steal Microsoft Office 365 login details.

It’s the same story across the online banking and ecommerce industries. This is just one illustration of why multi-factor authentication is badly needed, and perhaps why the EBA is so keen to stick to its original deadline for implementation.

What can banks do to mitigate these issues?

Whatever happens with the timeline of implementation of SCA, banks in the UK and the rest of Europe need to start implementing a strategy that can face both of these issues head on. 

This is particularly prevalent for banks in the UK that have signed up for the Contingent Reimbursement Model, whereby a ‘no-blame’ policy means the banks themselves are liable for any losses customers incur as a result of fraud.

This strategy must contain an anti-fraud solution that incorporates behavioural biometrics because deploying behavioural biometrics in this way means a factor of authentication (something the user is) can occur constantly and invisibly during an entire online banking session or a transaction. This increases security levels whilst promoting a frictionless user experience. In fact, deploying behavioural biometrics in this way improves the customer’s overall experience, by removing the need for them to do anything additional to logging in or providing card details.

Devising a plan of action now will enable banks to fight fraud, protect consumers in what is potentially a stressful financial period for them whilst also instilling a confidence in their services. It will also ensure they are ready for regulation deadlines, whenever they come around.

About Tim Ayling

Tim is buguroo’s Vice President EMEA, having joined the company in 2019, bringing twenty years of experience in the cybersecurity and anti-fraud industry. He has spent time in the cyber-security practice of KPMG, as well as serving as EMEA Director of Fraud & Risk Intelligence at RSA Security, and most recently as the Global Head of Fraud Prevention Solutions at Kasperky Labs.

About buguroo

Headquartered in Madrid, Spain, and with offices in the US, UK, Mexico, Brazil, Poland, and Colombia, buguroo helps protect more than 50 million banking customers across the world from online fraud. The company’s flagship anti-fraud solution, bugFraud, utilises deep learning technology combined with behavioural biometrics, device assessment, and advanced malware detection to create a unique profile of each customer, enabling banks to continuously check that the user is who they claim to be and is not being manipulated by fraudsters.