Interview with LexisNexis Risk Solutions on Strong Customer Authentication

Tuesday 19 November 2019 08:40 CET | Editor: Oana Ifrim | Interview

The Paypers interviewed Dan Holmes, Principal Banking Solutions Consultant at LexisNexis Risk Solutions, to find out more about Strong Customer Authentication as a core part of PSD2.

What are the new Strong Customer Authentication (SCA) rules? What are some exemptions for two-factor authentication to the SCA and how do these rules impact the payment ecosystem?

With the objective of increasing online security, SCA requires that electronic payments and other online activities are performed with two-factor authentication (2FA). 2FA itself (the security process in which the user provides two different factors to verify themselves) is not a new concept. However, SCA now mandates prevention of common compromises, like a password phish, as a password on its own would no longer be enough to complete an online payment. This does not mean every payment is subject to SCA; there are exemptions to 2FA for scenarios including balance checking, checking transactions and statements from within the last 90 days, payments to trusted beneficiaries, recurring transactions, such as standing orders, and low-value transactions.

SCA presents a wholesale change for which many merchants, PSPs, and issuers are simply not ready. Many overlooked the complexities involved in preparing for it and it was argued that rushed implementations to hit the original deadline of 14 September 2019 would result in market and consumer disruption. This resulted in a deadline extension of up to 18 months for several markets from the EEA. Even with the delay, many of those impacted will go live with a proposition that in the beginning focuses on compliance and will later develop into something that becomes more user-friendly.

What can banks do to balance the heightened security measures of SCA without impeding the customer experience (UX)?

The paradigm of security vs customer experience is not a new one. Looking back, the introduction of faster payments in the UK combined with the increased accessibility of online banking brought about significantly heightened risk for banks in 2008. Banks reacted differently. Some introduced a secure front door concept with initiatives like card and reader, which made it apparent to the customer that security was at the forefront of the bank's priorities, whilst others went with a passive fraud and authentication approach meaning the perception of security was less obvious, but meant that a slicker UX was maintained. This led to the development of different cultures at each bank in terms of what their customer base perceived and expected. Interestingly now, with the introduction of SCA, banks that currently have a slicker UX are being presented with the biggest challenge.

Banks are conducting thorough customer research to determine what the most appropriate way to authenticate and ensure compliance should be. This shows us that customers do expect their experience with their bank to be fluid and near-frictionless, yet compliant through authentication methods such as ‘device binding,’ which allows users to transact on trusted devices without repetitive authentication.

Research also suggests that banks who offer a range of authentication options to meet differing customer expectations, particularly those who possess a broader range of customer demographics, are more likely to succeed.

What are the challenges for banks implementing SCA-compliant systems and processes?

The first challenge that comes to mind is the level of transformational change required for banks to become compliant. This transformation has internal impacts in terms of infrastructure and architecture, and external bearings, such as managing customer messaging and expectations. Whilst banks are accustomed to regular infrastructure changes, the bigger challenge is ensuring the messaging to customers is timely and relevant, balancing the requirements of informing the banks that change is coming and why it is important for them to engage.

The good news is that banks have turned to proactive customer communication prior to regulation deadlines to warn customers of the forthcoming changes; the methods of communication are coming in all shapes and sizes and range from SMS to radio adverts. This in itself gives a sense of the challenge we are seeing unfold.

How do PSD2 and the Regulatory Technical Standards (RTS) align with the current LexisNexis Risk Solutions capabilities and future roadmap?

Current LexisNexis Risk Solutions products supporting SCA compliance include device-binding authentication for both web and mobile, as well as risk-based transaction monitoring to satisfy the Transaction Risk Assessment (TRA) requirement of the RTS. We are seeing strong adoption of both of these solutions in particular in the UK banking sector.

Our SCA capabilities include:

  • Behavioural biometrics as an inherent factor. Combining behavioural biometrics with device authentication tables the potential of ‘password-less’ authentication.
  • An authentication hub that brings together a suite of authentication options into one place and offers the most relevant method of authentication at an individual user level.

What are the benefits of risk-based authentication (RBA) and what is the LexisNexis Risk Solutions approach to this?

RBA and transaction monitoring allow banks to work within their own risk appetite when it comes to balancing fraud detection and customer experience. By using risk-based transaction monitoring under TRA, banks have the opportunity to create 2FA exemption on transactions up to a value of EUR 500 (depending on their fraud rates). Internal data shows that around 80% of payments fall under this threshold, so the opportunity for exemption is huge. TRA mandates that a thorough set of fraud checks are invoked on each transaction, such as looking for device abnormalities and the presence of malware, or identifying unusual spending patterns at an individual user level. Fortunately, some banks are already applying such checks and will therefore be able to weave TRA directly into their SCA strategies. However, for other banks not already operating in such a way, TRA becomes an essential proposition in the quest to improve user experiences. The challenge will be to quickly develop and employ cost-effective and evolving capabilities to carry out TRA checks that also meet evolving compliance requirements. In response, banks are turning to experienced fraud solutions experts like LexisNexis Risk Solutions for support and partnership to ensure SCA is introduced in the most appropriate and strategic way.

The interview was first published in the Open Banking Report 2019, which offers insightful editorials, interviews and expert analyses that paint an exhaustive picture of the Open Banking regulatory shifts and the extent to which they impact the industry.

About Dan Holmes

Dan recently joined the LexisNexis Risk Solutions team after spending the last 8 years working in Fraud Transformation at Lloyds Banking Group. There he was responsible for the deployment and development of cutting-edge fraud technologies to protect over 14 million active online and mobile users. Now at LexisNexis Risk Solutions, he uses his banking experience to ensure both new and existing clients in the EMEA region maximise the value from our vast Digital Identity Network.


About LexisNexis Risk Solutions

LexisNexis® Risk Solutions harnesses the power of data and advanced analytics to provide insights that help businesses and governmental entities reduce risk and improve decisions to benefit people around the globe. We provide data and technology solutions for a wide range of industries including financial services. Headquartered in metro Atlanta, Georgia, we have offices throughout the world and are part of RELX, a global provider of information-based and analytics and decision tools for professional and business customers across industries. For more information, please visit
