Voice of the Industry

What's the most efficient path to SCA compliance?

Monday 14 February 2022 12:16 CET | Editor: Mirela Ciobanu | Voice of the industry

The deadlines around SCA have shifted constantly. With the final rules in place, Tim Burton warns against the false economy of Transaction Risk Analysis.

SCA has been an ever-present factor over the last two years, with deadlines and guidelines changing and evolving. There has been significant pressure on businesses to ensure their compliance, pressure that is naturally increasing as the 14 March 2022 deadline draws nearer.

But the guidance on what an SCA-compliant solution actually looks like has changed over time. This far down the line, the majority of organisations will have already made serious inroads to putting their solutions in place. But what steps should they now be taking to ensure that those solutions not only deliver compliance, but also scalability, flexibility, and, importantly, value?

The SCA goalposts have moved

Businesses across the UK have paid close attention to the many twists and turns that SCA has encountered on its journey, and they’ve had a great deal of influence on both its implementation date and the steps that businesses need to take to be compliant.

In June 2021, both UK Finance and the ICO strongly recommended that organisations look to behavioural biometrics as their approach to SCA. However, the FCA published its final rule changes to SCA in a policy statement on 29 November 2021, which set out amendments to the Payment Services and Electronic Money approach document (UK SCA-RTS) and the Perimeter Guidance Manual.

One of the most notable changes was that the FCA opted to broaden the range of authentication options to include factors such as traditional biometric credentials and characteristics such as spending patterns, in addition to behavioural biometrics.

For many businesses, this will have little impact on their strategies. Most forward-looking organisations will have already implemented their SCA compliance mechanisms or will be at an advanced stage in their plans.

On the other hand, there will be businesses that will be looking at the exemptions around Transaction Risk Analysis (TRA) to get through the door in terms of compliance. With the deadline fast approaching, this may seem like a solution, but it’s one where the short-term gains are offset by long-term costs. And while TRA might get a business over the line in terms of SCA compliance, it also introduces a wide range of risks.

The shortfalls of TRA

TRA is a tool that’s available to issuers, dependent on their ability to manage fraud via risk-based requirements, and one that can be contractually outsourced to merchants. It considers a number of elements, such as payment patterns, transaction amounts, and time limits – such as when a user last authenticated – and whether beneficiaries are trusted, or transactions are recurrent.

But this approach is only as good as the available data; its accuracy tails off very quickly if a given user doesn’t have a broad and extensive transaction history. As a rules-based system, it’s not designed to deal with fraud rings and criminals who, by definition, break the rules.

As well as constantly changing their tactics faster than TRA systems can adapt, bad actors can quickly learn spending patterns and emulate them, sending the exact signals that make them look like genuine users.

Conversely, genuine users might find that non-standard (but legitimate) transactions get wrongly flagged. The entire concept of TRA is to look for fraud patterns, but the activities of bad actors can skew those patterns and push up the subsequent exemption threshold values.

That, in turn, raises the probability of false positives – a well-known source of frustration for customers, and a contributing factor to cart abandonment.

Positive identification: the way forward

TRA has its place – as a supplementary identification technology. But in a digital-first world where fraud and scams are continually escalating, relying on simply detecting fraud signals is not tenable.

It’s why multiple stakeholders, from the EBA to the FCA, have emphasised the need to step beyond the outdated and insecure authentication methods that fraudsters rely on to ply their unpleasant trade.

Technologies such as Callsign’s solution passively layer threat detection, device fingerprinting, and location analysis with Callsign’s Muscle Memory Technology – our highly advanced behavioural biometrics – to provide the level of security that organisations need to stay ahead not only of the criminals but also of the competition.

With UX at the heart of the solution, Callsign is unique in that it focuses on positive identification rather than simply trying to detect fraud signals; a passive identification approach that reduces friction in the user journey and avoids the costs and frustrations caused by false positives – whilst still being able to work alongside conventional authenticators and fall back to them where needed.

That’s an approach that’s not only more effective and secure but also more cost-effective. A UK bank that switched to Callsign saw fewer false acceptances, a reduction in SMS OTPs by 65%, and an overall 74.6% reduction in costs. And in turn, a reduction in abandoned transactions.

Best practice makes perfect

The FCA has taken an important step in empowering organisations on their SCA journeys. A business can now set the dial to where it feels most comfortable operating. But it’s important to remember that SCA was created to mitigate the shortfalls that have dogged transactions for years: high cost, high levels of fraud, low levels of customer satisfaction.

The final rule changes don’t change that. Opting to stay with older, less secure methods of authentication or relying on TRA won’t solve that.

Despite the shifting deadlines and definitions around SCA compliance, the best practices are still exactly what they sound like: best practices. And a solution such as Callsign will help you deliver that cost-effectively, regardless of where you are on your SCA journey. It’s not too late.

About Tim Burton

Tim Burton is an experienced authentication and fraud practitioner who has held numerous senior positions within both technology and business functions in the financial services sector – solving large-scale, omnichannel challenges within the UK, South African, Latin American, and European regions. Tim’s mission statement is to simplify the complexities of authentication and authorisations, leading to improved decision making and better outcomes for consumers all around – a key driver for joining Callsign, where he is now leading the Solutions Engineering practice globally.

About Callsign

Callsign has a simple vision: we want to make digital identification seamless and secure. Our unique positive identification approach balances high security and user experience, allowing customers to interact online safely, with minimal friction, while ensuring that bad actors are blocked to protect customers’ identities and business interests.

Keywords: SCA, ecommerce, merchant, Issuer, multi-factor authentication, online authentication, digital identity, Callsign
Categories: Fraud & Financial Crime
Countries: World