Transforming PSD2 and Strong Customer Authentication into opportunities

Saurabh Bajaj, Feedzai: PSPs that use machine learning for fraud prevention can breathe a sigh of relief, knowing they have the technology in place to decrease fraud rates and help them succeed in the world of PSD2

Although some delays were recently announced for Strong Customer Authentication (SCA), an important part of PSD2, the pressure for all payment service providers (PSPs) to make sure their systems are compliant and customer-centric continues to mount. As fraud increases, customer behaviours change, and a more competitive Open Banking market becomes the reality, PSPs have to work continuously to manage risk and reduce friction. This includes increasing security measures around customer authentication to prevent customer attrition in this hyper-competitive era.

However, there are critical steps PSPs can take to make their goals easier to achieve. This includes examining the exemptions found in Article 18 of the Regulatory Technical Standards, which support PSD2 and set out Strong Customer Authentication (SCA) requirements, and the goals of PSD2. By drawing on this knowledge, PSPs can leverage certain capabilities to easily stay compliant while improving the client user experience. This paper explores these steps, revealing how a robust machine learning (ML) solution is key for PSPs that want to turn regulations into opportunities. 

SCA: exemptions and implications

One of the main PSD2-related areas of focus is SCA, which aims to increase trust through authentication and improve security. It requires PSPs to provide two out of the three following items to verify identity:

• something you know (password, response to a security question, PIN);

• something you have (two-factor authentication via mobile phone, hardware token, smart card);

• something you are (fingerprint or facial recognition).

SCA isn’t applied to some transactions that are considered low risk, including balance checks, low-value transactions (<EUR 30 for a single transaction), and the number or amount of transactions relative to the last time SCA was performed. However, since one of SCA’s aims is to increase security for transactions that can’t immediately be deemed as low-risk, these exemptions do not cover all low-risk transactions. For instance, if you have a nice dinner with a friend and later reimburse them EUR 100 for dinner, you must undergo SCA even though the transaction seems low-risk to you. 

Due to the exceptions and the fact that not all of them cover genuine low-risk transactions, customers can easily become confused and irritated as to why they’re encountering friction. For instance, they may be baffled about why some low-risk transactions are subjected to SCA and others are not, or why they themselves are put through SCA when they haven’t committed fraud. As valuable customers are exposed to more friction through unnecessary SCA, they may flee to competitors that can validate these transactions without SCA intervention.

In addition to the exemptions to SCA, there are also exceptions to these exemptions. This is where machine learning can be used – when it comes to remote transactions that fall above EUR 30 and up to EUR 500.

Machine learning: a customer-centric and competitive advantage

This is an exception because fraud prevention platforms that use machine learning to identify and prevent fraudulent activity directly help decrease fraud rates of the banks they service. These platforms use advanced ML to avoid unnecessary SCA for users because they drive fraud rates down to a level that is deemed allowable for exemption. See below the reference fraud rates for certain transaction values:

Robust machine learning makes these rates easy to achieve.Platforms with these capabilities provide a customer-centric and competitive advantage to the PSPs that use them. 

PSPs that don’t use machine learning to drive down fraud rates are at a significant disadvantage: this exemption to SCA (i.e. exemption about remote transactions between the EUR 30 - EUR 500 threshold) wouldn’t apply to them. More specifically, banks that don’t take advantage of the SCA exemptions for transactions in the defined threshold are essentially asking their customers to undergo unnecessary friction, simply because they are unable to accurately identify transactions as low-risk or high-risk.

In an Open Banking landscape, where more and more competition is being introduced, it’s critical for banks to reduce customer friction to avoid driving customers and applicants away. To do so, banks must eliminate SCA when they can.

A platform and partner for improved security

PSD2 aims to increase competition in the banking landscape, which benefits consumers and helps even out the playing field for established and emerging PSPs. However, opening up the bankinglandscape to more competition opens it up to more fraud. 

As a result of PSD2, any institution that holds customer data and account information needs to provide to new PSPs access to that data and account information via an API. This allows customers to choose how they view their data, either through their traditional banking accounts or through new third parties that consolidate all of their account information in a single platform. Although this is great for the customer, it means that PSPs now need to watch out for fraudsters and make sure they’re sharing sensitive data information with other parties securely. 

This is where having an ML fraud prevention platform is imperative to data security, as data is shared more openly amongst various players. This way, PSPs can prevent and quickly detect fraud without raising their operational teams’ costs or interfering with customers’ experiences.

Furthermore, since fraudsters can attack multiple payment methods, PSPs may find it helpful to partner with a machine learning company that works on the full life cycle of the payment industry, which could easily guide the clients in AI techniques that are used by other players in the life cycle (e.g. merchants, processors, and acquirers). 

PSPs must consider a tremendous number of factors when it comes to complying with regulations while trying to outmanoeuvre their competition. However, those that use machine learning for fraud prevention can breathe a sigh of relief, knowing they have the technology in place to decrease fraud rates and help them succeed in the world of PSD2.

The editorial was first published in the Open Banking Report 2019, which offers insightful editorials, interviews and expert analyses that paint an exhaustive picture of the Open Banking regulatory shifts and the important extents in which this impact the industry.

About Feedzai