Industry Insight: Guidance on SMS OTPs for Strong Customer Authentication

Rachel Bentley

Tags:

PSD2 | Strong Customer Authentication (SCA) | Regulation | Mobile Network Operators | Insight | User Experience

"At the end of January 2020 UK Finance issued their updated communication on Strong Customer Authentication (SCA). SCA is the requirement for customers to verify themselves when making online payments, and the communication highlighted the importance of all parties being ready well in advance of the compliance deadline. There is also a focus on the use of SMS OTPs (the delivery of one-time passcodes by text message). It’s clear that whilst this is a short-term solution to achieving compliance, issuers must have a plan in place for alternative authentication methods.

Banks have become increasingly reliant on the use of SMS OTPs as a way of authenticating customers. It’s a reasonably easy solution to implement and it’s something that users have become familiar with and know how to use. However, there are a number of disadvantages.

Firstly, it’s not a great customer experience for online payments. There might be times when there isn’t a mobile phone signal, or the text message simply isn’t received. This prevents the user from completing the online transaction. This impact on customer experience has a negative effect on NPS scores and an increase in call center volumes. Understandably this is a big concern for issuers and merchants.

Secondly, it’s expensive for issuers who have to pay each time an SMS is sent.

Thirdly (and most importantly for the regulator), it’s a method that’s highly susceptible to fraud. Through mechanisms such as SIM-swap, call divert and SS7 attacks, fraudsters are able to intercept OTPs and gain access to customer data.

It’s for these reasons that the regulator is pushing for firms to find alternative methods for secure authentication.

Longer term, biometric and mobile app-based authentication can provide a much more seamless payment journey. However, it is important to remember that this won’t suit all parts of society and there will be people that need different options. It’s important that we don’t exclude vulnerable customers.

It’s not about a one-size-fits-all approach but about banks being able to adapt the customer journey to suit the user’s needs.

Solutions such as Callsign’s platform give banks this flexibility so they are able to meet the compliance deadline whilst at the same time enhancing customer experience, reducing costs, and reducing fraud."
