At the end of April, the FCA announced that due to the impact of Covid-19 they were giving the industry an additional six months to comply with Strong Customer Authentication for e-commerce.
This takes the UK to a revised deadline of the 14th of September 2021. While it’s important to maintain momentum on implementation, the extension does give firms the chance to get it right this time.
Many banks and issuers had been looking into tactical solutions to meeting the compliance deadline on day one. The extension gives them the opportunity to look into more strategic approaches.
What opportunities does this extension bring to banks and issuers?
Historically the priority has been on achieving compliance on PSD2 itself, with many other business factors being classed as secondary.
This delay actually gives us more time to think about those other important factors that have potentially been overlooked. Most notably:
- How can I reduce operating costs as the MVP is hugely reliant on costly out of band delivery mechanisms such as SMS?
- Are my authentication controls aligned to authorization controls?
- Have I simplified my decision-making process enough across all aspects of the fraud and risk management lifecycle?
- Customer experience – am I using the right authentication factors for my customers?
- Is the UX right for my brand?
And this aligns with the FCA's views on finding the right solutions for customers. The FCA also recently welcomed the industry recommendations put forward by UK Finance to focus on behavioral factors as an authentication method.
This would be instead of a knowledge factor such as asking customers to input a PIN or a password. Which as we know can introduce additional friction into the check-out process and is at a high risk of fraud.
Looking at the options the banks have, the EBA published an opinion paper that outlines a number of different ways you can achieve inherence through the use of biometrics or customer behavior.
How do you go about selecting a biometric solution and what kind of things do you need to be looking out for?
So, I have been a big advocate of positive biometrics for some time. Identifying a customer when they are interacting with a previously bound device is less forced and far more organic in the transaction flow.
Over time, behavioral biometrics has the potential to displace the knowledge factor. Many organizations have already begun collecting behavior about customers, so I believe we will be well placed to introduce this for 3D Secure when the time is right.
Behavioral biometrics is not only good at positively identifying a specific customer but can also quickly identify bad actors. For example, when criminals use technologies such as BOTs or RAT software to control transactional flows without the customer's knowledge.
It's important that any approach you take to utilizing behavioral biometrics addresses both the positive identification of the customer and bad actors committing fraud.
The solution that you adopt for behavioral biometrics must offer low margins for error. This minimizes unnecessary fallbacks to less favorable authentication types. We detect genuine behavior and fraud in the same check which keeps equal error rates at a minimum.
It’s about positively identifying the individual, so you satisfy the regulation and at the same time, deliver the best possible customer experience.
What’s more, both the FCA & UK Finance have said that in the longer-term banks should be reducing their reliance on the use of SMS OTPs for authentication. Other methods using the secure binding of a device to achieve possession have already been recognized by the EBA. And these methods are much more secure, deliver better customer experience and are cheaper for issuers and merchants. This is something we are already working on with a number of financial institutions.
Banks need to be using this extension as an opportunity to find the right long-term solution for them and their customers.