PSD2: The Importance of Implementing SCA for Mobile and Desktop Banking

Posted February 6, 2019

For banks racing to meet the September deadline to implement Strong Customer Authentication (SCA) as mandated by the EU’s Revised Payment Services Directive (PSD2), it turns out mobile may be the least of their worries.

Among other things, PSD2 stipulates that by September 14, adherence to the principles of SCA is mandated for all financial institutions. Although each institution's underlying fraud performance dictates the fraud thresholds at which SCA must be applied, there is some flexibility with regard to the choice of authentication method. Although there are varying authentication options, the most prevalent will likely be a one-time passcode, a push notification, or a login or transaction supported by public key cryptography.

By now, many financial institutions have discovered that implementing SCA within the mobile channel is a relatively straightforward proposition when provisioned through a bank’s mobile app. But it’s important to note that traditional, browser-based online banking transactions through laptop and desktop computers must also be SCA-enabled by the September deadline too.

The problem: some banks may struggle to meet not only the mandated requirement itself, but also their preferred balance of customer experience and fraud risk appetite. Some may choose to authenticate at the login phase, some at the transaction phase, and some on a combination of the two. But with that choice comes the complexity of cost, customer friction and customer awareness; for these reasons a clear and consistent application of SCA at login might be the most effective and clearest solution.

A Game Changer

For those just tuning in, PSD2 is the sweeping set of requirements that is fundamentally transforming the financial services industry throughout the EU. First proposed by the European Banking Authority (EBA) in 2015, the directive is aimed at modernizing a financial services industry that had grown increasingly encumbered by antiquated processes, procedures and technology infrastructures that left far too many banks and their customers susceptible to cyber-attacks and online fraud.

Signed into law by member states in January 2018, the directive establishes important new requirements that dramatically enhance security, transparency, and competition throughout the industry.

The 30% Solution

As it turns out, one of the largest retail banks in the UK has found that while 70% of its customers have adopted its mobile banking app, as much as 30% of its customer base has not. Many of these will be credit-card-only customers or hold only insurance products, but when you also factor in that only 25% are typically ‘mobile only’ customers, it highlights the challenges facing the industry. Customers still like the familiarity of internet browsers, especially for large transactions and their month-end accounting. Some do not yet have a smartphone capable of supporting the app, or PSD2’s SCA requirements. Maybe they simply don’t want to use mobile banking. Whatever the case, this is a sizable portion of the bank’s customers, and it easily represents a statistically viable proxy for retail banking customers EU-wide.

As the digital age has evolved, banks and retailers have been focusing on reducing friction, to the point that most don’t use step-up authentication at all for logins or electronic purchases. PSD2 now legislates friction into the digital experience.

And this autumn, consumers throughout the EU could face continued or potentially increased levels of friction as they are prompted to register for securely authenticated, PSD2 compliant mobile banking apps and alternative methods of authentication.

Did Consumers Get the Memo?

With the most disruptive change to consumer banking just over seven months away, consumers are largely unaware of, and currently unprepared for, these new changes.

Education and user experience will ultimately drive consumer adoption. With the explosive adoption of new challenger banks and e-wallets, and familiar tech giants moving into the financial services space, banks will need to deliver a more customer-focused experience. As SCA is rolled out, there is an increased risk of consumer confusion, overrun call centers, and a tremendous amount of customer frustration and necessary remediation.

Faced with this, we will likely see increased mobile adoption and usage as mobile becomes the mechanism by which a customer can conduct both a transaction and its necessary authentication. But even with that increased adoption, a proportion of customers will still need an authentication solution for desktop browser activity, one that provides the same ease and familiarity they are used to, but with the principles of SCA also embedded. Banks, therefore, need not only a seamless mobile SCA strategy, but additionally a browser-based one that makes digital channel adoption and onboarding as seamless as possible.

The good news is that while web-based SCA could introduce significant customer friction and failure, it also represents an opportunity. After researching the usage patterns of its customer base, the major UK bank I mentioned turned to ThreatMetrix to adapt its Strong Device ID SCA solution to the browser-based web environment. Our public-key-cryptography-based solution complies with the bank’s chosen customer experience appetite, as well as the SCA requirements of PSD2, and is now in active deployment.

Key Considerations

Institutions should keep some key considerations in mind. The first is selecting a provider with proven success in the deployment of digital identity-based SCA across numerous industries and use cases.

The second is a strong focus on user adoption and user experience. ThreatMetrix has extensive experience in working through the complete user journey, ensuring that leading-edge capability can be easily adopted, is focused on the customer experience, and meets the diverse needs of a modern, multi-device, multi-channel financial services customer.

Next, institutions should work with their legal/compliance department to develop an effective relationship that manages risk and customer experience as well as legal compliance, and should clearly communicate their business and legal requirements to technology providers. It’s ill-advised to rely on solution vendors for legal counsel.

Lastly, get going. UK banks are likely to begin testing full user journeys with their customers from spring onwards. Considering the shock to the system that PSD2 and its SCA mandate may have in store for customers, the more you can test and refine your solution before September 14, the smoother things will go when it matters most.

To learn more about PSD2 and its implications and impact on payments, commerce and banking within the EU and beyond, download this white paper, PSD2: Revolutionizing the Payments Landscape.

Mike Nathan

Senior Director - Solutions Consulting EMEA , ThreatMetrix