From September 14, new European Union (EU) rules will start to apply that affect how banks and payment service providers verify their customers' identity and validate specific payment instructions. The new rules, called Strong Customer Authentication (SCA), are intended to make payments more secure and to limit fraud during the authentication process.
The UK financial regulator, the FCA, has agreed an 18-month delay in SCA for the e-commerce sector: card issuers, payment firms and online retailers. The FCA points to the recent opinion of the European Banking Authority (EBA), which set out that more time was needed to implement SCA given the complexity, a lack of preparedness and the potential for a significant impact on consumers.
Jonathan Davidson, Executive Director for Supervision – Retail and Authorisations, said: “The FCA has been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments is not a fraudster. While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves; so we have agreed a phased plan for their timely introduction.”
The FCA says that it will not take enforcement action against firms if they do not meet the relevant requirements for SCA from September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. At the end of the 18 months, the FCA expects all firms to have made the changes and undertaken the required testing to apply SCA.
Jason Tooley, Chief Revenue Officer at Veridium, an authentication product company, says: “It is disappointing to see such resistance from the financial services sector towards integrating Strong Customer Authentication into its services. Financial institutions and payment service providers have had nearly two years to prepare since the initial announcement, and there is no valid excuse for the delay in its enforcement apart from an unwillingness to participate. It would be interesting to understand the prioritisation of PSD2 Strong Customer Authentication as I’m aware that a number of financial services organisations viewed this as a business differentiator.”
“Whilst it is true that consumers will see minor changes to their day-to-day spending, the additional layer of security on higher value payments will enable consumers to benefit from safer and more innovative electronic payment services. The impact on consumers must not be overlooked by the lengthy delay in enforcement; Strong Customer Authentication will mean consumers are more confident when buying online – not act as a deterrent to sales as some have incorrectly suggested.
“There are technologies in the market which have the potential to alleviate the challenges posed by the regulation. True multi-factor authentication solutions can facilitate financial services institutions enhancing consumer confidence and creating a secure experience whilst ensuring the customer has a frictionless user journey. Basing the digital authentication process on combining the customer’s own technology with an open biometric approach and true step-up intelligence will allow financial institutions to meet the regulatory requirements sooner rather than later.”
And Nabeel Saeed, Senior Product Marketing Manager for account security products at API-based communications platform Twilio, said: “The extra steps PSD2 adds to the shopping experience could be viewed as a negative side effect of regulation. However, proper compliance with PSD2 is critical to ensuring the continued growth of online and mobile commerce. The retailers that ‘win’ in this respect will be the ones that preserve a seamless customer experience via new technology that best balances security and compliance with scale and user experience. With the breathing room now given by the FCA, retailers should carefully consider authentication methods and should seek out one which will least disrupt the customer experience (while still making them PSD2 compliant).
“Mobile phones are already an integral part of the online customer journey and strong customer authentication doesn’t need to be a clunky, disruptive addition to the customer experience. In the financial space, where fraud and cyber attacks have been front and centre for many years now, companies have already been looking at authentication methods and have generally settled on mobile app-based push-authentication as the best means of doing so. This is because, unlike other forms of 2FA, it only requires a single touch from the user to approve or deny a transaction and can be done in a company’s existing application. Using APIs, retail businesses can follow their financial services counterparts by making PSD2-compliant additions to their current model, improving security without negatively impacting the customer experience.”