SCA. Or why your finance apps are driving you mad
In her latest column for Forbes, 11:FS Head of Research Sarah Kocianski examines the new set of authentication requirements and asks if consumers and their bank are prepared.
If you use a European bank or fintech, you’ve probably received an influx of emails and notifications recently from your financial services providers informing you of changes to their authentication processes. This is the result of the Strong Customer Authentication (SCA) requirement, which was implemented on 14th September.
To briefly explain (hopefully without getting lost in the convoluted world of financial regulation), SCA is part of the EU’s PSD2 regulation and has been written into law by all EU countries.
It requires two independent authentication elements that must be used to verify certain types of payments including those made online and with contactless cards. This applies where both payer and payee are in the region.
Businesses must ask customers for any two of the following:
- A knowledge element (something only the user knows, e.g. a password)
- A possession element (something only the user possesses, e.g. their smartphone)
- An inherence element (something the user is, e.g. a fingerprint)
The regulation aims to tackle rising payment fraud rates. Transactions that don’t meet these new authentication requirements or qualify for any exemption may be declined from 14th September onward.
At least, that was the plan.
The industry has struggled to get its act together to the point where the European Banking Authority (EBA) has allowed an extension for firms to implement SCA. In the UK, that period is 18 months.
What has actually happened?
The introduction of SCA has been surrounded by confusion and misinformation. UK outlets reported that after making five contactless payments, a customer would be required to enter their PIN or have their transaction refused. While this is some payment service providers’ (PSPs) interpretation of the rules, it’s not a requirement.
The flaws in other banks’ implementation became apparent when it was revealed that customers could only use a smartphone to provide a second authentication factor. That was somewhat limiting for those who didn’t own a device, leaving them largely unable to make online purchases.
There had also been widespread fears – which have not yet proven to be true – that SCA would cause significant damage to the e-commerce industry. That said, SCA is far from fully rolled out, so we could still see this happen.
What we have seen is a number of creative and very different interpretations of SCA from across the finance and payments industry.
The regularity of re-authentication being required
In relation to contactless payments, some PSPs have decided to require re-authentication after a set number of transactions; others have decided instead they will make the user take action after a certain value of transactions has been made (e.g. Monzo); a third group will work on the basis of whichever limit is reached first (e.g. Starling).
The first time most customers will know about the implementation of SCA is when their card is declined for seemingly no reason. All these approaches are compliant with the rules, but you can see how customer confusion and frustration might occur.
It’s worth pointing out at this stage that Apple and Google Pay are exempt from the requirements in most cases because they require the use of biometric authentication or a screen lock in order to activate them in the first place.
When it comes to online payments, things are equally murky for many shoppers. The same rules apply regarding authentication: card issuers are responsible for ensuring regulations are followed, but they have to be embedded in the merchant’s payment flow.
3D secure – where you get a pop up after you enter your card details and you have to enter a PIN, password or code – is widely used used to authenticate online purchases. However, pre-SCA this was only the case when the purchase was judged by the issuer to pose a high risk.
Now, as SCA rolls out in full, the use of 3D secure will become the norm rather than the exception. The ways in which customers complete the authentication may also change. Rather than entering a password to approve a transaction, for example, you may now receive a notification requesting you use biometrics on your phone.
The fear is that the combination of having to provide additional authentication almost every time you make an online purchase, alongside getting used to new methods of proving identity, will lead to frustrated shoppers who give up rather than completing their purchase, damaging the merchant’s sales. This has yet to happen, but it’s one of the main reasons the EBA has delayed enforcing the SCA rules.
As if that wasn’t enough disruption, some providers (largely banks) must now change the way their customers log in to online accounts or apps. Typically, you can make payments to companies and other people from within your online account or app without additional authentication if you have sent them money before.
The problem is that many providers don’t require multiple factors of authentication to log in, meaning these payments are not SCA compliant. For example, if your bank only asks for your user name and a password or memorable data, those are each the same type of factor (something you know).
If your bank hasn’t sent you a message saying it’s changing the way you log in, that’s almost certainly because it already has an SCA-compliant login method in place. Most digital-only banks allow access on only one phone (possession), meaning that any other factor they ask for, such as a fingerprint or a PIN, is a second factor.
What is the best approach?
The “best” approach will depend on each customer’s individual preferences and spending habits. Yet most PSPs are not in a position to tailor SCA requirements on a customer-by-customer basis.
What’s certain is that the variation in the circumstances under which customers are asked to re-authenticate is sure to result in customer confusion. That’s especially true given that most European consumers are multi-banked – their remembering different requirements for different payment methods is unlikely to ever happen.
In the meantime, the best most PSPs can do is to ensure their authentication method(s) enable the most frictionless and intuitive customer journey as possible. More on that in Part 2.