Robert Tharle, fraud & authentication SME at NICE Actimize, a provider of real-time fraud prevention, AML and risk management solutions, breaks down the impending September 14 compliance deadline for strong customer authentication (SCA) and PSD2.
For further reading, refer to Tharle’s previous two-part blog series covering the threats of PSD2 and further actions ahead of the September 14 deadline.
Ever since the EBA’s clarification statement back in June, changes were viewed as likely, with the FCA (and the Central Bank of Ireland) now having made two statements on the September compliance dates. The high-level view of these changes includes the following delays:
- 18-month delay to Strong Customer Authentication (SCA) for e-commerce
- 6-month delay to enforcement around the continued use of screen scraping by TPPs and the lack of fallback interfaces at banks.
It’s worth stating at this point what the SCA compliance ruling is comprised of. First, SCA requires at least two authentication factors, drawn from a possible three, when undertaking transactions. The three types of factor are something you know (e.g. a password), something you have (e.g. a device) and something you are (e.g. a biometric). Importantly, the EBA’s latest guidance clarifies that the card data itself cannot be used as the knowledge factor, and that an OTP, say via SMS, is acting as a proxy for possession of the phone (number).
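The two-from-three rule, with the two caveats just mentioned, can be expressed as a small decision function. The following is an added example (not code from the original post or from NICE Actimize); the element names and the mapping of each element to a factor category are assumptions for illustration, not any scheme's rulebook.

```python
"""Check whether presented authentication elements satisfy the SCA two-factor rule.

Added example. Element names and their factor categorisation are assumptions.
"""
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Card data never counts as a factor: per the EBA clarification, the PAN, expiry
# and CVV are not "something you know".
CARD_DATA = {"pan", "expiry_date", "cvv", "cardholder_name"}

# Constructed mapping of element type -> factor category (assumption).
ELEMENT_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "memorable_answer": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,      # proxy for possession of the phone number
    "app_push": Factor.POSSESSION,     # registered device
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def classify(elements):
    """Return the set of distinct factor categories covered by `elements`.

    Card data and unknown element types are ignored rather than counted.
    """
    factors = set()
    for element in elements:
        if element in CARD_DATA:
            continue
        factor = ELEMENT_FACTOR.get(element)
        if factor is not None:
            factors.add(factor)
    return factors


def satisfies_sca(elements):
    """True when at least two *distinct* categories are present."""
    return len(classify(elements)) >= 2


def explain(elements):
    """Human-readable verdict, useful when tuning an authentication journey."""
    covered = classify(elements)
    ignored = sorted(e for e in elements if e in CARD_DATA)
    if len(covered) >= 2:
        return "SCA satisfied: " + ", ".join(sorted(f.value for f in covered))
    note = f" (card data ignored: {', '.join(ignored)})" if ignored else ""
    return f"SCA NOT satisfied: only {len(covered)} category covered{note}"


if __name__ == "__main__":
    print(explain(["pan", "cvv", "sms_otp"]))       # card data + OTP: one category only
    print(explain(["password", "sms_otp"]))         # knowledge + possession: OK
    print(explain(["pin", "password"]))             # two knowledge elements: one category
```

Note that two elements of the same category (a PIN plus a password) do not satisfy the rule, and that a card-data-plus-OTP journey, common on e-commerce today, yields only the possession factor.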
What does this requirement mean in practice to a financial institution?
The FCA no longer requires SCA to be in place from September for e-commerce transactions. This change covers not only cards used on the internet to buy something but also remote recurring card payments. It provides enough time for solutions such as 3DS 2.2 and Secure Remote Commerce from EMVCo to be rolled out effectively. Importantly, it also gives the opportunity for an industry-led communications programme, similar to ‘I love Chip & PIN’, to be rolled out to boost education on the changes.
Whilst this delays enforcement for 18 months, it does not mean that all changes to authentication are delayed for that long. UK Finance’s proposed managed rollout suggests the following evolutionary timeline:
- From February 2020 issuers will begin to undertake step-up authentication using risk-based authentication (RBA) and One Time Passcodes (OTPs), where this can be supported.
- In March 2020, issuers should be able to support 3DS2.1/2 and test with supporting merchants. This will continue to be rolled out with merchants over the coming months as 3DS2.1/2 becomes more widespread, supported by communications.
- From March 2021, full enforcement will come into place, with transactions being declined where there is no SCA or relevant exemption. At this point SCA solutions will have matured to support biometrics and mobile app-based methods of SCA. However, as not all customers will have smartphones, a backup of behavioural biometrics (something you know) and an OTP (a proxy for something you have) will be needed for those without smartphones.
There will also be some leniency for the next six months for SCA relating to some Open API transactions. The Open APIs must be supported, but where a bank did not have them available by 14th June 2019, TPPs will be able to continue screen scraping, provided they do not hide their identity. Importantly, SCA will not be required here.
This means that there are quite a few elements of PSD2 that are still required to be in place for September 14th.
Firstly, SCA will still be required for remote banking transactions where an exemption does not apply. This covers both online and mobile banking. With one UK bank trialling voice banking via Google Home, this would also be covered. Given it is only balances, this will only need to be every 90 days.
It will also still be required for contactless card transactions over €30, and cumulatively over €150 or after 5 transactions. Xpay will not require additional authentication, and those in the biometric card pilot will also be able to authenticate without a PIN whilst using the contactless interface.
Perhaps more importantly, all PSPs, which include PISPs, must have fraud profiling that meets Article 2 of the RTS. While Article 2 does not specify this as needing to be real time, the FCA’s guidance is that they expect it to be. If you are processing real-time payments, then not having real-time profiling is going to cost you dearly, as fraudsters punish those without such capabilities. This profiling should also cover transactions (monetary and non-monetary) made via TPPs and include AISP as well as PISP transactions.
In the case of remote banking, if the Transaction Risk Analysis Exemption (TRA) is to be used then the fraud profiling needs to be more sophisticated. Such a fraud profiling solution should provide entity-based profiles, so this can cover TPPs, merchants, beneficiaries as well as your own customers. Understanding the normal behaviour for each of these entities and their relationships together is key for preventing fraud and reducing false positives.
A fraud management solution should also be able to take additional data sources, such as device, location, behavioural biometric and malware detection data into account, enriching the underlying data.
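To make the entity-based profiling described in the last two paragraphs concrete, here is a toy real-time profiler, added as an illustration and not code from NICE Actimize or any vendor. Each entity a payment touches (customer, beneficiary, TPP) keeps its own running amount statistics, and the customer-to-beneficiary relationship is tracked separately so that a first payment to a new beneficiary is flagged even when the amount looks normal. The transaction history and field names are constructed for the example.

```python
"""Toy entity-based, real-time fraud profiler.

Added example. Entities are keyed by (type, id); each keeps Welford running
statistics so a score can be produced before the payment is released and the
profile updated afterwards in O(1). Sample data is constructed.
"""
import math
from collections import defaultdict


class RunningStats:
    """Online mean / sample standard deviation (Welford's algorithm)."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x):
        # Too little history, or no variance, means we cannot judge the amount.
        if self.n < 3 or self.std == 0.0:
            return 0.0
        return (x - self.mean) / self.std


class EntityProfiler:
    Z_THRESHOLD = 3.0          # amount more than 3 sigma above the entity's normal
    NEW_BENEFICIARY_WEIGHT = 2.0

    def __init__(self):
        self.amount_stats = defaultdict(RunningStats)   # (entity_type, id) -> stats
        self.relationships = defaultdict(set)           # customer -> beneficiaries seen

    @staticmethod
    def _entity_keys(txn):
        keys = [("customer", txn["customer"]), ("beneficiary", txn["beneficiary"])]
        if txn.get("tpp"):
            keys.append(("tpp", txn["tpp"]))   # PISP-initiated payments profile the TPP too
        return keys

    def score(self, txn):
        """Score a transaction against every entity it touches; does NOT update profiles."""
        score, reasons = 0.0, []
        for key in self._entity_keys(txn):
            z = self.amount_stats[key].zscore(txn["amount"])
            if z > self.Z_THRESHOLD:
                score += z
                reasons.append(f"{key[0]}:{key[1]} amount z={z:.1f}")
        if txn["beneficiary"] not in self.relationships[txn["customer"]]:
            score += self.NEW_BENEFICIARY_WEIGHT
            reasons.append("new beneficiary for customer")
        return score, reasons

    def update(self, txn):
        """Fold a completed transaction into the profiles (call after the decision)."""
        for key in self._entity_keys(txn):
            self.amount_stats[key].update(txn["amount"])
        self.relationships[txn["customer"]].add(txn["beneficiary"])


def build_sample_profiler():
    """Constructed history: customer C1 pays beneficiary B1 small amounts via TPP-A."""
    profiler = EntityProfiler()
    for amount in (20.0, 25.0, 22.0, 18.0, 24.0):
        profiler.update({"customer": "C1", "beneficiary": "B1", "tpp": "TPP-A", "amount": amount})
    return profiler


if __name__ == "__main__":
    p = build_sample_profiler()
    print(p.score({"customer": "C1", "beneficiary": "B1", "tpp": "TPP-A", "amount": 2000.0}))
    print(p.score({"customer": "C1", "beneficiary": "B2", "tpp": "TPP-A", "amount": 20.0}))
```

Keeping `score` and `update` separate is what makes the profiling real time: the decision is made on the profile as it stood before the payment, and the profile is only advanced once the payment is accepted, so a blocked fraudulent payment never teaches the model that the amount was normal.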
Lastly, the new fraud reporting regime is underway, and is still required to be adhered to.
As ever, there will be unintended consequences to such a delay. The most likely is that it adds to an already confusing picture for consumers about what the authentication steps should be. This means that an increase in social engineering is almost inevitable. Getting key communications to customers about what to do and not to do over the next few weeks will be key.
This delay needs to be put to good use, so that well thought out fraud prevention and authentication systems can be designed, built and be in place ahead of March 2021.