Strong Customer Authentication Exemptions Can Help Your Customer Experience
This must be the most popular word regarding implementation of all the requirements from the revised Payment Services Directive (PSD2).
We’ve heard all about it: resources dedicated to adjusting the technology to the legal requirements; difficulty navigating the realm of rules included in the directive and technical standards; concerns about not being able to meet deadlines set by regulators; concerns about the potential impact on customer experience and consequently, the business.
This last challenge has led to many interesting conversations. PSD2 certainly has an impact on customer experience due to the requirements for secure authentication and transaction authorization. To meet these requirements, financial institutions (FIs) need to apply Strong Customer Authentication (SCA) by default for a multitude of user actions in remote channels. Depending on how it is implemented, this can add friction to the user experience, which in turn can lead to customer abandonment.
Facing the deadlines for SCA implementation, some FIs may have initially focused on compliance, postponing the customer experience conversation. This conversation is now gaining in importance as FIs look for improvements to the user journey – namely, to limit friction to the necessary minimum. In this blog, we look at the role SCA exemptions can play.
Positive Customer Experience
First, let’s define what a positive customer experience means. The digital banking channels cannot be compared to the in-branch experience. Instead, FIs compete with other players in the digital space: retail platforms, social media giants, neobanks, fintech startups, etc. Part of the challenge for FIs is the need to rapidly develop expertise in the realm of mobile apps: reducing the number of clicks, rethinking the user flows, or finding new ways to engage with the customer.
Financial institutions understand that customers have a low tolerance for friction. Attracting and retaining customers means offering a seamless and intuitive digital experience, including a streamlined authentication process. A customer going through the payment flow should only experience an authentication challenge when the risk is above a certain threshold. In many cases, like high-value money transfers, authentication challenges build the customer’s confidence that protective security measures are in place. However, in the case of routine low-value operations, being asked for multi-factor authentication (MFA) can become frustrating.
Time and ease-of-use matter more than ever. Overcomplicated and rigid authentication flows build frustration – especially as the mobile channel becomes an essential part of the banking experience. In many regions, mobile banking already is. According to Forrester in The State of Digital Banking, 2021, 68% of UK online adults use their phone at least monthly for banking, while in Asia, “mobile banking is the most popular banking touchpoint.”
PSD2, with its strict requirements around SCA and transaction security, arrived like a revolution for financial services and in particular, e-commerce and payments. While improving security, it was obvious from the beginning that it would affect the customer experience, adding extra steps and checks to the payment flow. The concern is that, overall, these requirements would lead to an increase in transaction abandonment and customer churn.
To understand the impact of PSD2, let’s have a quick refresher on the most significant changes for consumers. First, the revised Payment Services Directive gives people insight into their financial data by enabling secure information sharing between FIs. By setting the ground for Open Banking, it enables exchange of data between different banking operators, which means that, in some cases, consumers can manage all their bank accounts from one mobile app. This is a terrific move towards a better banking experience.
Second, PSD2 establishes certain security standards to protect online financial interactions. Among others, SCA was introduced in PSD2’s Regulatory Technical Standards (RTS) to enhance payments security and reduce fraud. It requires FIs to authenticate customers by using at least two mutually independent authentication factors. This raises the bar for fraudsters: even if they manage to hack the password, they will still need to figure out the other factor, which decreases the chance of fraud.
Strong Customer Authentication Exemptions
SCA is mandatory for most online payment methods across the European Economic Area. It can be a challenge since it introduces more steps into certain authentication scenarios. While it is too early to assess the impact (the deadline for full-scope implementation of SCA was 31 December 2020), one study estimates that Europe’s e-commerce business might lose €57 billion in the first year after SCA enforcement due to added friction at checkout.
On the other hand, merchants who do not follow the SCA requirements will experience serious issues, too, since banks will have to decline such transactions. According to the recent update from CMSPI, nearly €89 billion in retail is “at risk of transactions failing, technical errors occurring, and ultimately good customers being forced to cancel their purchases.”
Does this mean that FIs and merchants are obliged to build SCA into all scenarios? Do consumers always need to go through multi-step authentication (like entering the PIN when buying a coffee)? Luckily not.
Chapter III of the Regulatory Technical Standards introduces the magic word: SCA exemptions. These exemptions were created to compensate for the expected negative impact on the rate of successfully processed transactions. In general, certain criteria apply in order for an exemption from SCA to be allowed. While transaction monitoring is mandatory for all of them, eligibility for certain exemption cases is subject to applying increased fraud monitoring and reporting.
Examples of exemption use cases include:
- Recurring transactions: These can be exempted from SCA if the value, the recipient, and the recurring cycle are the same, like in the case of subscriptions.
- Low-value transactions: An exemption can be applied to a certain number of low-value (less than €30) transactions, or contactless transactions such as those at parking terminals.
- Trusted beneficiaries (payees): This is interesting for online banking, when the customer safe-lists a specific recipient. It is also interesting for e-commerce, if the customer, after authenticating their payment, requests the issuing bank to mark a specific merchant as trusted. In such a case, SCA will not be mandatory for later transactions if the bank agrees to apply this exemption.
- Low-risk transactions: Another example is low-risk transactions, with the “low-risk” label determined by the bank based on a real-time transaction risk analysis of multiple data points (like the spending pattern, abnormal location of the payer, and more). This exemption is the trickiest since it requires extra analysis, in addition to the general transaction monitoring requirements. For example:
  - The fraud rate must be equivalent to or below the reference fraud rate.
  - The amount of the transaction cannot exceed the Exemption Threshold Value.
  - The Transaction Risk Analysis (TRA) standards have been met, meaning that the real-time TRA should be able to identify the following factors: abnormal spending or behavior, device and software access, malware or known fraud scenarios, abnormal location of the payer, and the payee location’s level of risk.
A detailed description of the requirements, together with the features of a fraud monitoring system that can help meet these requirements, is available in our white paper: Enabling PSD2-Compliant Fraud Monitoring.
Improving Security & the Customer Experience through SCA Exemptions
Successfully applying SCA exemptions to flexible, adaptive authentication flows is one of the solutions to reducing friction and solving the customer experience challenge. In reading through the list of exemptions, you will notice they are all based on data analysis, even though the range of data differs from one exemption case to another.
It is important to take the following into consideration when planning exemption-based flows:
- Sufficient quality data: Digital channels equip fraud analyst teams with a powerful weapon: data. This ranges from data collected from the user’s device to contextual data regarding the user and their account (including historical actions and spending patterns). The purpose is to create a complete and accurate picture of the context around the transaction.
  A certain scope of transaction monitoring is mandatory for all payments (according to Article 2 of the RTS). That is why, when collecting data, FIs cannot look only at the scope listed under a specific exemption. They need data in order to be able to evaluate the fraud risk of a transaction at any point in time.
- Reliable data analysis: A reliable fraud monitoring solution is necessary for all transactions, both exempted and not. Ideally, to provide correct output, it will combine business- and risk-driven policies powered by a rules engine and machine learning. For example, in the case of the “trusted beneficiary” exemption, a fraud monitoring system will not only link the trust level of the recipient with the SCA requirements associated with it. Through machine learning, it should also evaluate the risk level of each transaction, even for “trusted” payees. The bank will be notified in real time if the level of risk associated with a transaction to a certain recipient changes.
- Proper actions and workflows based on the results of the analysis: Data collection and analysis provides a result, which can be incorporated in advanced, flexible authentication workflows. The transaction will be released if its risk level is sufficiently low. Exemptions from SCA can be included in these flexible workflows, with the risk engine constantly analyzing data in the background in real time. This process does not delay the execution of the transaction. Plus, it benefits the customer experience in other ways. If the criteria for the exemption are met, the customer will go through the process in the blink of an eye. If the anti-fraud engine flags a transaction with a risk score exceeding a defined threshold, a different workflow will be applied, stepping up the authentication challenge so it is commensurate with the risk.
- Reporting: Reporting on fraud rates is a requirement for risk-based exemptions. Therefore, it is essential to implement a comprehensive reporting tool that detects both an increased transaction risk level and the need to change the exemption policy. Ideally, such a tool includes a set of pre-defined report templates that cover the RTS requirements and the guidelines on fraud reporting under PSD2.
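The exemption checks listed earlier and the step-up workflow described above, sketched as an added example (not OneSpan's code and not part of the original post). The class and field names, the score thresholds, the cap on consecutive low-value payments, and the sample fraud rates and threshold value are all assumptions; only the €30 low-value limit comes from the text.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT_EUR = 30.0   # "less than €30", from the exemption list above
MAX_LOW_VALUE_STREAK = 5     # assumption: cap on consecutive exempted low-value payments
STEP_UP_SCORE = 0.7          # assumption: above this score SCA is always applied
TRA_LOW_RISK_SCORE = 0.2     # assumption: at or below this score TRA rates it low-risk

@dataclass
class Payment:
    amount_eur: float
    payee: str
    risk_score: float              # 0..1, from real-time monitoring of every payment
    recurring_match: bool = False  # same value, recipient and cycle as before
    low_value_streak: int = 0      # exempted low-value payments since the last SCA

@dataclass
class IssuerPolicy:
    trusted_payees: frozenset
    fraud_rate: float               # measured fraud rate
    reference_fraud_rate: float
    exemption_threshold_eur: float  # Exemption Threshold Value

def decide(p: Payment, policy: IssuerPolicy) -> tuple:
    """Return ("EXEMPT" | "SCA", reason) for one payment."""
    # Risk is scored even for recurring or trusted payees; high risk wins.
    if p.risk_score > STEP_UP_SCORE:
        return ("SCA", "risk above step-up threshold")
    if p.recurring_match:
        return ("EXEMPT", "recurring")
    if p.amount_eur < LOW_VALUE_LIMIT_EUR and p.low_value_streak < MAX_LOW_VALUE_STREAK:
        return ("EXEMPT", "low-value")
    if p.payee in policy.trusted_payees:
        return ("EXEMPT", "trusted beneficiary")
    if (policy.fraud_rate <= policy.reference_fraud_rate
            and p.amount_eur <= policy.exemption_threshold_eur
            and p.risk_score <= TRA_LOW_RISK_SCORE):
        return ("EXEMPT", "low-risk (TRA)")
    return ("SCA", "no exemption applies")

# Constructed sample policy and payments (values are illustrative, not from the RTS).
POLICY = IssuerPolicy(frozenset({"ACME-UTILITIES"}), 0.0005, 0.0006, 250.0)
SAMPLES = [
    Payment(12.0, "CAFE", 0.10),
    Payment(12.0, "CAFE", 0.40, low_value_streak=5),
    Payment(400.0, "ACME-UTILITIES", 0.10),
    Payment(400.0, "ACME-UTILITIES", 0.90),
    Payment(200.0, "WEBSHOP", 0.15),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.payee, s.amount_eur, decide(s, POLICY))
```

The fourth sample shows a trusted payee still being stepped up to SCA when the monitoring score is high, and a measured fraud rate above the reference rate switches the TRA branch off entirely.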
While we have yet to see how Strong Customer Authentication will change the world of payments, we expect more FIs and e-commerce merchants to implement flexible, intelligent authentication workflows that guide the customer through the transaction in a seamless way.
As the trusted security partner to the world’s leading banks, OneSpan provides expert industry and technical guidance for PSD2 SCA compliance. We help FIs understand the value of adaptive authentication solutions based on risk analysis, which help with PSD2 compliance while removing friction from the customer experience.