Strong Customer Authentication (SCA) has come into force in the UK today, almost a year after its original deadline passed.
SCA was originally meant to be implemented in March 2021 but was delayed due to the effects of the pandemic. It was then reset for 14 September 2021, however this was also delayed, with 14 March 2022 set as the final date. According to FCA, this further six-month extension was to ensure minimal disruption to merchants and consumers.
The regulation is a new requirement of the second EU Payment Services Directive that aims to add further layers of security to electronic payments. It will mandate banks to perform further checks when consumers make payments to confirm their identity.
Trulioo SVP, Identity Solutions, Garient Evans believes that instead of representing a weakness, the delays of the SCA’s implementation represent the regulation’s complex and nuanced nature.
He said, “Before its planned roll out, the FCA announced an 18-month delay after industry stakeholders expressed concerns about readiness and the implications for both e-commerce merchants and consumers. The pandemic also prompted the FCA to further delay enforcement of SCA compliance.
“I wouldn’t characterise this as a deficiency, rather, it speaks to the complex and nuanced nature of firstly, introducing regulations that are aimed at mitigating fraud and financial crime and secondly, how organisations looking to satisfy these requirements need time to develop compliance programs and systems that establish trust with consumers.”
Since the onset of the pandemic, the rates of financial crime have shot up massively. This has led to many businesses and consumers scrambling for better ways to protect their financial security. Does the SCA regulation represent a potentially vital method for payment in this respect?
Evans remarked, “As digital transactions surged because of pandemic lockdowns, so did fraud. This shift to a cashless society prompted bad actors to seek out new avenues and ways to facilitate fraudulent activities. The extra layer of security that the SCA will provide is poised to benefit legitimate consumers while shutting fraudsters out. However, organisations need to ensure they are carrying out the authentication in a secure way, and in a manner that doesn’t compromise a positive user experience.”
The risk of SCA become a hindrance in the payment process is a worry that may be well founded in the eyes of some companies. Neil Smith – head of strategic partnerships and business development at fraud prevention firm Forter – believes that while the SCA can benefit payment security, it could potentially negatively impact the customer experience at a key time when customer authentication is becoming more key.
He said, “SCA creates a lot of friction for consumers, as it forces them to perform an additional layer of verification – for example, the use of one-time passwords. My belief is that as an industry we should be driving towards the use of behavioural science for identity verification rather than interrupting the customer journey and creating friction for users which costs merchants dearly.”
Are there any roadblocks to the uptake of SCA in the UK? According to Evans, this additional regulation may pose challenges for ecommerce merchants and platforms that worry this additional step of authentication can cause undue friction for a user, prompting them to abandon their cart or cancel their purchase.
“That’s why it’s important that merchants carefully optimise the customer journey and choose technologies that offer secure yet simple forms of authentication, for example, we are widely accustomed to providing biometric information to unlock our smartphones. Creating experiences that are safe, compliant and convenient will be the biggest roadblocks for UK merchants and platforms.”
In the eyes of Smith, one of the key challenges to the uptake of SCA is the ability for merchants to find the time and resources to optimise their implementation of SCA in order to reduce friction and minimise revenue loss.
While the SCA implementation has not been delayed again, Evans stated that it was definitely possible that the industry could see changes made to SCA measures as its implemented industry-wide, “Like many anti-money laundering laws and regulations, there are continuous updates that need to reflect changes in consumer behaviours, fraud threats and advancements in technologies.”
Pros and cons?
The introduction of SCA comes at a time where fraud is on the up, with financial criminals regularly finding new ways to crack their way into people’s bank accounts. The new regulation, however, is not a be-all-and-end-all for payment security, with not any companies viewing the new regulation as the answer to all of the problems in payment security.
Signifyd MD EMEA Ed Whitehead commented, “The new payments regulation, is a once-in-a-generation change with the potential to massively disrupt an enterprise or to push an enterprise ahead of its competitors when it comes to customer experience.
“But while SCA itself will be a vital pillar of protection for merchants and consumers alike, there is more to fraud and more to fraud protection than simply deploying an SCA solution. It is not, as some have mistakenly assumed, the only fraud solution a merchant will ever need, and one only need to look to the European countries where enforcement has begun in order to understand the limits of SCA’s fraud protection.
“Many transactions are not subject to SCA. Whilst this is a saving grace for merchants who are worried about online customer experience, it means they will still be vulnerable to fraudsters who will inevitably target the transactions which are exempt from this added SCA layer. Merchants should also consider the fact that a low-fraud rate will be vital for providing a top-notch customer experience once SCA is enforced and this is only possible by ensuring they have the most robust defences in place.”
Whitehead underlined that fraud rates and risks can vary by retailer and even by retail vertical. However, as the SCA rolls out across Europe and becomes enforced in the UK, he remarked that it is clear the new regulation is not a complete silver-bullet fraud solution and merchants will need to consider other fraud solutions to shield their companies and maintain excellent online customer experience.
Are banks ready?
One of the crunch questions ahead of the regulation’s implementation is undoubtedly whether banks are ready for its introduction. Adam McElroy, director of cybersecurity at KPMG UK stated, “Banks have been preparing for a successful launch of SCA since September 2019. Ahead of the next deadline on the 14th, many financial service providers are now updating their consumer applications and finalising communications to both commercial clients and customers – therefore, we should expect them to be ready to step-up their authentication measures when the deadline arrives.”
McElroy remarked that he hoped all payment processor banks have made a ‘successful and seamless transition to SCA’ and will continue to improve consumer confidence in the digital economy.
He continued, “Recently, financial institutions have been faced with rising fraud rates as well as an intense period of change and uncertainty which has cast doubt in the eyes of the consumer in banks’ ability to keep their assets safe and support them through times of need. But this new added layer of security will put more ownership in the hands of the consumer in terms of sharing their personal verification information, helping to restore that all important trust factor.`
“Facilitated through Open Banking, banks are now at the heart of the digital economy – strengthening the connection between a bank and their customers through SCA should engender deeper trust and revitalise people’s confidence in modern banking.”
Will there be uptake?
A key risk that has been considered with the introduction of SCA is whether all companies are ready to start making their payments secure through SCA. Research from payment platform Ayden has found that 44% of UK firms still don’t have a solution in place as the SCA comes into power.
According to Ayden UK managing director Colin Neil, this creates a major hurdle for those firms, “Not only do they (companies) risk falling foul of regulators, they may also find their customer experience suffers. One of the concerns brands had about this legislation was that the additional authentication process would harm their conversion rates.
“SCA may seem like an inconvenience in the short term, but in the longer term it will be a vital tool for businesses to manage risk and reduce fraudulent transactions. It will also demonstrate a commitment to consumer security which will help build trust and strengthen loyalty.”
Copyright © 2022 RegTech Analyst
Copyright © 2018 RegTech Analyst