SCA exemption: the perfect storm for machine learning

By Peter Caiazzi, Senior Vice President of Product Development, TAS Group

8 October 2018

The payments community is well used to the abundance of acronyms that has become its legislation of late, but less so to the grey overlaps between various directives and standards - least of all Strong Customer Authentication (SCA) within the online and e-commerce payment experience.

But Payment Service Providers (PSPs) are increasingly finding themselves in quite a predicament, as high customer expectation drives a seamless payment experience while also demanding additional security; all this in the face of ever more sophisticated Authorised Push Payment (APP) fraud.

The Financial Conduct Authority (FCA) and European Banking Authority (EBA) – through PSD2 – have both been vocal about the new SCA measures required of PSPs, most recently highlighted by the Financial Ombudsman Service.

The solution? The fight against fraud has also matured emerging technologies and thrust them into the legislator’s limelight as solutions to the seamless UX/strong authentication paradox.

Notably, firms like TAS Group have been investing in machine learning and neural networks to apply artificial intelligence (AI) to learn from each payment iteration or sequence to paint a picture of what ‘normal behaviour’ looks like for each customer. With normal behaviour accounted for, PSPs can dedicate resources to flagging abnormalities, thereby making the fight against fraud far more cost effective and bumping up the demand for machine learning solutions at the same time.

Following industry appeal, and particularly complementary to the concept of machine learning techniques, regulators have accepted that risk analysis parameters can be applied to make fraud monitoring more effective and efficient. They have been forthcoming in providing guidance on how to determine which transactions can be exempt from SCA; namely the EBA’s Transaction Risk Analysis (TRA) and EMVCo’s Risk Based Authentication (RBA).

Transaction-Risk Analysis (TRA)
By: European Banking Authority
Where: EBA’s Regulatory Technical Standards (RTS) on SCA and Common and Secure Communication (CSC) in the scope of PSD2. Section 2.2.2 of the final report.
What is TRA? TRA must be applied to allow exemption from SCA for a remote electronic transaction when the PSP has sufficient real-time monitoring and reason to believe that the transaction exhibits normal behaviour (specified by predefined parameters) in order to provide evidence to auditors that the transaction was indeed ‘low risk’.


Risk Based Authentication (RBA) 
By: EMVCo, the card-network standards body, in conjunction with VISA, MasterCard et al.
Where: EMV 3-D Secure protocol 2.0 (subscription only)
What is RBA? RBA must be applied to allow exemption from SCA when real-time risk analysis determines a transaction to be low risk in remote card-not-present (CNP) situations, when checks and criteria are met. These criteria verify normal behaviour by ensuring the transaction is consistent with the usual IP address, browser, device, etc.


Both TRA and RBA aim to consolidate an improved anti-fraud function while ensuring that basket abandonment and customer service satisfaction remain central to any PSP.

In the case of the latter, it would appear that a risk-based approach to fraud monitoring is working. A recent VISA Europe case study performed over the last few years in the UK market found that there was an 85% reduction in checkout time, 70% reduction in payment abandonment and no increase in total fraud compared to previous SCA solutions.

The same report found that: “Visa observed that independently of the SCA method used (SMS, Password, Bank credentials, etc.) when customer intervention is requested the abandonment rate is between three to five times higher than when authentication happens frictionless via RBA.”

As similar as both exemption conditions sound, adhering to either TRA or RBA should not be an option. While there is clear overlap between the two, both are vital in the anti-fraud campaign, not only because they encourage a culture of good regulatory reporting but, crucially, because they enable PSPs to deliver the frictionless payment experience that customers want (and expect).


The perfect primordial soup for machine learning

Already an area receiving the hype that comes with every new technology, thanks to regulators and SCA exemption, machine learning may find itself quietly sliding into mainstream anti-fraud solutions long before it fulfils prophecies of generating high quality trading algorithms, genetic disease prevention or natural language processing.

While the theory behind the technology is nothing new, mainstream adoption has grown hand in hand with the availability of big data.

Industry demands as well as regulatory blessing have led to strong advocacy for conditions under which transactions can be made exempt from SCA, crucially keeping the payment experience seamless and in line with customer and market demand while simultaneously reducing false positives and the resources needed to monitor every transaction.

With fraud levels increasing as fraudsters adapt more quickly than the measures employed to stop them, machine learning has an opportunity to come into its own, relying on its own inherently adaptive qualities.

This environment creates something akin to the primordial soup for machine learning and perfect conditions for the emerging technology to flop onto land and become a mainstay in many a firm’s anti-fraud measures.
