“Technically easy” SCA implementation risks user irritation

By Alex Hamilton | 17 January 2019

Banks risk taking a “retrograde step” and irritating customers if they implement strong customer authentication (SCA) “in a technically easy, but not particularly consumer-friendly way,” according to Matt Cockayne, Envestnet Yodlee’s vice president for EMEA.

SCA, mandated by the second Payment Services Directive (PSD2), comes into force in September 2019 and requires a payment to be authenticated with two of three independent factors: something the customer knows (a password or security question), something they possess (a phone or hardware token), and something they are (a fingerprint or face ID).

To address these requirements, EMVCo, the body that maintains payment standards, has released version 2 of the 3-D Secure (3DS) protocol. Where the original 3DS redirects the user to a separate webpage to enter their details, 3DS2 has the merchant send around 100 data points to the issuer so that the issuer can assess risk before deciding whether to challenge the cardholder. The two versions will operate in tandem, with 3DS2 built around tokenisation and biometrics and the original 3DS relying on passwords.

PSD2 also mandates that a customer must reauthenticate, at least every 90 days, with each Account Information Service Provider (AISP) they have allowed to access their financial data. This is another unnecessarily clunky step for users, says Cockayne. “If you have to go back in and reauthenticate every single product you’ve used, it’s going to take a while and it’s going to be something you don’t want to do again. Luckily, the FCA is looking at this and exploring if app suppliers can refresh that consent.”
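The two rules above (two factors from distinct categories, and re-authentication at least every 90 days for AISP access) are the kind of policy an issuer or AISP has to enforce in code. The following is an added illustration, not code from the article or from Envestnet Yodlee; the category names follow the PSD2 regulatory technical standards (knowledge, possession, inherence), while the evidence labels, function names and the decision to treat the 90-day limit as inclusive are assumptions made for the example. The point it makes that the text only implies: two pieces of evidence from the same category (a password plus a security question) do not add up to SCA.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the PSD2 RTS."""
    KNOWLEDGE = "knowledge"    # something the customer knows
    POSSESSION = "possession"  # something the customer has
    INHERENCE = "inherence"    # something the customer is


# Assumed evidence labels for the example; a real system would map its own
# authenticator types onto the three categories.
FACTOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,        # code delivered to the registered phone
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_id": Factor.INHERENCE,
}

# Assumption for the example: once 90 days have elapsed, fresh SCA is required.
REAUTH_WINDOW = timedelta(days=90)


def is_strong_authentication(verified_evidence: list[str]) -> bool:
    """True only if the verified evidence spans at least two distinct categories.

    Unknown evidence types fail closed: they never count towards SCA.
    """
    categories = set()
    for evidence in verified_evidence:
        category = FACTOR_CATEGORY.get(evidence)
        if category is None:
            return False
        categories.add(category)
    return len(categories) >= 2


def aisp_needs_sca(last_sca_at: datetime, now: datetime) -> bool:
    """True if an AISP data pull may not proceed on the existing consent.

    Both timestamps are expected to be timezone-aware (UTC); comparing
    naive and aware datetimes would raise, which is preferable to a
    silent off-by-a-timezone error in an access-control decision.
    """
    return now - last_sca_at >= REAUTH_WINDOW


def authorise_aisp_access(last_sca_at: datetime, now: datetime,
                          verified_evidence: list[str]) -> bool:
    """Decide whether an AISP request is allowed right now.

    Inside the window the stored consent suffices; outside it the customer
    must have just completed a fresh SCA ceremony with two distinct factors.
    """
    if not aisp_needs_sca(last_sca_at, now):
        return True
    return is_strong_authentication(verified_evidence)


if __name__ == "__main__":
    now = datetime(2019, 9, 14, tzinfo=timezone.utc)
    print(is_strong_authentication(["password", "security_question"]))  # two knowledge factors
    print(is_strong_authentication(["password", "sms_otp"]))
    print(authorise_aisp_access(now - timedelta(days=89), now, []))
    print(authorise_aisp_access(now - timedelta(days=90), now, []))
    print(authorise_aisp_access(now - timedelta(days=90), now, ["face_id", "hardware_token"]))
```

Note that the phone is only a possession factor if the code is bound to a registered device; a password and a second secret both typed from memory remain a single factor however the UI presents them, which is exactly the “cheap” deployment the article warns about.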

If users have to repeatedly re-enter their details once SCA comes into force, they will soon become frustrated and are likely to reuse the same weak password across all their accounts: “If each of the big banks decides to put SCA on its landing page for all products, that’s going to make it a friction-heavy journey for someone who wants to see all their financial accounts,” says Cockayne. “Whether it’s a loan, savings account, ISA or an investment account. If those products are also subject to the same SCA process, it’ll be bad for the consumer. They will always go for the simplest solution, which will end up with them having the same log-in details for every account. If the banks deploy SCA in a cheap way, they are going to see their fraud levels go up as consumers choose the path of least resistance.”

Financial fraud cost UK consumers £732m in 2017, with authorised push payment (APP) fraud costing a further £236m. UK Finance figures report that 58% of fraud involves payment cards, as opposed to 16% for online banking and 1% for cheques. An estimated 4.7m adults in the UK have been the victim of credit or debit card fraud, according to a Compare the Market survey. Nearly a third of respondents (31%) use a browser’s auto-fill feature to complete card details, and more than half (56%) distrust technology that automatically logs them into financial accounts.

When it comes to Open Banking and PSD2, consumer education is not the issue, argues Cockayne. “There are plenty of think pieces out there which state that consumers aren’t aware of Open Banking or don’t know what it does, when actually it doesn’t matter. It’s about what services are going to be empowered by Open Banking and how customers can use financial data to help themselves.

“If you’re going to explain to a consumer: ‘you’ve now got to access your data this way and this is what it means’, just being quite clear and having simple language helps. Most people will click through terms and conditions anyway, but the clarity needs to be there. I don’t think it matters if people know what it is as long as they know how to use it. Do people know what HTML 4 is? Not really, but people like the features that it powers.”

