SCA EXEMPTIONS ARE A MERCHANT’S BEST FRIEND, BUT THEY DON’T COME WITHOUT COMPLICATIONS

Shagun Varshney, Product Manager at Signifyd

 

When it comes to online commerce, much of Europe is living in a new payment regulation era — and the UK will soon follow.

It’s an era of two-factor authentication, exemptions, step-ups, transaction legs that are either in or out — and a more secure ecommerce shopping experience for consumers. Polling and industry anecdotes indicate that for many, SCA, which stands for Strong Customer Authentication, might as well mean Something Causing Anxiety. Merchants and consumers know something is changing, but exactly what, for whom and when, well, that’s a little unclear.

But there are ways that UK merchants and brands can embrace SCA by 14 September, the date on which the regulation will be fully enforced.

A quick refresher: SCA is required under the sweeping digital payment regulation known as PSD2. It is already being enforced through much of Europe. It is meant to better secure online checkout by requiring that shoppers be authenticated by two of three methods: something the user knows (such as a one-time passcode), something the user has (such as a mobile device) and something the user is (such as a fingerprint, facial recognition, typing behaviour).

The key to getting SCA right is to conduct the required two-factor identification without adding inconvenience to the checkout process. And that starts with understanding the exemptions and exclusions contained in the requirement and how those elements best apply to your particular business. Wisely deploying exemptions will allow a significant percentage of transactions to be exempted from the regulation — under the right conditions.

As you’ve probably guessed, establishing those conditions has become more important than ever. It’s also important to note that while exemptions and exclusions, which we’ll get to shortly, benefit merchants and their customers, control over whether they are available to a merchant is largely in the hands of a merchant’s payment service provider or a cardholder’s issuing bank.

 

In general exemptions — and their close cousins, exclusions — are available when an order meets certain conditions:

  • The order is low risk and low value.
  • The merchant and its bank have maintained a low fraud rate and the transaction meets certain value limits.
  • The transaction is considered “out of scope.” The list for these exclusions includes phone or email orders, prepaid card transactions and transactions where the acquiring bank or the issuing bank is outside the European Economic Area, known as “one leg out” transactions.

 

One other exemption is available, but a consumer’s bank must agree to allow it in order for it to be applied. It’s called the “Trusted Beneficiary” exemption. It can be applied when a consumer expressly tells the bank that issued their credit card that they don’t want extra scrutiny applied when they are buying from specific merchants. Again, the issuing bank can refuse to allow the exemption.

Similar to exemptions, “out of scope” transactions can also be processed without SCA. In some instances SCA simply does not apply. Think phone or email orders, prepaid card transactions and transactions where the acquiring bank or the issuing bank is outside the European Economic Area (this is where the “one leg out” phrase is used). In the case of a merchant-initiated transaction, a subscription for instance, SCA needs to be performed only once to authenticate the buyer.

Visa, among others, has provided a specific list of exemptions and exclusions.

It becomes evident, scouring the Visa list, that while helpful, exemptions are also limited. Consider low-value transactions for instance. It’s great that transactions below €30 can bypass SCA. But what if you sell jewellery, luxury watches, electronics, high fashion, home goods, sporting goods, groceries, auto parts or sell in any of the nearly limitless verticals that offer products or groups of products on which consumers typically spend more than €30?

Oh, and there is a catch: even low-value transactions need to undergo SCA periodically — every five transactions under €30 must undergo SCA, as must an order once the cumulative value of low-value transactions reaches €100.

Or consider allow-listing. First off, a consumer needs to be aware there is such a thing. A merchant might add a notice at checkout suggesting, “If you like shopping with us, ask your issuing bank to allow-list our store.” All of which leaves a consumer saying, “Ask my what to do what now?”

And even if consumer consciousness-raising is a success, think about the bank that issued the consumer’s credit card. By agreeing to allow-list a merchant, the bank takes on liability for any fraudulent orders. So in one stroke, the bank allows the order to bypass increased scrutiny and agrees to be on the hook for orders that are not legitimate. That’s not a lot of incentive, to put it mildly.

None of which is to say that exemptions should be ignored. Exemptions are a powerful way to provide a seamless experience for customers. When an exemption is approved, the customer doesn’t have to worry about the transaction being stepped up by requiring two of the three SCA authentication methods. And so, retailers want to be in a position to take advantage of exemptions.

One thing that quickly becomes obvious when planning a robust exemption and exclusion strategy is that the starting point for taking advantage of SCA exemptions is to ensure that your enterprise is a solid citizen when it comes to preventing fraudulent sales. Take the most obvious case: In order to take full advantage of the low-risk transaction exemption, a merchant needs to keep its fraud rate below an exceedingly low .01%. That clears the way for purchases under €500. Exemptions for purchases under €250 and under €100 are also available for merchants with fraud rates of .06% and .13% respectively.
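The exclusions, the low-value counters and the fraud-rate bands described above can be combined into one routing decision. The following is an added example, not code from Signifyd or any payment provider; the class, field and route names are hypothetical, and the reading of the "every five transactions" rule and of the fraud rates as inclusive ceilings are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Figures quoted in the article, in EUR and percent.
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_TOTAL = Decimal("100")
TRA_BANDS = [  # (merchant fraud rate ceiling in %, order must be under this value)
    (Decimal("0.01"), Decimal("500")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.13"), Decimal("100")),
]

@dataclass
class Order:
    amount: Decimal
    channel: str = "ecommerce"         # hypothetical values: ecommerce, phone, email
    prepaid_card: bool = False
    acquirer_in_eea: bool = True
    issuer_in_eea: bool = True
    mit_after_first_sca: bool = False  # e.g. a subscription renewal

@dataclass
class CardCounters:
    """Low-value exemptions used on one card since its last SCA."""
    count: int = 0
    total: Decimal = Decimal("0")

def decide(order, counters, fraud_rate_pct):
    """Return the route a merchant could request; the PSP or issuer still decides."""
    # Exclusions: SCA does not apply at all.
    if order.channel in ("phone", "email"):
        return "out_of_scope:phone_or_email"
    if order.prepaid_card:
        return "out_of_scope:prepaid"
    if not (order.acquirer_in_eea and order.issuer_in_eea):
        return "out_of_scope:one_leg_out"
    if order.mit_after_first_sca:
        return "out_of_scope:merchant_initiated"
    # Low-value exemption. Assumption: at most five exempted payments and less
    # than EUR 100 exempted in total between two authentications.
    if (order.amount < LOW_VALUE_LIMIT
            and counters.count < LOW_VALUE_MAX_COUNT
            and counters.total + order.amount < LOW_VALUE_MAX_TOTAL):
        counters.count += 1
        counters.total += order.amount
        return "exempt:low_value"
    # Low-risk exemption, tied to the merchant's fraud rate. Assumption: the
    # quoted rates are inclusive ceilings.
    for ceiling, limit in TRA_BANDS:
        if fraud_rate_pct <= ceiling and order.amount < limit:
            return f"exempt:low_risk_under_{limit}"
    # Step-up: two-factor authentication happens, so the counters start again.
    counters.count, counters.total = 0, Decimal("0")
    return "sca_required"

def replay(amounts, fraud_rate_pct):
    """Run a constructed sequence of ecommerce orders on one card."""
    counters = CardCounters()
    rate = Decimal(fraud_rate_pct)
    return [decide(Order(Decimal(a)), counters, rate) for a in amounts]

if __name__ == "__main__":
    # Constructed sample: six EUR 15 orders at a merchant with a 0.20% fraud rate.
    for n, route in enumerate(replay(["15"] * 6, "0.20"), start=1):
        print(n, route)
```

Replaying the same six orders with a 0.10% fraud rate shows the interaction the article points to: the sixth order is no longer stepped up, because the low-risk exemption catches what the low-value counters reject.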

It’s important, then, to include a powerful fraud protection solution in your overall SCA strategy. A low fraud rate is vital to securing exemptions and exemptions are vital to producing a top-flight customer experience.

Embracing a modern machine-learning fraud solution that sifts fraudulent from legitimate orders in an instant while seamlessly scaling does far more for a merchant than simply ensuring it can use exemptions. Yes, doing away with SCA is one of the best things about exemptions, but it is also one of the worst things about exemptions. Sure, an exemption eliminates the potential friction added to the buying journey by two-factor authentication, but an exemption also sidelines the extra protection that step-ups provide an online seller.

A constantly learning automated fraud solution with a financial guarantee provides the protection needed to ensure good orders are shipped and fraudulent orders are declined.

Merchants and brands will want to be able to confidently pursue an aggressive exemption strategy without worrying about new vulnerabilities that fraud rings will look to exploit. Consider the irony of working so hard to maintain a low fraud rate in order to take advantage of exemptions, only to have those exemptions ultimately lead to a higher fraud rate.

As with many things in commerce, it’s best to take a holistic view when you’re considering how SCA and its exemptions fit into your entire risk management plan.

 

Four ways traders can manage risk

By Dáire Ferguson, CEO at AvaTrade

 

Understanding the markets in which you are trading is incredibly important to optimising profit, as well as managing risk and loss. While trading can be incredibly lucrative, it can often be difficult to judge which way the market will move – especially when executing shorter-term trades, where unknown factors can cause unexpected movements. Being aware of the risks is vital to avoid unnecessary losses and to optimise the trading experience.

There are several techniques that can be employed to make sure the risks associated with trading are controlled, rendering the trading experience smoother and more enjoyable. From beginners to experts, having these tactics in your arsenal will enable traders to be savvier, and more confident.

 

Understanding the risks

To really be able to manage risk, it is imperative to understand the two types of trading risks.

 

Leverage

Leverage is where traders stake only a percentage of the value of the underlying asset they wish to trade on but accept exposure to the full value of the profit and loss that comes with the asset’s price changes. This enables traders to take sizeable positions for comparatively less trading capital, thus providing an opening for big wins and substantial rewards.

However, with this comes the risk of similarly significant losses. As an example, if a trader opens a £100 trade on an asset worth £1,000, using leverage of 10:1, this means that if the asset’s value increases by 10 per cent, the trader’s money will be doubled. But if it drops by just 10 per cent, the trader will lose all their stake. This balance of high risk and high reward necessitates careful management. Leveraging typically applies to purchasing and trading contracts for difference (CFDs).

Volatility

Volatility is characterised by unexpected fluctuations in the prices of assets and is defined as the rate at which pricing rises or falls given a particular set of returns. Volatility applies to all assets, but the regularity and size of price changes differ hugely across different asset groups. In fact, in some markets, volatility is actually predictable. The cryptocurrency market is well known for its fluctuations, characterised by frequent and, often, significant changes in price.

There are scenarios in which volatility can be desirable for some traders as it fosters greater profit margins. However, it also sharply increases the potential for large losses. Nevertheless, there are a number of ways to spot incoming market fluctuations. These include economic volatility, geopolitical tensions, and changing policies.

 

Managing the risks

 

Choose the right broker

So, what can traders do to manage these risks? The first step is to choose the right broker. Having the right broker can go a long way to limiting the risks that come with trading, including managing counterparty risk. For example, when you purchase CFDs, you are purchasing a contract with a broker – not the asset itself. Therefore, traders must be 100 per cent certain in the knowledge that the broker they’ve chosen to operate with is capable of making good on the value of that contract.

Traders who are just starting out on their trading journey should look to open a trading account with an established name that is well regulated in a variety of jurisdictions. Higher-quality brokers will generally have a wider range of risk management tools and offer better features, which will allow traders to manage the buying and selling of assets in a better, more sophisticated manner.

 

Take out protection on riskier trades

For new traders, or those who are looking for extra support, it is worth considering taking out protection against losses for a set period of time. Certain brokers offer risk management tools that provide thorough protection against such losses. These tools generally require just a small fee, not unlike the premium on an insurance policy. These risk management tools allow users to stay in the trade, riding out any short-term drops in value and benefitting from a positive overall momentum of the position. Therefore, if the market moves in a different direction to what was originally expected, users only lose the cost of purchasing the protection and can recover their losses.

 

Set up stop-loss orders

Another form of protection against losses is through a stop-loss order. This is an instruction that is executed automatically when certain conditions are met, stopping losses from falling below a certain point and setting a limit on how much an investor can lose on a trade. In the case of a stop-loss order, the position is sold at a predetermined rate – below the current market price for a long position, or above the current market price for a short position.

Stop-loss orders remove the user from the trade at a set price drop. In comparison, risk management tools allow the user to ride out any short-term drops in value, with the potential to benefit from a positive overall momentum of the position.

 

Manage the capital-to-trade ratio

One simple way traders can reduce the risk of accumulating excessive losses is to keep their capital-to-trade ratio under control. This is the amount of capital left exposed to losses in trades compared to the total amount of capital traders have available to themselves.

A sensible rule for traders to follow is to not exceed a capital-to-trade ratio of 10 per cent, and not to risk more than two per cent of the overall capital on a single trade. This doesn’t mean always taking very small positions – it means traders should hedge their risks on whatever positions they choose to take.

It is important that before traders even begin to trade, they make sure that they understand the risks they face. Once they have taken the time to do that, they can begin to contemplate these four ways to manage those risks and then start trading. This is an exciting time to be entering the world of trading, and these considerations should ensure that the trading experience is as enjoyable and profitable as possible.

 

 

 

Out of office, home and away, moving up, moving on; when security goes AWOL

By Steve Bradford, Senior Vice President EMEA, SailPoint

 

The financial services industry has one of the highest rates of insider data breaches, costing on average $21.25 million in the past year alone. Whether it’s an employee acting with malicious intent, or through accidental data mishandling, staff have access to sensitive information and systems that make them a constant vulnerability. And this threat only escalates when staff go on the move.

With the summer holiday season upon us, thoughts will be turning to well-deserved time off, travel and downtime. However, for many, especially in the financial industry, the notion of waiting until the summer months to sample a new life was not feasible. In the period following Covid, the industry has suffered at the hands of the Great Resignation as burnt-out employees left for new roles. As a result, research from PwC suggests that financial services leaders have had to prioritise employee retention amid the swathes of staff exiting.

This exodus is not just a threat to the workforce itself. It also results in greater threats to resilience, security and compliance. Ensuring that the doors to the organisation’s data are appropriately locked behind them is vital whenever employees are on the move. When a staff member leaves a bank or financial institution, security leaders must ensure they have not inadvertently handed over the keys to the safe as a leaving present. Revoking any and all access and privileges to company data must be a priority.

 

Don’t leave the door ajar 

Disorganised, ill-managed and manually-processed access requirements and identity management protocols are an open invite for security breaches.

However, it is not just those leaving for good that pose a threat. Recently promoted your long-serving payroll manager to a longed-for role in financial oversight? That positive move could result in entitlement creep, where the permissions to data, apps, information and systems she enjoyed in payroll follow her to her new home.

Permission creepers are those staff who collect permissions and access rights as they go through their career, picking up credentials to systems and data as they go. Of course, to restrict the opportunities for hacking, insider threat or illegal or non-compliant activity, permissions should only be granted when relevant and required for an individual’s job. However, too many companies allow permissions to creep by not taking a proactive approach to access. This can result in toxic permissions combinations, where employees are granted inappropriate access to the systems, making fraud and error far more likely.

Even a simple summer holiday can provide an open-door opportunity. We are all conscious about signaling to would-be home burglars that we are going away on holiday, and we will take steps to protect our property in our absence. The same principle applies to businesses with staff out of the office on vacation – potentially logging in from insecure locations or signaling to cybercriminals that their attention is elsewhere.

The results of leaving the door ajar are costly. According to the IBM Cost of a Data Breach Report 2021, the average cost of a data breach in the financial sector is $5.72 million.

Permissions creep, unrevoked access and unmanaged identity provide the perfect conditions for the insider threat to propagate. As Gaurav Deep Singh Johar, of the Information Systems Audit and Control Association explained, “While these challenges are present in any institution, insider threats pose a greater risk for banks. There is a big reputational impact, thanks in part to increasing regulatory oversight.”

 

Don’t let permissions security set sail into the sunset

Financial organisations are complex landscapes, with labyrinthine corporate structures and siloes that cast a dark shadow over access and identity visibility. However, identity security technology is moving fast. Now, automated systems powered by AI and machine learning mean that permissions can be automated and access granted on a need-to-know basis, based on individuals’ employment status, roles, and responsibilities.

An automated system will quickly track down and disable ex-employees’ accounts and automatically halt permissions creep as employees move about the organisation.

The same technology can now also be even more diligent than that, monitoring access requirements based on any change in the workforce, like people being out of the office.
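The leaver and mover checks described above reduce to comparing each account against the HR record and a per-role baseline. The following is an added example, not SailPoint's product logic; the user names, role names, entitlement names and the toxic pair are constructed for illustration.

```python
# Constructed sample data: every name below is hypothetical.
ROLE_BASELINE = {
    "payroll_manager": {"payroll:read", "payroll:edit", "hr:read"},
    "financial_oversight": {"ledger:read", "payments:approve", "audit:read"},
}
# Entitlements that must never be held together (separation of duties).
TOXIC_PAIRS = [("payroll:edit", "payments:approve")]

HR_RECORDS = {
    "asmith": {"status": "active", "role": "financial_oversight"},  # promoted from payroll
    "bjones": {"status": "left", "role": "payroll_manager"},
    "cpatel": {"status": "active", "role": "payroll_manager"},
}
ACCOUNTS = {
    "asmith": {"enabled": True, "entitlements": {
        "ledger:read", "payments:approve", "audit:read",
        "payroll:read", "payroll:edit"}},  # payroll rights followed the move
    "bjones": {"enabled": True, "entitlements": {"payroll:read", "payroll:edit"}},
    "cpatel": {"enabled": True, "entitlements": {"payroll:read", "hr:read"}},
}

def review(hr, accounts, baseline=ROLE_BASELINE, toxic_pairs=TOXIC_PAIRS):
    """Return (user, finding, detail) tuples for enabled accounts that need action."""
    findings = []
    for user in sorted(accounts):
        acct, person = accounts[user], hr.get(user)
        if not acct["enabled"]:
            continue
        # Leaver or orphan: an enabled account with no active employment behind it.
        if person is None or person["status"] != "active":
            findings.append((user, "disable_account", "no active employment record"))
            continue
        held = acct["entitlements"]
        # Entitlement creep: anything beyond what the current role needs.
        excess = held - baseline.get(person["role"], set())
        if excess:
            findings.append((user, "entitlement_creep", sorted(excess)))
        for a, b in toxic_pairs:
            if a in held and b in held:
                findings.append((user, "toxic_combination", [a, b]))
    return findings

def remediate(hr, accounts, baseline=ROLE_BASELINE):
    """Return a corrected copy: leavers disabled, movers trimmed to their role."""
    fixed = {}
    for user, acct in accounts.items():
        person = hr.get(user)
        active = person is not None and person["status"] == "active"
        allowed = baseline.get(person["role"], set()) if active else set()
        fixed[user] = {"enabled": acct["enabled"] and active,
                       "entitlements": acct["entitlements"] & allowed}
    return fixed

if __name__ == "__main__":
    for finding in review(HR_RECORDS, ACCOUNTS):
        print(finding)
    print("after remediation:", review(HR_RECORDS, remediate(HR_RECORDS, ACCOUNTS)))
```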

The evolving variety and fluctuating workforce mean that the insider threat can only be met with automated, streamlined identity security that moves as quickly as employees themselves. Without intelligent, streamlined identity governance, banks cannot ensure they are in a state of compliance, nor ensure cybersecurity in real-time. They also miss out on opportunities to improve operational efficiency and reduce the risk of fraud and error. Automation also ensures the accuracy and completeness of data sets so critical for keeping on top of compliance and delivering critical services.

As financial workforces are on the move, home and away and to pastures new, now is the time for banks to give identity security its time in the sun. Do not let shifting sands collapse the walls around you. Wherever your employees are coming from and going to, robust security and sustained compliance start with automated identity management.

 
