Frederik Mennes, Director of Product Security, Security Competence Center, OneSpan
Security is hot on the agenda for banks and financial institutions. Breaches and fraud are becoming commonplace, and cyber-criminals are continuing to look for new and innovative ways to exploit vulnerabilities. Pressure is also coming from customers and regulators, who have increasingly high expectations that companies are keeping data secure, especially financial. Indeed, the banking industry is one of the most heavily regulated across the world, and in the EU, the 14 September deadline for PSD2 is fast approaching.
The Strong Customer Authentication (SCA) rules, as part of PSD2, are intended to enhance the security of e-commerce payments and limit fraud. Once SCA comes into effect, customers purchasing more than €30 worth of items will be required to be authenticated by two out of three elements: something the customer knows (PIN, password, security question), something the customer has (a device), and/or something the customer is (biometric data such as fingerprints, or facial recognition).
With some banks choosing to opt for mobile phone verification as one of the options, concerns were raised that almost a third of online purchases could fail, and thousands of UK customers could be frozen out of online shopping if they don’t own a mobile phone or can’t access signal. Subsequently, the FCA recently delayed the introduction of SCA for e-commerce payments by up to 18 months.
Banks are now faced with the challenge of meeting the SCA regulations surrounding authentication, while also providing a seamless user experience, and meeting customer expectations.
Here are three ways to overcome challenges with SCA regulations.
Adopt intelligent adaptive technologies
One way banks can achieve this is by adopting intelligent authentication technology. Such technologies are powered by AI and machine learning, and assess the risk level of a transaction based on vast and disparate data, including transaction details, customer behavior, the integrity of the device and mobile apps, and other contextual data points. This information is then used to determine what level of authentication is required. Crucially for SCA, intelligent authentication isn’t limited to one or two methods, such as a PIN and a mobile phone text. A range of authentication methods can be employed depending on the situation.
For example, if a customer tries to make a large clothes purchase online but doesn’t have mobile phone signal, instead of being required to enter a PIN and a one-time PIN delivered via push notification or mobile app, they could use a fingerprint instead. Or, if the customer doesn’t have access to a mobile phone at all, the bank could phone the customer on their landline, providing an automated code for them to enter.
Crucially, by adopting intelligent authentication banks will be able to comply with the SCA rules of authentication by two different elements, without limiting customers to certain authentication methods that might not be convenient, such as a mobile phone text verification.
Fight fraud with risk-based security
As well as ensuring banks are compliant with SCA regulations, intelligent authentication is also a key solution for helping banks drive down fraud. Fraud cost banks £1.2 billion in 2018, and new incidents of financial fraud were being reported every 15 seconds during the year, making it a top priority. With money, customers, and reputation on the line, banks need to ensure they’re making necessary changes to combat fraud.
However, it’s increasingly difficult to identify fraud across multiple digital channels. To stay ahead, banks need to take a risk-based, context-aware approach to security, including authentication. With intelligent authentication, the risk of a situation is determined and authentication levels adjusted accordingly.
For example, if a customer tries to make a larger than usual payment, from an untrusted device, in an uncommon location, it is more likely to be an attempt at fraud. However, people don’t live in boxes, or behave the same way all the time, and it’s entirely possible that the payment attempt is genuine.
Therefore, instead of denying the transaction, resulting in potentially unnecessary frustration, intelligent authentication challenges the customer accordingly. Because the transaction is unusual, the customer is asked for additional authentication, such as a fingerprint, rather than only a passcode.
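The two ideas above (choosing any two distinct SCA elements from whatever methods the customer can actually use, and stepping up authentication when contextual signals indicate risk) can be expressed as a small policy. The following is an added illustration written for this article, not OneSpan's product or any real bank's rules; the method catalogue, risk weights and the threshold for "larger than usual" are constructed assumptions.

```python
"""Risk-based step-up authentication policy (illustrative example, not OneSpan's product).
SCA element categories follow the article: knowledge, possession, inherence."""
from dataclasses import dataclass

SCA_THRESHOLD_EUR = 30.0  # the article: purchases above EUR 30 require two of three elements

# Assumed catalogue mapping each authentication method to its SCA element category.
METHOD_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "push_otp": "possession", "sms_otp": "possession", "landline_call": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

@dataclass
class Transaction:
    amount_eur: float
    usual_amount_eur: float   # constructed behavioural baseline for this customer
    device_trusted: bool
    location_common: bool
    available_methods: list   # methods the customer can complete right now (e.g. no mobile signal)

def risk_score(tx: Transaction) -> int:
    """Weighted sum of the contextual signals named in the article; weights are assumptions."""
    score = 0
    if tx.amount_eur > 3 * tx.usual_amount_eur:
        score += 2   # larger than usual payment
    if not tx.device_trusted:
        score += 2   # untrusted device
    if not tx.location_common:
        score += 1   # uncommon location
    return score

def required_elements(tx: Transaction) -> int:
    """Distinct SCA categories to demand: one below the SCA threshold, two normally, three when risky."""
    if tx.amount_eur <= SCA_THRESHOLD_EUR:
        return 1
    return 3 if risk_score(tx) >= 4 else 2

def select_methods(tx: Transaction):
    """Pick one usable method per required category; None means SCA cannot be met with what is available."""
    need = required_elements(tx)
    chosen = {}
    for method in tx.available_methods:
        category = METHOD_CATEGORY.get(method)
        if category and category not in chosen:   # two methods of one category do not count twice
            chosen[category] = method
        if len(chosen) == need:
            break
    return chosen if len(chosen) == need else None
```

A `None` result is the point at which a bank would offer an alternative channel (such as the landline call the article mentions) rather than silently failing the purchase.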
Intelligent authentication is a great example of banks being able to take advantage of emerging technologies to identify and prevent fraud, without compromising the user experience.
Balance security and the experience
The banking landscape is shifting rapidly, with advances in technology and the rise of challenger banks. Customers are demanding more from their banks, and expect a fully digital and seamless experience at all touch points, whether that’s purchasing an item online, or taking out a loan.
At the same time, regulations are placing far more importance on security than ever before, and with the relentless threat of fraud and cyber-attacks hanging over banks, ensuring their customers are secure needs to be a top priority.
Consumers don’t want to see or pay for security anymore; it’s just expected. Intelligent authentication is one way banks and financial institutions can deliver the dream of a secure and seamless banking experience while also remaining compliant with regulations such as SCA.