1 May 2020
The Financial Conduct Authority (FCA) in the UK has extended the deadline for implementation of strong customer authentication rules by six months. The deadline is now 14 September 2021.
Other regulators across Europe are expected to make similar moves.
From 14 September 2021, financial institutions must ensure that customers complete strong customer authentication (SCA) before they carry out online processes, as set out in the EU Revised Directive on Payment Services (PSD2).
These processes include:
Strong customer authentication requires a customer to complete a multi-factor process to verify their identity. Multi-factor authentication requires two or more of the following elements:
The two factors also need to be independent of each other. For example, if a customer authenticates via voice on their mobile phone as the first factor, and then the bank sends a one-time password (OTP) to that same device for the second factor, this could potentially present a risk. The two factors use the same channel or band, so if that channel – in this case the mobile phone – has been compromised, both the instruction and the security verification are sent to an individual who now controls the compromised device. This must be avoided according to the recommendations.
Usability vs Security: half of consumers have abandoned online transactions
The challenge for banks is striking the right balance between security and ease of use. Security is critical, but if systems are hard to access then banks face higher drop-off rates, increased loss of customers to competitors, and the brand impact of being seen as difficult to use.
Drop-off rates and loss of customers are very real concerns. A recent iProov study found that almost half of consumers in the US and UK have abandoned an online purchase because the security process took too long – and those aged 18-44 are more likely to have done so.
With iProov, strong customer authentication is simple and secure. The iProov facial biometric authentication can replace passwords, or it can be used as the second factor as detailed in the two examples below:
How to enable strong customer authentication/SCA on mobile devices with iProov:
How to simplify strong customer authentication/SCA on web browsers with iProov
iProov Web offers the significant advantage of allowing strong customer authentication to be completed on a desktop or laptop without the need for a mobile device.