1 May 2020
The Financial Conduct Authority (FCA) in the UK has extended the deadline for implementation of Strong Customer Authentication (SCA) rules by six months. The deadline is now 14 September 2021.
Other regulators across Europe are expected to make similar moves.
From 14 September 2021, financial institutions must ensure that customers are completing SCA before they carry out online processes, as set out in the EU Revised Directive on Payment Services (PSD2).
These processes include:
Strong Customer Authentication is the process required by banks and electronic payment providers to verify the identity of their customers online. These rules were introduced in 2019 and aim to enhance security and prevent fraud. SCA does not just apply to banks: the entire e-commerce industry must comply by the 14th September 2021, too.
But how does it actually work?
Strong Customer Authentication means that payment service providers must require customers to use a multi-factor authentication process for payments and verifying their identity online.
Multi-factor authentication requires two or more of the following elements:
The two factors also need to be independent of each other. For example, if a customer authenticates via voice on their mobile phone as the first factor, and then the bank sends a one-time password (OTP) to that same device for the second factor, this could potentially present a risk. The two factors use the same channel or band, so if that channel—in this case the mobile phone—had been compromised, both the instruction and the security verification are being sent to an individual who now controls the compromised device. This must be avoided according to the recommendations.
Did you know, half of consumers have abandoned online transactions?
The challenge for banks is selecting the right balance of security with ease of use. Security is critical, but if systems are hard to access then banks face higher drop-off rates, increased loss of customers to competitors, and the brand impact of being seen as difficult to use.
Drop-off rates and loss of customers are very real concerns. A recent iProov study found that almost half of consumers in the US and UK have abandoned an online purchase because the security process took too long—and those aged 18-44 are more likely to have done so.
With iProov, Strong Customer Authentication is automated, fast, simple, and secure. We work with organizations such as online-only challenger bank Knab to provide SCA to its 500,000+ customers. All customers that open an account with Knab are authenticated by iProov’s cloud-based, device-independent face biometric technology.
Knab bank uses iProov authentication (Something a person is) along with a PIN (something the person knows) as part of their process to comply with SCA requirements and other regulations such as Know Your Customer (KYC). You can read more about iProov’s work with Knab here.
The iProov facial biometric authentication can replace passwords, or it can be used as the second factor as detailed in the two examples below.
iProov Web offers the significant advantage of allowing strong customer authentication to be completed on a desktop or laptop without the need for a mobile device.