EU’s Strong Customer Authentication comes into force

Woman shopping online

Financial institutions must, from 14 March, abide by the Financial Conduct Authority (FCA) deadline for implementing Strong Customer Authentication (SCA) procedures for online banking.

The Second Payment Services Directive (PSD2) effort by the European Union (EU) to standardise security procedures, which came into force on 14 September last year, is approaching the end of the six-month delay enforced by the FCA.

For e-commerce transactions, the changes will in effect come into force from March 2021, which means an 18-month implementation window.

Banks and other financial entities in the UK, by Saturday, will be expected to fully comply with the regulations, which involves implementing additional verification checks for online banking customers, such as multifactor authentication (MFA).

The changes mean that customers will no longer be able to checkout online using just credit or debit card details, with an additional form of verifiable ID also required. It’s been heralded as an important step to improve security around financial transactions, but businesses may fear the customer experience disruption that an additional check may lead to.

“Ever-rising fraud levels are linked to the consumer preference of mobile e-commerce, forcing regulation to keep pace with innovation,” said CEO of Veridium James Stickland.

“Businesses have had an extended period of six months, in addition to the two years since the initial announcement, and there is no legitimate reason not to be compliant. A failure to integrate Strong Customer Authentication demonstrates a disregard for consumer protection - it should have been prioritised long ago and viewed as a business differentiator.”

Although there will be benefits in terms of security, detractors of the regulation worry about the effect it can have on consumer behaviour, and serve as a barrier to business. Stickland suggests these assumptions are false, however, because consumers will value the sense of confidence that their financial information and payments are safe when making transactions.

“While the primary purpose of this regulation has been to check large-scale online fraud, many have raised concerns that SCA will lead to poor customer experience,” said Venkatesh Varadarajan, a partner in financial services at Infosys Consulting.

“There will be a significant increase in online transactions that will need a ‘step-up’ in authentication. Many retailers don’t have fond memories of the technology around 3D Secure that led to poor customer experience and high shopping basket abandonment rates.”

Among the wider concerns are that the ecosystem and infrastructure aren’t fully ready for SCA, mainly due to past concerns, as well as the lack of knowledge about options available to financial institutions.

“In terms of solutions, there are newer technologies available, like 3D Secure 2, which addresses some of the concerns,” Varadarajan continued. “Retailers and payments firms must explore their options to strike the right balance between managing fraud risks and minimising disruption for customers.

“Some good practices already exist. Both Apple Pay and Google Pay already use two-factor authentication, using a password, fingerprint, or face-scanning technology - as well as card details - to authenticate a customer making a purchase.

“The final critical piece is communicating the benefits of this new approach to consumers, highlighting how it enhances security and reduces fraud. With these levers and a planned approach, the ecosystem can ensure readiness for the regulation within the March 2021 timeframe.”

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.