Learning to ❤️ My PIN
Many European banks are grappling with how to comply with the requirements of the Regulatory Technical Standards for Strong Consumer Authentication (RTS-SCA). Published by the European Banking Authority (EBA) in March 2018, and coming into force in September 2019, this regulation mandates a fundamental shift from traditional authentication techniques (e.g. passwords, memorable questions and, even the more modern, One Time Passcodes) to what is called Strong Consumer Authentication (SCA) that comprises of two of the following three types of authentication; knowledge (something that the consumer knows), possession (something they have) and inherence (something they are).
Balancing Security with Convenience
Not only is the type of authentication changing, and becoming more complex, the scope where this authentication method must be used is expanding. Currently, many banks have deployed sophisticated risk assessment tools that are capable of very effectively separating fraudulent transactions from legitimate ones. Given that any interruption to the consumer’s transaction can lead to a poor consumer experience, increased costs for the bank and the potential for reduced sales volumes to merchants, it is in everyone’s interests to keep the percentage of transactions being authenticated at the lowest possible level whilst still protecting consumers from fraudsters. For some banks, the use of very sophisticated tools by highly skilled staff allows them to safely allow over 95% of eCommerce transactions flow without interrupting the cardholder’s shopping experience. The RTS-SCA will remove much of the freedom that banks currently possess when designing & implementing their fraud mitigation strategy and it is very likely that the percentage of transactions requiring authentication will be significantly higher than it is today. The exact rates will vary between banks but, it is likely that at least 30-50% of transactions will now need authentication; which, for some consumers, may manifest as 10x increase on today.
Another confounding factor is that it is likely that consumers may experience different types of authentication as they interact with their banks in different channels; for example, having to use an OTP delivered via SMS for an eCommerce transaction vs. a username, password & a different OTP when accessing online banking vs. using a biometric (commonly a fingerprint scan) when accessing a mobile banking application. After having spent years helping banks comply with the authentication requirements for eCommerce, experience suggests that few banks are deliberately choosing to have a different customer experience for each of the channels but it is being forced upon them from a combination of internal IT challenges and the demographic of their customer base.
In summary, this means that the immediate impact RTS-SCA for many consumers will be to increase the amount of friction that they experience when they shopping online or interacting with their bank through a digital channel.
Streamlining the Sharing of Data with Open Banking
In contrast to the above, the Open Banking revolution offers consumers unparalleled opportunities to share their most precious banking information with an huge variety of third-party organisations for everything from, receiving alerts when cheaper mortgage deals become available to getting personalised financial advice on how best to manage their money.
While consumers will still have to undergo their bank’s SCA procedures when they first connect a new third-party service to their bank account, and renew that connection periodically, the mere possibilities of these new connections are likely to cause confusion in consumers. They will be receiving messages from different parts of the industry with diametrically opposed views; they will find themselves being prompted to authenticate themselves 10x more frequently when shopping online but also receiving marketing messages from banks & third-party providers saying that it’s never been easier to share their financial data. To some, the mere name ‘Open Banking’ breeds nervousness and, for both initiatives to succeed, consistent messages should be shared by all parties as any area of confusion risks being exploited by fraudsters.
I ♥️ PIN
When speaking to the industry about consumer education, there were mixed views as to where the responsibility lay and, sadly, most organisations felt that it lay somewhere else.
Changes of this magnitude do not come along frequently. The last industry-wide change of this scale was the UK’s adoption of ‘Chip & PIN’ payment cards which was brilliantly marketed as ‘I ♥️ PIN’ with a launch date Valentine’s Day 2006.
Another good example, from the transport sector, is the ‘See it, say it, sorted.’ campaign to raise travellers’ awareness of how to deal with suspicious packages. It’s literally impossible to spend any time on a train or in a station without having this message drilled into you from posters and announcements over the PA system.
I’d love to see an ‘I ♥️ Open Banking’ awareness campaign rolled out with consistent messaging from all parties highlighting the exciting opportunities that Open Banking will bring and positioning SCA as a necessary evil required to secure the ecosystem.