Strong Customer Authentication

What is the issue?

As of 14 September 2019 a new online verification system was due to come into force under the Payment Services Directive 2 (“PSD2”). The purpose of the system is to make online shopping easier, safer and more importantly reduce fraud.

This process of verification has brought about a challenge of trying to implement a pragmatic process to verification, in particular in relation to vulnerable customers. Those challenges of verification have only increased in the COVID-19 era.

How do you comply?

The new online system (referred to as Strong Customer Authentication “SCA”) will require a two-stage verification process and applies to banks, electronic money institutions and other payment service providers (together, “PSPs”)

To accept payments and meet SCA requirements PSPs will need to use at least two of the of the following three elements:

1. Something the customer knows (i.e. password or pin).
2. Something the customer has (e.g. phone or hardware token).
3. Something the customer is (i.e. fingerprint, facial or voice recognition).

SCA applies to ‘customer-initiated’ online payments within Europe with the result that most card payments and bank transfers will require SCA. There are some exceptions such as low value transactions (approximately £28) but on the whole, SCA will be required.

Implementation

It is fair to say that the implementation of SCA has presented challenges for many businesses struggling with the technological aspect and indeed, some being unaware of the regulations themselves.

The result of this challenge a ‘Dear CEO’ letter was issued by the FCA in August 2019 confirming that whilst the regulations came into force on 14 September 2019 that they would not take any enforcement action against any PSPs who have not met the requirements of SCA until March 2021.

Interestingly within the same letter the FCA has highlighted a significant concern regarding ‘vulnerable’ and digitally excluded customers. For the digitally savvy among us the using our mobile phones to get a one-time passcode is an easy fix, however, for those of that do not have mobile phones, are vulnerable or live in a mobile black spot it becomes a more pressing issue.

Reliance on Mobile Phones

The FCA has noted that not everyone has a mobile phone and as such they expect firms to be able to provide a viable means for authenticating these customers. It is certainly reassuring that this issue has been highlighted but no real solution has been offered by the FCA.

Even those with a mobile phone that live in a network black spot could find themselves being unable to undertake transactions and as such there has to be more than one option for each customer so that they are not forced to attend or call their bank to complete online security checks.

The FCA Update of 31 March 2020

With the advent of Covid-19 everyone is suddenly finding themselves catapulted into a new reality and having to find new ways of undertaking things that were previously straightforward. The FCA is no different.

Some PSP’s were struggling to comply with SCA prior to this pandemic and it has been recognised by the FCA that with the population on lockdown that SCA will also be more difficult to implement. This coupled with the fact that the amount of online transactions will now increase has led the FCA to update their web page on SCA adding in an entirely new section relation to Covid-19 on the 31 March 2020. A link to the web page can be found here: https://www.fca.org.uk/firms/strong-customer-authentication 

Within this update they have stated that they expect that the current challenges are likely to affect the planned implementation of SCA and that they will work closely with the industry to agree any changes to milestones and timelines that may be needed. 

In addition they have confirmed that they will consider PSP’s that have not met the deadline of 14 March 2021 for the implementation of SCA due to coronavirus on a case by case basis.

As many PSPs will be aware it has been advised that were possible that contactless be used as payment due to the decreased risk of onward transmission of the virus and that there has been an initiative to increase the contactless limit. Ordinarily SCA would apply to contactless transactions where:

• There have been five contactless transactions in a row: or
• The cumulative value of transaction value has exceeded £131(approx.)

The FCA have confirmed in their update that they are ‘very unlikely’ to take enforcement action but this is only as long as the PSP sufficiently mitigates the risk of unauthorised transactions and fraud by having the necessary fraud monitoring tool and systems in place and taking swift action.

This update has no doubt come as welcome news to many firms who now find themselves in financial distress due to the impact of Covid-19 on the economy.

Types of Vulnerability

There are a wide range of customers who could be classed as vulnerable, even more so in the current times. The FCA themselves appreciate that vulnerability can come in many different guises. It can be temporary, sporadic or permanent in nature and there is not a one size fits all solution.

Some of the issues that PSPs should be aware of when considering SCA in terms of vulnerability are:

• Literacy and numeracy (one in seven adults have the literacy skills of a child aged 11 or below and just under half of all UK adults have a numeracy attainment of age 11 or below).
• Over 1.4 million people in the UK are aged 84 and over and many do not have a mobile phone or use the internet infrequently. They often heavily rely on their local branch.
• Struggling with an illness that effects your faculties such as dementia. 
• Struggling with an illness which effects your mobility.
• Mental illness.
• People who have had to self-isolate due to Covid-19, especially the elderly as mentioned above who can no longer visit their local branch.

The first issue will be identifying these customers and then offering a solution that works for them. 

Most financial businesses will have risk assessments in place to identify vulnerable customers already, however, solutions for the SCA conundrum still remain hazy at best. 

Solutions

The slickest and most secure form of two -factor identification are encrypted push notifications sent to your mobile phone through push notifications via the banks mobile phone app. 

1. They will confirm the transaction, amount and payee and are authorised by fingerprint or other biometrics.
2. Banks can also send a one-time only passcode by text or email which must be entered online to complete the transaction.
3. Banks can also use an automated service to call the customers landlines to provide a one-time only passcode to be entered online. 
4. If banks do not provide an automated service, then the onus falls on the customer to call the bank every time that they make an online transaction and obtain a passcode. This could be both confusing and time consuming for customers – especially those who are classed as vulnerable.
5. Use of a ‘pin sentry’ device. This may be the most practical solution for vulnerable customers and those in mobile phone black spots. A device can be provided to the customer which will generate a one-time passcode to input online.
6. Some banks are considering allowing customers to ‘Whitelist’ a merchant that they trust. They can request to have the trusted merchant to be added to his/her record after the first authentication is completed.

It remains unclear what solutions will be considered best and utilised by PSPs. The industry wants to avoid online transactions being abandoned due to people not receiving a passcode or being confused by the extra layer of security. With the deadline looming (which may well be extended given the current events), sensible and pragmatic solutions must be found in order to ensure that the most vulnerable amongst us are not excluded from being able to undertake online transactions.

Contact: If your organisation requires advice on how to approach compliance with the SCA rules, in particular relating to vulnerable customers, please do get in touch.