The concept of open banking lies in the co-existence of banks and emerging Fintech firms. Together, they could bring about new possibilities for creating a customer-centric financial ecosystem. Banks and financial institutions will make use of the vast customer data to offer a series of services related to investment, loans, and most importantly payments. However, to reach that stage, the security of customer data is a major challenge.
PSD2 is the EU’s directive designed to open up access to customer’s bank accounts and information to third-party providers (TPPs) through open APIs. The main objective of the directive is to enhance competition, facilitate innovation in banking services, and protect consumer data.
PSD2 has introduced the concept of Strong Customer Authentication (SCA) or two-factor authentication to enhance transaction security and customer experience in digital payments.
What is Strong Customer Authentication (SCA)?
SCA or Strong Customer Authentication is a European regulation under RTS (Regulatory Technical Standards) in PSD2 to reduce frauds and make online payments more secure. The regulation will go into effect on 14th September 2019 to make customer-initiated online payments more secure in the European Economic Area (EEA). After RTS came into force, every transaction will be authenticated by at least two of the three possible factors:
- Inherence: something the user is, such as a fingerprint or an iris scan.
- Possession: something only the user has, such as a token or a card.
- Knowledge: something only the user knows, such as a PIN or a password.
After SCA comes into effect, all banks and payment service providers (PSPs) in EEA will have to comply with its safety regulations. Every customer-initiated payment will have to pass additional information about the customer to their payments provider. Payments without this additional authentication will be declined by the cardholder’s bank.
Exceptions to SCA
SCA will come into force to regulate every online payment happening in EEA. However, there are some cases where payment service providers can operate without SCA. Here are some examples of low-risk payments that are exempted:
- Transactions below €30 will be considered “low value” and may be exempted from SCA until the sum of exempted payments exceed €100.
- A series of recurring payments of the same amount to the same business such as a loan EMI. In this case, only the first transaction will come under SCA.
- Payment with saved cards where the customer is not present while checking out. The transaction, in this case, will be considered as merchant-initiated transaction hence exempted.
- When a payment is done to “trusted beneficiaries.” The customer can whitelist a business they trust and avoid SCA for future purchases.
- Corporate payments are exempted.
Although exemptions are present there, banks reserve the rights of whether to accept an exemption. In such a case, the payments need to be submitted again with two authentication factors to be compliant with SCA.
Impact of SCA on Banks and TPPs
Banks have identified various ways to make transactions more secure by connecting user biometrics with their devices. But a growing number of frauds and authentication failures have raised concerns over security. After SCA, banks will be forced to provide strong and multi-factor authentication to enhance online payment security for consumers. It will also apply even when a customer accesses his or her payment account online.
Similarly, payment service providers must comply with SCA to offer a seamless and secure payment service to consumers. Also, it will also be crucial for them to strike the right balance between customer experience and payment security. It will help to smoothen the path to SCA.
Opportunities for all
PSD2 is a consumer-centric directive that should lead to a competitive environment enhancing the overall user experience. New partnerships and open banking APIs with right security standards brought by SCA could generate immense value for banks, Fintech firms, and consumers. PSPs will be able to offer a consistent payment services across multiple platforms. With two-factor authentication, all this could be done without compromising on security for consumer’s data.
While the principles related to new security rules are going to be mandatory for all banking and non-banking institutions, many participants still doubt about its implementation and robustness. One of the concerns is to maintaining a healthy balance between security and usability. But, it’s only a matter of challenges. This evolving environment has an immense potential to lead to an explosion of innovation, competition and new services.
