Last updated: 18 October 2017
Banks around Europe are scrambling to get ready to follow the PSD2 directive. Starting in H2 2019, they must adhere to the Regulatory Technical Standards (RTS), which provide technical guidelines from the European Banking Authority for PSD2 compliance.
Yet even banks outside Europe should take note, because PSD2 fights fraud by raising the bar on security.
In fact, PSD2 requires banks to implement Strong Customer Authentication (SCA). Basically, this means that they must check that users are who they claim they are through two of three independent factors: something they know (e.g. a password), something they own (e.g. a token), and something they are (e.g. their fingerprint). This extra measure of security helps to fight fraud – but it also brings an extra step in the online process, making the user experience less smooth.
Reconciling security and convenience
So, does that mean that banks in Europe are doomed to offer a clunky user experience to comply with PSD2?
Thankfully, no. Alongside SCA, PSD2 mandates the use of risk management to increase security: to identify potential fraud and block it before it happens.
Risk management alone would not improve the user experience if strong customer authentication were always required. But, as it turns out, the RTS offer a way to reconcile security and a smooth user experience. In fact, the final draft – which is expected to be formally adopted before the end of the year – lists a number of cases in which SCA is not necessary. They call them the “exemptions.”
The reason for these exemptions is clear: consumers don’t like to be disrupted when they are banking or shopping online. If they are constantly pestered for passwords, one-time-passwords, or fingerprints, they might just give up and stop what they are doing. And that’s bad for business. While European authorities want to protect consumers and banks from fraud, they also want to foster business, making sure banks and merchants don’t lose their customers.
Of course, you can’t simply do away with SCA to make life easier for customers. That would be just as bad, if not worse: customers who found their bank accounts emptied by fraudsters would not be so happy with their bank. They expect protection.
That’s why risk management is the answer: it allows banks to be smart about when to carry out SCA, and when not to. Through risk management, banks can analyze a range of input signals – both about the user (including the user’s normal behavior, location, and the device and software used) and about known issues (including typical fraud scenarios, high-risk locations, and malware infections). If the transaction is deemed risky, either it is blocked or a step-up authentication is required – meaning that SCA is applied. If the transaction is deemed safe, no step-up is required – keeping the experience smooth for the user.
So, banks can combine SCA with a smooth user experience.
To be allowed to benefit from the exemptions, banks (and other payment service providers) must have an overall fraud rate that lies below specific thresholds defined by the European Banking Authority.
Yet even banks that do not currently qualify for the exemptions can benefit hugely from implementing a risk-management system: by helping them identify and block potential fraud before it happens, such a system can bring their fraud rate down to the required targets – and therefore allow them to apply the exemptions.
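The decision logic described above, as an added illustration that is not Gemalto’s own code and not the Assurance Hub: signals about the user and about known threats are weighted into a score, and the score decides between allow, step-up (SCA) and block, with the exemption only available when the provider’s fraud rate is under the limit. All weights, score thresholds and the fraud-rate limit are assumed placeholders, not EBA figures.

```python
from dataclasses import dataclass

# Constructed placeholders. The RTS ties exemption eligibility to the
# provider's reference fraud rate; the real limits come from the EBA,
# not from this example.
EXEMPTION_FRAUD_RATE_LIMIT = 0.0013   # assumed, not an EBA figure
STEP_UP_SCORE = 40                    # assumed score thresholds
BLOCK_SCORE = 80


@dataclass
class Transaction:
    amount: float
    user_avg_amount: float          # user's normal behaviour
    device_known: bool              # device and software already seen
    country: str                    # where the request comes from
    user_home_country: str
    high_risk_countries: frozenset  # known high-risk locations
    malware_indicator: bool         # signs of infection on the client
    matches_fraud_pattern: bool     # matches a typical fraud scenario


def risk_score(tx: Transaction) -> int:
    """Sum weighted signals about the user and about known issues."""
    score = 0
    if not tx.device_known:
        score += 25
    if tx.country != tx.user_home_country:
        score += 20
    if tx.country in tx.high_risk_countries:
        score += 20
    if tx.amount > 3 * tx.user_avg_amount:   # departure from normal behaviour
        score += 20
    if tx.malware_indicator:
        score += 40
    if tx.matches_fraud_pattern:
        score += 40
    return score


def decide(tx: Transaction, provider_fraud_rate: float) -> str:
    """Return 'block', 'step_up' (SCA required) or 'allow'.

    A provider whose fraud rate exceeds the limit loses the exemption and
    must step up every transaction that is not blocked outright."""
    score = risk_score(tx)
    if score >= BLOCK_SCORE:
        return "block"
    if provider_fraud_rate > EXEMPTION_FRAUD_RATE_LIMIT:
        return "step_up"
    return "step_up" if score >= STEP_UP_SCORE else "allow"
```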
Ready for the deadline?
So, there are two things that are crucial for banks in order to get ready for PSD2: authentication systems that enable SCA, and a risk-management system.
As it happens, Gemalto offers both. We offer Strong Customer Authentication solutions – both hardware tokens and mobile solutions. And we offer a risk-management system known as Gemalto Assurance Hub.
Integrating SCA and risk management is not always easy. They are different pieces of a complex puzzle. Gemalto masters both – helping banks breeze through the 2019 deadline instead of scrambling to meet it.
Want to learn more about PSD2 and the user experience? Make sure you don’t miss our webinar on October 31 on PSD2 and SCA: Balancing compliance with customer experience. And share your thoughts in the comments below or by tweeting to us @Gemalto!