Posted: 17th September 2019
On the 13th August, the FCA announced that it had agreed a plan with the payments industry to implement Strong Customer Authentication (SCA) rules over a phased period, replacing the original 14th September hard deadline for compliance.
The period for implementation will run until March 2021, but firms should not be working under the assumption that this is a delay – nor a soft approach – to the Revised Payment Services Directive (PSD2). The new plan only relates to the e-commerce cards industry, after all. Customers interacting directly with their online bank to initiate payments, for example, will still be expecting to go through the two-factor authentication as we have previously described.
The FCA will not simply let the industry 'get on with it' or come back to review progress down the line. Rather, it will continue actively engaging with firms to:
- Obtain evidence on their roadmap to achieving full compliance
- Confirm their approach to dealing with customers who are unable to authenticate with a mobile phone
While this announcement has already been widely covered in the press, another update on PSD2 from the FCA failed to receive the same fanfare. This news was instead circulated by email on the 9th August to targeted Account Servicing Payment Service Providers (ASPSPs) and Third-Party Providers (TPPs) via trade bodies.
Focusing on the Open Banking element of PSD2, the FCA has effectively given a temporary stay of execution to screen scraping practices until March 2020 for ASPSPs that did not have their Application Programming Interface (API) available for testing by the 14th June this year.
This gives TPPs additional time to get those all-important eIDAS (“electronic identification and trust services”) certificates that are still only being issued by a couple of firms throughout Europe. It also gives them time to gain an exemption from the taxing requirement of developing a contingency mechanism.
As with the phased SCA rollout, the FCA is encouraging dialogue and will continue working with firms to understand their roadmap and guide them to full compliance.
Both announcements come at a time when the industry has been crying out for allowances that would let them avoid a ‘cliff-edge’ disaster on September 14th. Widespread non-readiness has been reported by firms across the industry. Indeed, as recently as the 21st August, Tink, a provider of Account Information Service Provider (AISP) and Payment Initiation Services Provider (PISP) APIs, reported that “Zero PSD2 APIs are compliant with just weeks left before the deadline”.
Throughout the world of e-commerce, similar cases of non-readiness have been reported. The Emerging Payments Association (EPA) recently published an impact assessment that revealed almost 75% of issuers would not have been operationally ready for the original deadline. The sheer fragmentation of the ecosystem means that readiness in isolation is not enough – it requires a cohesive approach from all involved.
Herein lies part of the problem. Following the European Banking Authority’s announcement of possible “limited extra time” for the implementation of SCA, different EU member states’ authorities have taken different approaches from our own FCA’s very specific allowances for the e-commerce world. Other authorities have not issued statements at all, meaning there has been an assumption in some member states that enforcement will start from the 14th September across all payment instruments and channels.
In today’s cross-border environment, this essentially means that any merchants taking payments from customers with cards issued in other EU countries should certainly not be ‘taking their foot off the gas’ in their efforts to comply with SCA. Some prominent UK retailers have already pressed ahead with SCA on this basis, John Lewis being one example.
Clarity of approach is needed
The EBA announcement – which clarified the various knowledge, possession and inherence factors of SCA – certainly ‘threw a spanner in the works’ for many firms operating on other assumptions. Prior to this communication, firms had been basing their solutions on direction from the FCA and from the card schemes. And yet, we were still missing total clarification in a number of areas.
One example of where clarity of approach was needed was on the acceptance of card details (PAN + expiry + CVV2) as a possession factor. While the FCA determined that this would be acceptable, this came with the caveat that the requirements under Regulatory Technical Standards (RTS) Article 7 (measures must be adopted to ensure that the elements cannot be used by unauthorised parties) would be respected.
The card schemes have echoed this by calling for a "layered approach”. They would like to see card data combined with other data fields that, together, would provide greater confidence that the card is being used by the genuine cardholder. As to what these fields should be, there is no clear answer. It is up to each individual firm to adopt what they feel is adequate to meet RTS Article 7.
The EBA announcement then placed card details in the non-compliant category for both knowledge and possession factors, leaving firms asking more questions. The fact that the words “for approaches currently observed in the market” were used in this announcement also left many scratching their heads. What does this mean precisely? It is almost inconceivable that the EBA had analysed every single live e-commerce system before making its decision. There are surely solutions out there that meet all the requirements of the RTS.
Clarity is also needed around the use of 3-D Secure fields. The rich set of meta-data available within the 3-D Secure protocol allows merchants to perform risk-based analysis of any given transaction and request the card issuer not to ask for additional authentication.
This data – again, with the caveat of “for approaches currently observed in the market” – was deemed to be non-compliant for inherence purposes. That’s not to say that 3-D Secure cannot support the ‘something you are’ factor when the buyer is transferred to their card issuer; what it means is that the data fields being passed in the background are not currently sufficient. Those firms relying on changes in billing addresses, reordering of previously purchased goods, changes in browser attributes or other arguably behaviour-based traits had to go ‘back to the drawing board’.
On top of these disruptions, the phased rollout would mean that firms now need to split up their SCA deployment piecemeal, with some elements going live on or before September 14th, and others gradually deferred, based on guidance from UK Finance.
Some firms reliant on third parties for these services simply cannot afford to take such an approach, as this will add more costs onto their ever-increasing compliance budget. Still, it may be necessary to take the hit to ensure a cohesive industry approach. This, after all, is vital in ensuring consumers are not left dazed and confused by change after change after change.
The FCA has created a consumer-facing page on SCA, but it’s not likely that we’ll see any glossy communication campaigns similar to that produced ahead of the PPI deadline.
The trouble with SMS One-Time Passwords (OTP)
In today’s clued-up world, those of us in a Fintech bubble could be forgiven for assuming that everyone has a mobile phone. However, in each of its recent announcements, the FCA has been keen to stress that firms need to cater for all groups of people, including those who may not be able to authenticate with a mobile phone.
As evidenced by Ofcom’s mobile checker, mobile network coverage across the UK is by no means evenly spread, especially indoors. Those who spend the majority of their lives in large buildings, or who live in more rural or mountainous areas, may find that they aren’t getting the signal they need to receive SMS messages, let alone calls or an Internet connection.
Conduct risk in this regard should not be limited to typical ideas of ‘vulnerability’ either. Some customers may be without a phone by choice or may have chosen not to disclose their active number to their bank.
SMS OTPs have also been receiving some pretty negative press attention lately. The fact that “SIM swap fraud” (in which a fraudster convinces a mobile provider to transfer a victim’s phone number to a new phone) can be so easily accomplished by savvy criminals and exploited to access online accounts has caused many to question whether SMS should be considered a secure method of authentication at all.
If customers cannot receive an SMS OTP, or the SIM with the registered phone number becomes compromised, firms may seek to provide OTPs via another channel, such as email. However, because the possession factor of SCA requires a customer to authenticate with a device they physically own (a phone with a SIM card registered to the user), an OTP sent via email or landline would only count as a knowledge factor.
The phased rollout has effectively allowed firms to accept two knowledge factors in a worst-case scenario for customers without access to the mobile hardware needed to support other forms of authentication. It is, of course, expected that other biometric or behaviour-based factors are explored and matured during the roll-out period.
With the time allowed them, firms should be seeking alternatives to SMS OTP or, at the very least, deploying solutions that could detect and mitigate SIM swap fraud. This could involve analysing network data and device information to provide risk-scores to banks based on the usual behaviour of the registered SIM owner.
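The kind of risk-scoring described above, as an added illustration (not code from the original post or from any bank or network operator): it assumes the bank can obtain from its mobile-network data partner a hypothetical `sim_changed_at` field (when the number was last moved to a new SIM) and a `ported_recently` flag, and that it keeps its own history of the devices and countries a customer normally authenticates from. A high score diverts the OTP away from SMS to a step-up channel rather than refusing the customer outright.

```python
"""Score an SMS OTP delivery against SIM-swap signals before sending it.

Added example; the network fields (`sim_changed_at`, `ported_recently`) are
assumed to come from an MNO lookup and are constructed here for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple


@dataclass
class NetworkSignal:
    msisdn: str
    sim_changed_at: Optional[datetime]  # hypothetical MNO field: last SIM change
    ported_recently: bool               # hypothetical: number moved between carriers


@dataclass
class CustomerProfile:
    known_devices: Set[str] = field(default_factory=set)   # fingerprints seen before
    usual_countries: Set[str] = field(default_factory=set)


@dataclass
class OtpRequest:
    device_fingerprint: str
    country: str
    requested_at: datetime


def sim_swap_risk_score(signal: NetworkSignal, profile: CustomerProfile,
                        request: OtpRequest, swap_window_days: int = 7) -> int:
    """Return 0..100; higher means the registered SIM is less likely to be
    in the genuine customer's hands right now."""
    score = 0
    # A SIM change within the last few days is the strongest SIM-swap signal
    if (signal.sim_changed_at is not None
            and request.requested_at - signal.sim_changed_at <= timedelta(days=swap_window_days)):
        score += 60
    # A recent port between carriers often accompanies a swap
    if signal.ported_recently:
        score += 20
    # Device and location that differ from the customer's usual behaviour
    if request.device_fingerprint not in profile.known_devices:
        score += 15
    if request.country not in profile.usual_countries:
        score += 10
    return min(score, 100)


def choose_otp_channel(score: int, threshold: int = 50) -> str:
    """Below the threshold the SMS OTP goes out as normal; at or above it the
    bank falls back to a step-up channel (app push, card reader, branch)."""
    return "sms" if score < threshold else "step_up"


def evaluate(signal: NetworkSignal, profile: CustomerProfile,
             request: OtpRequest) -> Tuple[int, str]:
    score = sim_swap_risk_score(signal, profile, request)
    return score, choose_otp_channel(score)


if __name__ == "__main__":
    # Constructed sample: a SIM changed two days ago and an unfamiliar device
    now = datetime(2019, 9, 17, 9, 0)
    profile = CustomerProfile(known_devices={"dev-A"}, usual_countries={"GB"})
    swapped = NetworkSignal("+44700000000", now - timedelta(days=2), False)
    req = OtpRequest("dev-Z", "GB", now)
    print(evaluate(swapped, profile, req))
```

The weights are illustrative; in practice they would be tuned against the bank's own fraud outcomes, and the `sim_changed_at` timestamp is only as reliable as the network data feed behind it.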
Digital-only banks should already have the data on their customers to allow them to know their behaviours, and larger banks with the budget could also work to provide alternative devices.
Some online- or mobile-only banks already push out notifications to the mobile phones of their users as a way of authenticating, whereupon fingerprint, facial recognition and other biometric elements can be used (depending on the capabilities of the phone, of course). Other, less digitally-mature banks are in the process of distributing more ‘PIN sentry’ devices, some of which are able to read out text from a screen, ensuring accessibility.
So, where to next?
Firms must stay close to their trade body representatives during the phased implementation of SCA rules, as well as to card schemes, so that an industry-wide consensus can be agreed on and solutions rolled out.
Crucially, agreement on what would constitute acceptable behaviour-based data will need to be decided, ideally so that authentication can be successfully delegated away from the issuer. Ideas currently include key-stroke behaviour and spending data. Firms should expect the Program Management Office (PMO) coming out of UK Finance to play a vital role here in endorsing other solutions.
One other role for the PMO will be in co-ordinating and communicating plans from the various industry areas, each of which has its own particular set of problems. The travel industry is an example where, due to the deferred and split nature of payments, agreement on acceptable authentication which satisfies dynamic linking requirements is not straightforward.
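To make the dynamic linking problem concrete, here is an added example (not code from the original post, and not any card scheme's specification) of an authentication code bound to the amount and payee the customer saw, using an HMAC over a per-customer secret shared between the issuer and the customer's authenticator. The key and payment values are constructed. A code issued for one amount or payee does not verify for another, which is exactly what makes deferred or split captures awkward: the amount finally taken has to be the one that was linked.

```python
"""Dynamically linked authentication code: HMAC over amount, currency, payee
and a one-time nonce, truncated to a short code the customer could type.

Added example with a constructed shared key; it illustrates the linking
property, not any particular issuer's implementation.
"""
import hashlib
import hmac
import secrets
from decimal import Decimal


def canonical_payload(amount: str, currency: str, payee: str, nonce: str) -> bytes:
    # Normalise the amount so "120.5" and "120.50" link to the same code
    amt = f"{Decimal(amount):.2f}"
    return f"{amt}|{currency}|{payee}|{nonce}".encode("utf-8")


def issue_code(key: bytes, amount: str, currency: str, payee: str,
               nonce: str, digits: int = 6) -> str:
    """Derive a numeric code from the linked transaction details."""
    mac = hmac.new(key, canonical_payload(amount, currency, payee, nonce),
                   hashlib.sha256).digest()
    # Take 32 bits of the MAC and reduce to the requested number of digits
    value = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


def verify_code(key: bytes, amount: str, currency: str, payee: str,
                nonce: str, code: str) -> bool:
    """Recompute the code for the amount/payee about to be executed and
    compare in constant time; any change to the linked fields fails."""
    expected = issue_code(key, amount, currency, payee, nonce, len(code))
    return hmac.compare_digest(expected, code)


def new_nonce() -> str:
    # Fresh per transaction so the same amount/payee never repeats a code
    return secrets.token_hex(8)


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    nonce = new_nonce()
    code = issue_code(key, "120.50", "GBP", "ACME Travel Ltd", nonce)
    print("code:", code)
    print("same details:", verify_code(key, "120.5", "GBP", "ACME Travel Ltd", nonce, code))
    print("amount changed:", verify_code(key, "121.50", "GBP", "ACME Travel Ltd", nonce, code))
    print("payee changed:", verify_code(key, "120.50", "GBP", "Other Co", nonce, code))
```

Because the code is a function of the exact amount and payee, a customer authenticating a travel booking whose final price is settled later would need the linked amount to cover what is eventually taken, or a fresh authentication for the difference; that is the tension the text refers to.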
As these alternative solutions are approved, as biometric technology improves, and as the latest version of 3-D Secure (2.2) becomes more widely available, the ecosystem will evolve and customers will start to experience something more closely aligned to full PSD2 compliance.
Regulated institutions must be ready to evidence their roadmap to compliance to the FCA and pay particular attention to alternative authentication methods that would be suitable for all customer demographics. Communication is also vital to ensure that customers and merchants alike are both aware of the changes and why they are happening.
One thing is certain: firms must use this time wisely and not expect much further flexibility in enforcement following the rollout period.