Implementation of two-factor authentication for electronic transactions is the latest phase of a payments industry overhaul across Europe — but not all firms are ready

The deadline for SCA compliance in Europe has almost arrived

As of 14 September 2019, new rules governing the payments industry in Europe will come into force, requiring banks and other electronic payment service providers to introduce additional layers of security – known as strong customer authentication (SCA).

Having already established regulations designed to boost innovation and competition across the European financial services industry, the next phase of the EU’s revised payment services directive (PSD2) focuses on fraud prevention and customer protection.

In practical terms, organisations will have to integrate a two-step authentication process into their digital payments mechanisms – meaning a simple password will no longer be sufficient to authorise transactions of more than €30.

In a 2017 statement detailing the new legislation, the European Commission said: “A key objective of PSD2 is to increase the level of security and confidence of electronic payments.

“In particular, PSD2 requires payment service providers to develop strong customer authentication.

“The rules therefore have stringent, built-in security provisions to significantly reduce payment fraud levels and to protect the confidentiality of users’ financial data, especially relevant for online payments.

“They require a combination of at least two independent elements, which could be a physical item – a card or mobile phone – combined with a password or a biometric feature, such as fingerprints before making a payment.”


UK regulator allows delay to SCA implementation to avoid disruption

Many customers will have noticed these changes starting to filter through, with banks asking for an additional security step – such as a PIN, passcode or biometric verification – before authorising transactions.

Yet, despite tomorrow’s long-appointed deadline, not all payment providers will comply immediately with the new rules.

The FCA headquarters in London (Credit: FCA)

The UK’s Financial Conduct Authority (FCA) revealed last month it would introduce an 18-month phased introduction of SCA in the country, following industry pressure to delay the regulation because firms were not prepared.

FCA director Jonathan Davidson said at the time: “While these measures will reduce fraud, we want to make sure that they won’t cause material disruption to consumers themselves, so we have agreed a phased plan for their timely introduction.”


SCA aims to tackle the problem of payment fraud in Europe

Payment fraud is a costly problem for the finance industry, and can be a source of real concern for customers.

Figures from the European Central Bank show that card-not-present fraud – a term that refers broadly to cases of online payment deceit – is now the most prominent type of card fraud across Europe.

In 2016, it accounted for 73% of the €1.32bn total value of card fraud losses in the Single Euro Payments Area (SEPA) – a 2.1% increase on the previous year.

PSD2 and SCA are an effort by European policymakers to shore up digital payment infrastructures across the union, and reduce the exposure to fraud in digital money transfers.


SCA means customers across Europe will have to verify their identity twice before payments are sanctioned

Financial organisations across Europe have been scrambling to get themselves ready for compliance with the new rules governing payments, with significant changes required to ensure their technology is up to scratch in order to meet the new demands.

Speaking at a conference earlier this year, Philip Bonhard, who is the customer experience lead for digital security at Lloyds Banking Group, explained what SCA will look like in real terms.

He said: “Until recently, passwords and usernames have been the way we do security – but providing credentials once is no longer going to be enough.

“You are going to need two out of three of the following – something you know, something you have, and something you are.”

Strong customer authentication will use biometric security tools

The something you know might be a password or some memorable information, the something you have could be a phone or tablet, and the something you are refers to biometrics – like voice, fingerprint or facial recognition.

Whatever the combination of factors, people will soon have to get used to regularly taking an extra security step when making electronic payments.
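To make the "two out of three" rule concrete, here is an added worked example that is not part of the article and not code from Lloyds, the FCA or any other organisation named above. It models one common SCA combination: a password (something you know) plus a time-based one-time code generated on the customer's phone (something you have, implemented as RFC 6238 TOTP over HMAC-SHA1 with only the Python standard library). The €30 figure from the article is used as the sole trigger for requiring the second factor; the real PSD2 exemption rules have further conditions that this example does not model. All user data, secrets and the threshold constant are constructed for the demo. The independence check shows why two passwords do not count as two factors: the elements must come from two different categories.

```python
import hashlib
import hmac
import struct

# Constructed constants for the demo (not from the article or any real deployment).
SCA_THRESHOLD_EUR = 30.00      # article: a password alone no longer suffices above EUR 30
PBKDF2_ITERATIONS = 100_000
TOTP_STEP_SECONDS = 30
FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor at rest: PBKDF2-HMAC-SHA256, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, for_time: int, step: int = TOTP_STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP (HOTP over the time-step counter), the profile authenticator apps use."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Possession factor: accept the current step and one step either side for clock drift.
    Comparison is constant-time so the check does not leak how many digits matched."""
    return any(
        hmac.compare_digest(totp(secret, now + drift * TOTP_STEP_SECONDS), code)
        for drift in range(-window, window + 1)
    )


def independent_categories(verified_factors) -> bool:
    """SCA needs at least two elements from DIFFERENT categories (know / have / are)."""
    categories = {f for f in verified_factors if f in FACTOR_CATEGORIES}
    return len(categories) >= 2


def sca_required(amount_eur: float) -> bool:
    return amount_eur > SCA_THRESHOLD_EUR


def make_demo_user() -> dict:
    """Constructed user record; a real system keeps these in a credential store."""
    salt = b"constructed-demo-salt-16"
    return {
        "salt": salt,
        "pw_hash": hash_password("demo-passphrase-2019", salt),
        "totp_secret": b"constructed-demo-totp-secret",
    }


def authorise(user: dict, amount_eur: float, password: str, totp_code, now: int):
    """Decide whether a payment may proceed. Returns (authorised, reason)."""
    verified = []
    if hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        verified.append("knowledge")
    else:
        return False, "knowledge factor failed"

    if not sca_required(amount_eur):
        return True, "below SCA threshold: password alone suffices"

    if totp_code is not None and verify_totp(user["totp_secret"], totp_code, now):
        verified.append("possession")

    if not independent_categories(verified):
        return False, "SCA required but only one factor category verified"
    return True, "two independent factors verified"


if __name__ == "__main__":
    user = make_demo_user()
    now = 1_568_419_200                         # constructed timestamp for the demo
    code = totp(user["totp_secret"], now)       # what the phone app would display
    print(authorise(user, 25.0, "demo-passphrase-2019", None, now))
    print(authorise(user, 120.0, "demo-passphrase-2019", None, now))
    print(authorise(user, 120.0, "demo-passphrase-2019", code, now))
```

The TOTP routine reproduces the RFC 4226/6238 test vectors (secret `12345678901234567890`, counter 1 gives `287082`), so it can be checked against any standard authenticator app configured with the same secret. The `independent_categories` check is the part most often got wrong in practice: a PIN plus a password both fall under "knowledge" and would be rejected here, exactly as the article's "two out of three" rule requires.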


Some banks in Europe have failed to prepare ahead of SCA deadline

With digital transformation sweeping through the financial services industry, it has become incumbent on banks to update their ageing technology systems to meet the requirements of modern-day security needs and customer expectations.

Danny Healy, industry technology “evangelist” at software firm MuleSoft, said: “The 14 September deadline has been embedded in the minds of the banking community for years, but the FCA’s recent extension to PSD2’s SCA rules highlights the extent to which some banks have faced challenges to prepare and adapt to change.

“The root of the problem lies in the approach that some banks have taken to preparing for PSD2.

“Those that have concentrated solely on compliance, or have taken a rigid approach, building application programming interfaces (APIs) in isolation to expose specific channels such as mobile banking, have ended up with a hard-wired solution.

“However, other banks have seen PSD2 as an opportunity to change their technology delivery model to achieve greater agility and a stronger competitive edge.

PSD2 can be an opportunity for banks to overhaul their technology for the future

“For example, banks like HSBC have built an application network, which exposes their core payment and account APIs in a way that allows their capabilities and data to be consumed more easily in the future.

“That allows the APIs being created to be quickly and easily plugged in and out of new features and functionality as future requirements change.

“Banks that have taken this approach are able to deliver many changes on a weekly basis, as opposed to the traditional rate of a handful of changes on a quarterly cycle.

“As a result, when a new requirement emerges, such as the ability to launch new customer authentication mechanisms, banks with an application network can quickly and easily deal with that change.

“Those banks that found themselves breathing a sigh of relief when the FCA granted an 18-month reprieve to the SCA rules should take stock of their ability to deliver change quickly and reset their approach to APIs to find a more effective strategy.

“The application network model offers the surest way of creating APIs in a way that enables banks to change their products and services with greater agility, to keep up with any changes that the future has in store.”