Fraud & Security PSD2 Strong Customer Authentication – What Do Consumers Think?

Three locks and data
Jan302019

Payment Service Providers are pushing to implement their PSD2 Strong Customer Authentication (SCA) solutions ready for the September deadline. But of course it’s not just them that will be affected – it’s also their customers. Customer experience rather than mere compliance could be the true battleground for PSD2, those PSPs that get it right will have happier customers, better Net Promoter Scores and ultimately will attract and keep more customers.

It is vital that PSPs realize their customers’ understanding of the changes that will happen and their views on how SCA should happen. To inform this conversation FICO carried out a survey across 4 countries (the UK, Sweden, Germany and Spain), in each country 500 adults were surveyed.

Do Consumers Know About PSD2?

Those of us in the payments industry have been aware of and involved in PSD2 projects for several years, so it can be easy to forget that education of the public has not been prevalent.  For our survey, we didn’t expect people to recognize the term ‘PSD2’, so we asked if they were aware that new legislation to tackle fraud meant that they were likely to encounter additional security checks when they make remote payments or use online banking.

The good news is that in every country surveyed most people say they do know at least something about the changes. However, a significant minority were completely unaware that they could expect to see more demands for authentication.

Chart

This is important, as when customers are not expecting change and don’t understand the reasons for it, they are likely to be more resistant to it and dissatisfied by it. To counter this, banks that implement SCA will take the time and effort to educate their customers about the upcoming changes and the reasons for them.

Customers Don’t See the Need for More Checks

Across all countries surveyed, most respondents think there are already enough security checks – or even too many checks. This applied for both card payments and for push payments from their bank accounts.

Chart

This is important, as customers who think there are already enough checks are unlikely to welcome more. PSPs must gain in-depth understanding of where their customers think there are already enough or too many checks. In those instances where PSD2 will increase authentication requirements and customers already think there are enough security checks, they should look to implement low-friction methods.

Pushing a Specific Authentication Method Will Cause Issues

As this article in a UK newspaper shows, being too prescriptive as to how your customers can authenticate with you is likely to backfire. In the case reported, it led to a dissatisfied customer as well as negative publicity and reputational damage. This attitude was reflected in our survey: a significant number of customers would not be happy if they were pushed to provide a mobile phone number in order to authenticate payments.

Chart

While it is true that the majority would comply in providing their mobile phone, those that choose a different course of action could have a considerable negative impact on the business. A successful SCA strategy should allow customers choice whenever possible and shouldn’t deprive them of service if they are unable or unwilling to adopt a particular method.

There Are Many Impediments to Authentication

Offering customers a wide choice of authentication methods is a good place to start in building a customer-centric SCA strategy, but a need to orchestrate authentication methods is also needed. The success of an authentication is dependent on multiple factors, which can change dependent on circumstances. Our survey showed that customers had concerns about many factors that could get in the way of a successful authentication and prevent them from completing transactions. To demonstrate this, we asked consumers which factors they felt would be an impediment if they needed to receive a passcode to a mobile phone when making an online payment. Answers included:

  • It isn’t a secure or intelligent way for banks to contact me
  • Not sure if a passcode would come to me
  • It would be too complicated
  • Other people can access my mobile phone
  • My disability means I can’t use a phone this way
  • I might run out of battery
  • I might not have my phone with me
  • I wouldn’t trust a passcode sent this way
  • There’s poor mobile coverage where I live or work

Many of these factors are not static – for example availability of mobile signal depends on location and network outage. PSPs should be responsive to prevalent conditions and customer preferences and deploy solutions that can dynamically respond, to make sure that no transaction is left without a suitable route to authentication.

FICO is helping PSPs to prepare for PSD2 through the use of transaction risk analysis to limit when they must use SCA, and through the intelligent orchestration and execution of the right SCA to support every customer journey.

You can see our infographics on the survey here:

UK

Germany

Spain (in English)

 

Infographic

in Fraud & Security, Risk & Compliance

2 Comments

  • Thanks for sharing and turning out few interesting insights. I believe I’m not the only one with a strong focus on how to make the public aware of PSD2, it’s opportunities and what it really means. The more it’s interesting to read here about very elementary concerns like running out of battery or not having a mobile net. Worth to think also a little bit more out of the box and consumer basics oriented.

    • Sarah Rutherford

      Thank you Maik – I think it comes down to choice and carefully orchestrated customer journeys, with options that preclude authentication not being possible. One thing I do wonder about is if PSPs are taking enough care for factors such as disability discrimination.