With ambitious goals to open up banking and decimate fraud, PSD2 has taken a long time to deliver, and we’re not quite there yet. In many European Union countries, the implementation of Strong Customer Authentication will become a reality in the coming months – but are they ready? And perhaps more importantly, are their customers?
PSD2 requires security measures to ensure only legitimate customers are transacting, including making e-commerce payments. This means that for online purchases we’re more likely to see authentication requests, and to meet the requirements this authentication must draw on two different categories from the below:
For card transactions, the onus to manage this authentication doesn’t lie with the merchant, the merchant acquirer or the card scheme. Rather it is the issuer, known as the Account Servicing Payment Service Provider (ASPSP), that must administer it. ASPSPs are looking to deliver authentication that not only meets the regulatory requirements but also meets customer expectations for smooth and largely friction-free experiences. Will they succeed?
The OTP Preference
One-time passcodes (OTPs), usually delivered by SMS text to the customer’s mobile phone, are a strong contender for widespread adoption. Many customers are used to this mechanism and a recent FICO survey showed that it is the authentication method most said they were happy to use:
If we use the UK as an example, we can see in the chart below that OTP delivered by SMS is by far the most popular method of authentication. This trend holds true for both Germany and Sweden.
Banks and their customers, it seems, are on the same page about this. Indeed, UK Finance has stated that: “For online e-commerce transactions, the recommended industry position is the use of behavioural biometrics as the second factor in authentication, in addition to the use of an OTP.”
But there’s a snag. To be successful, the card issuers must have the correct mobile phone numbers for their customers. The FICO digital banking survey asked people if the bank account they used the most — likely the issuer of their debit card and often their credit card as well — had their correct mobile telephone number. The results were alarming:
The figures for Germany are particularly concerning, with well over a third saying they haven’t given their bank their current mobile number. While in the UK and Sweden, having the relevant contact data for 83% of your customers may seem reasonably good, if this translates into a failure rate of 17% for e-commerce transactions then it will not be considered acceptable by merchants or their customers.
Germany has traditionally lagged behind countries such as the UK when it comes to the popularity of online shopping, but COVID-19 has accelerated e-commerce growth. Many consumers pushed to online purchases have little experience of using online channels; these customers are arguably the ones who are less likely to have provided a mobile telephone number to their card issuer. COVID-19 has created the perfect storm of increased digital purchases at the point at which Strong Customer Authentication must be implemented.
If card issuers are aware of the problem, they can of course take steps to mitigate it, offering their customers other means of authentication or embarking on a rigorous campaign to collect the missing contact data. In the 2020 FICO banking survey carried out in May, we found that German banks have over-estimated the proportion of correct customer data they have. Over 40% of the German banks surveyed claim they have accurate contact data for one-time passcode delivery for at least 80% of their customers – but only 63% of German consumers surveyed said they have provided this information.
It would seem that e-commerce transactions could see a relatively high failure rate due to the implementation of Strong Customer Authentication in all countries surveyed. It is likely that this will have a bigger overall impact in countries such as the UK, where there is mass adoption of e-commerce, and in Germany, where the accuracy of customer contact data is particularly poor.