PSD2 Strong Customer Authentication – 3 Factors for Success

From September this year, PSD2 requires Payment Service Providers (PSPs) to secure more transactions using Strong Customer Authentication. PSD2 mandates a framework for when customers must be authenticated using two different factors from:

Asking customers to provide these elements is likely to be disruptive to them, delaying or even preventing them from making payments or carrying out other activities. Customers will lay the blame for this disruption at the feet of their PSPs; those that provide a poor customer experience will lose customers to those that do it better.

What Can PSPs Do?

There are two main areas that PSPs need to look at in order to reduce the impact of Strong Customer Authentication on their customers:

• Reduce the number of instances where Strong Customer Authentication must be deployed. Those PSPs that can keep fraud levels low will have to do less Strong Customer Authentication, instead they will be able to secure payments using transaction risk analysis, as described in a previous blog.
• Make sure necessary Strong Customer Authentication is as smooth and frictionless as possible for customers.

PSPs are now actively implementing strategies to help them meet their Strong Customer Authentication obligations, so what are the key factors they should consider?

1.  Compliance with Regulation

This is an obvious area of focus, however there are some factors that are easily overlooked. PSPs need to:

• Deliver consistently across all channels and transaction types and not leave any transactions without an acceptable route to compliant authentication.
• Choose solutions that are scalable – it is likely that more transactions will need strong customer authentication and it must be in real time. It is vital that chosen solutions are proven to deliver the required and potential future volumes without creating performance issues. This is particularly important as PSD2 makes it mandatory to report any system outages to the regulator.
• Understand the intersection with other applicable legislation. For example, restricting the options for authentication could see some customers disadvantaged. This could impact compliance with equality legislation, such as the Equality Act 2010.

2.  Improved Customer Experience

If PSD2 compliance comes at the cost of customer experience, then the PSP is likely to lose customers to those that have taken a more customer-centric approach to Strong Customer Authentication. As the infographic below shows, there are 3 things that banks are getting wrong when they build their Strong Customer Authentication solutions without paying enough attention to their customers’ journeys.

They dictate to customers how they must authenticate. A FICO survey of 500 UK adults found that if their bank told them they must provide a mobile phone number for authentication purposes, only 53% would do it willingly.

They don’t offer enough choice of authentication methods. Even looking at something as simple as the delivery of a one-time passcode there was much diversity in how people would like to see it delivered. The most popular method is a text message to a mobile phone, however 61% of UK adults prefer another method.

They don’t sufficiently account for factors that could prevent successful Strong Customer Authentication. An inflexible approach means the presumption is made that the prescribed method of authentication can always be completed. This is far from the truth — for example, a mobile phone signal can fail at any time, or a customer could be concerned about multiple people having access to their home phone. This attitude means that many PSPs are not deploying Strong Customer Authentication orchestration that can ingest information about changing factors and dynamically react to conditions such as a network outage or a higher risk factor being in play, such as a SIM swap.

3.  Cost-Effective Efficiency

Short-term policies that look to achieve minimal possible compliance are likely to increase costs. Without a strategic solution that takes an enterprise-wide view, inefficiencies and failures will be baked into the system that will end up costing more. To manage this PSPs should:

• Deploy risk modelling across all channels to reduce false positives and thereby reduce reliance on costly manual intervention.
• Reduce the risk of lost revenue by offering lower friction routes to authentication in cases – such as payments - where transaction abandonment will cause lost revenue.
• Limit costs by implementing lower cost authentication methods when friction to customers is less of an issue.
• Reduce the need for Strong Customer Authentication as much as possible by securing payments with lower cost and friction-free transaction risk analysis whenever permissible and desirable.
• Automate case management and customer communications to resolve cases faster with less customer disruption at lower cost.

Managing all the above parameters through a single platform helps you to stop duplication of effort, reduce service costs and lower integration costs.

Our PSD2 Strong Customer Authentication solutions work holistically to help you achieve PSD2 compliance, cost-effective efficiencies and satisfied customers. For more information, read our solution overview sheet.