PSD2 SCA Delay: What Must You Do by September 14?
For further reading, please refer to Rob’s previous two-part blog series covering the threats of PSD2 and further actions ahead of the September 14 deadline.
With only a short time remaining until the September 14 compliance deadline for Strong Customer Authentication (SCA), significant changes have been announced to the scope of what will be enforced. Where do we now stand, and what might remain to be done ahead of the pending deadline? Let’s put some clarity around all the changes that have occurred recently.
Ever since the EBA’s clarification statement back in June, changes have been viewed as likely, and the Financial Conduct Authority (FCA), along with the Central Bank of Ireland, has now made two statements on the September compliance dates. The high-level view of these changes includes the following delays:
- 18-month delay to Strong Customer Authentication (SCA) for e-commerce
- 6-month delay to enforcement around the continuing use of screen scraping by TPPs and the lack of backup interfaces at banks
It’s worth restating what the SCA requirement comprises at this point. First, SCA requires at least two authentication factors, from a possible three, when undertaking transactions. The three types of factor are something you know (e.g. a password), something you have (e.g. a device) and something you are (e.g. a biometric). Importantly, the EBA’s latest guidance clarifies that the card data itself cannot be used as the knowledge factor, and that an OTP, say via SMS, acts as a proxy for possession of the phone (number).
What does this requirement mean in practice to a financial institution?
The FCA no longer requires SCA to be in place from September for e-commerce transactions. This change covers not only cards used online to buy something but also remote recurring card payments. This provides enough time for solutions such as 3DS2.2 and Secure Remote Commerce from EMVCo to be rolled out effectively. Importantly, it also provides the opportunity for an industry-led communications programme, similar to ‘I love Chip & Pin’, to be rolled out to boost education on the changes.
Whilst this delays enforcement for 18 months, it does not mean a complete delay of any changes to authentication for that long. UK Finance has proposed a managed rollout, suggesting the following evolutionary timeline:
- From February 2020, issuers will begin to undertake step-up authentication using risk-based authentication (RBA) and One Time Passcodes (OTPs), where this can be supported.
- In March 2020, issuers should be able to support 3DS2.1/2 and test with supporting merchants. This will continue to be rolled out with merchants over the coming months as 3DS2.1/2 becomes more widespread, with communications to support it.
- From March 2021, full enforcement will come into place, with transactions being declined where there is no SCA or relevant exemption. By this point, SCA solutions will have matured to support biometrics and mobile app-based methods of SCA. However, as not all customers will have smartphones, a backup of behavioural biometrics (something you know) and an OTP (a proxy for something you have) will be needed for those without smartphones.
There will also be some leniency for the next six months for SCA related to some Open API transactions. The Open APIs must be supported, but where a bank did not have them available by 14th June 2019, TPPs will be able to continue screen scraping, provided they do not hide their identity. Importantly, SCA will not be required here.
This means that there are quite a few elements of PSD2 that are still required to be in place by September 14th.
First, SCA will still be required for remote banking transactions where an exemption does not apply. This covers both online and mobile banking. For one UK bank trialling voice banking via Google Home, that channel would also be covered. Given that it only exposes balances, SCA will only need to be performed every 90 days.
SCA will also still be required for contactless card transactions over 30 EUR, cumulatively over 150 EUR, or after five transactions. Xpay will not require additional authentication, and those in the biometric card pilot will also be able to authenticate without a PIN whilst using the contactless interface.
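As an added example (not code from the original post), here is how an issuer host could apply the contactless thresholds just described: a single transaction over 30 EUR, a cumulative total over 150 EUR, or a sixth transaction triggers step-up. It assumes that the cumulative counters reset whenever SCA is performed, that amounts are tracked in cents, and that the per-card state lives in a simple in-memory object.

```python
"""Contactless SCA exemption check (added example, not from the original post)."""
from dataclasses import dataclass

# Thresholds as stated in the text: 30 EUR single, 150 EUR cumulative, 5 transactions.
SINGLE_LIMIT_CENTS = 30_00
CUMULATIVE_LIMIT_CENTS = 150_00
COUNT_LIMIT = 5


@dataclass
class CardState:
    """Assumed in-memory per-card counters since the last SCA (constructed for this example)."""
    cumulative_cents: int = 0   # contactless value accumulated since last SCA
    count_since_sca: int = 0    # contactless transactions since last SCA


def sca_required(state: CardState, amount_cents: int) -> bool:
    """True if this contactless transaction must be stepped up to SCA."""
    if amount_cents > SINGLE_LIMIT_CENTS:
        return True                                   # single-transaction limit
    if state.cumulative_cents + amount_cents > CUMULATIVE_LIMIT_CENTS:
        return True                                   # cumulative-value limit
    if state.count_since_sca + 1 > COUNT_LIMIT:
        return True                                   # sixth transaction since SCA
    return False


def record_transaction(state: CardState, amount_cents: int, sca_performed: bool) -> None:
    """Update the counters; an SCA-authenticated transaction resets them (assumption)."""
    if sca_performed:
        state.cumulative_cents = 0
        state.count_since_sca = 0
    else:
        state.cumulative_cents += amount_cents
        state.count_since_sca += 1


def simulate(amounts_cents: list[int]) -> list[bool]:
    """Run a sequence of contactless amounts on a fresh card, stepping up whenever
    required, and return the per-transaction SCA decisions."""
    state = CardState()
    decisions = []
    for amount in amounts_cents:
        needed = sca_required(state, amount)
        record_transaction(state, amount, sca_performed=needed)
        decisions.append(needed)
    return decisions


if __name__ == "__main__":
    # Constructed sample: seven 25 EUR taps; the sixth is stepped up, then counters reset.
    print(simulate([25_00] * 7))
```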
Perhaps more importantly, all PSPs, which includes PISPs, must have fraud profiling that meets Article 2 of the RTS. While Article 2 does not specify this as needing to be real time, the FCA’s guidance is that they expect it to be. If you are processing real-time payments, then not having real-time profiling is going to cost you dearly, as fraudsters punish those without such capabilities. This profiling should also cover transactions (monetary and non-monetary) made via TPPs and include AISP as well as PISP transactions.
In the case of remote banking, if the Transaction Risk Analysis Exemption (TRA) is to be used then the fraud profiling needs to be more sophisticated. Such a fraud profiling solution should provide entity-based profiles, so this can cover TPPs, merchants and beneficiaries, as well as your own customers. Understanding the normal behaviour for each of these entities and their relationships together is key for preventing fraud and reducing false positives.
A fraud management solution should also be able to take additional data sources, such as device, location, behavioural biometric and malware detection data into account, enriching the underlying data.
Lastly, the new fraud reporting regime is underway, and is still required to be adhered to.
As always, there will be unintended consequences to such a delay. It will likely add to an already confusing picture for consumers about the necessary authentication steps, which means that an increase in social engineering is almost inevitable. Getting key communications to customers about what to do and what not to do over the next few weeks will be key.
This delay needs to be put to good use, so that well thought out fraud prevention and authentication systems can be designed, built and be in place ahead of March 2021.