Make SCA a Complete Solution
by Marcus Nasarek

The new EU payment service regulation was adopted by the member states on January 13th 2018. Since that was 3 months ago, we should find some indications of how this will change the market. We probably would, if the tricky parts and two of the main pillars of this new regulation were not still in progress. Meanwhile, more and more stakeholders of the digital market are getting a sense of how that regulation could impact the customer experience, and they know very well that the user interface decides the success or failure of a business. The legal requirement for strong customer authentication and the XS2A interfaces will very likely cut into businesses if they don't adopt them properly. But how to adopt them properly?

Assets at Stake

There are businesses with a very strong customer relationship: a bank establishes and maintains trust, and the customer knows that the assets are safe. Also, bank products beyond making a credit transfer are rather complex and more of an administrative task than just moving money from A to B. It makes absolute sense to put some effort into proper authentication procedures if your assets are at stake. Following that logic, the requirement of allowing third parties to access the customer's account (XS2A) needs proper security measures so as not to put the customer's funds at risk. This said, the requirement for strong customer authentication is a very important security measure to enable the digital change and simultaneously protect the customer. The customer appreciates that effort, eventually, because (s)he doesn't want to risk the assets.

Avoid flying blind

It must have been pretty difficult for the EU commission to find a way to establish the new rules and guarantee a level playing field. Banks didn't like the new players, and therefore they should not be the gatekeepers deciding who accesses the account and how, for example by setting up contracts. To be very clear, it would need specific requirements on a technical level to make the tasks unambiguous. On the other hand, regulation has to be technology neutral and not define technical specifics. As a result, all these problems were left to the European Banking Authority (EBA), which was mandated to define Regulatory Technical Standards and Guidelines to clarify the regulatory requirements. The EBA has mainly completed this task; as one of the last measures, the Regulatory Technical Standard on Strong Customer Authentication and Secure Communication has been published and has to be implemented by around September 2019. Once the legal and regulatory framework is complete, regulators will have much more visibility of systemic risks and the nature of security incidents. Compliance procedures will help to weather the storm of cybercrime in the coming years.

Far from a complete solution

If both security measures and compliance procedures are implemented, one could say 'mission completed!' and move ahead. Now the new legal framework will foster innovation on the digital market and businesses will benefit from open bank accounts. Well, that's not how a business works. The authentication procedure is one of the most critical steps in a customer interaction. If it is too cumbersome with respect to the task to be achieved, the customer will find other ways to get the job done. If it is too easy to steal an account, it is not possible to establish trust. What 'too cumbersome' and 'too easy' mean depends on the customer experience of a specific use case. Thus, to really foster innovation one has to consider the respective environment of the customer and where the authentication procedure is to be performed. For a bank it could be an easy decision to apply strong customer authentication with the management of financial assets as the only use case in mind. Then a customer should be fine with some effort to perform authentication, and a multi-step, multi-device approach would not be considered 'cumbersome'. Though this is fine to protect the funds, it can easily be the end of a business that wants to play a role in e-commerce or even in the customer's digital everyday life.

Payment is not Banking

The payment services the new legal framework wants to support incorporate a much longer value chain than a typical banking service. The business model of a payment service is directly linked to the overall revenue processed, and because the customer chooses where to buy, customer loyalty is key. Still, a payment service measures KPIs for business performance very similar to those a bank monitors:

  • Total Revenue: How many sales or contracts? What was the main driver of that revenue?
  • Conversion Rate: Successful transaction or did the customer abandon?
  • Customer Activity: How many active customers? Why did they use the service?
  • Costs: What are the operational and procedural costs? Any costs related to reputation? Side effects?

But for a payment service, in contrast to the bank's business model, every single execution of an authentication procedure has an impact on all of the KPIs above. From 3-D Secure-protected card payments on the internet we learned that in high risk environments the conversion rate can increase if additional authentication steps are applied, but we also learned that the conversion rate can drop by 50% in moderate risk environments if the authentication procedure is poorly implemented and communicated. Not many businesses in e-commerce can survive if half of the business is at risk. If a bank wants to be relevant for internet payments and not just hold the funds for others to make a business out of, the authentication procedure can be an opportunity to become a daily touch point for the customer.

Make SCA complete

A chair with legs each of a different length would be useless. So would be an authentication procedure focussing only on security and compliance. A bank needs to take a closer look at the KPIs of the merchant and the customer journey in e-commerce to stay relevant for payments. The same holds the other way around: strong customer authentication for payments will change the customer's expectation for authentication procedures regarding banking services. The authentication procedure should adopt the customer's perspective of the use case.

Interestingly enough, the new regulation and the RTS on Strong Customer Authentication offer a couple of opportunities to do exactly that. There is a whole Chapter III on exemptions from strong customer authentication. For those cases it is up to the issuer of the payment instrument to choose what procedure to apply. That can help to tweak the conversion rate, as customers are not burdened with multi-step procedures to buy a 2 EUR electronic newspaper. For use cases related to a user account, the login procedure can be combined with the payment authorization procedure to make it easier for the customer and thus increase the activity rate. If, furthermore, the authentication procedure is multi-tenant capable, supporting many different environments with one unified authentication solution, the customer experience becomes much more frictionless. A hidden treasure in the SCA requirement is the support for the context of a payment. Though dynamic linking is just one specific requirement for binding context to the authentication, it can be key to establishing trust and to supporting many more use cases. Linking the authentication procedure to the context moves the authentication procedure into the customer's sphere. Giving consent to something, retrieving information about the underlying business, controlling the risk of a specific customer environment: all this comes nearly for free if carefully considered. And if it is applied to the technical platform the customer is using, mobile first, a bank will not lose relevance in the end.
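To make the dynamic linking idea concrete, here is an added example (not from the original article, and not code from any bank or payment scheme) of an authentication code that is bound to the payee and amount the payer confirmed. It assumes a per-device secret shared with the issuer, an HMAC-SHA256 construction with HOTP-style truncation to an 8-digit code, and constructed sample values; the context fields, key and identifiers are all hypothetical.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Constructed demo secret shared between the payer's enrolled device and the
# issuer's verification service. A real deployment would keep a per-device key
# in a secure element or HSM; this fixed value only makes the example deterministic.
DEMO_DEVICE_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class PaymentContext:
    """The payment context the authentication code is bound to (dynamic linking)."""
    payee: str            # e.g. the payee's IBAN or merchant identifier (hypothetical)
    amount: str           # decimal string so device and issuer never disagree on rounding
    currency: str
    transaction_id: str   # unique per payment attempt, so a code cannot be reused


def canonical_context(ctx: PaymentContext) -> bytes:
    """Deterministic byte encoding so device and issuer MAC identical input."""
    return json.dumps(asdict(ctx), sort_keys=True, separators=(",", ":")).encode()


def generate_auth_code(device_key: bytes, ctx: PaymentContext) -> str:
    """Payer's device: compute the 8-digit code after the payer has seen and
    confirmed payee and amount. Any change to the context changes the code."""
    mac = hmac.new(device_key, canonical_context(ctx), hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226) to a customer-readable number.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


def verify_auth_code(device_key: bytes, ctx: PaymentContext, presented: str) -> bool:
    """Issuer side: recompute over the order it is about to execute and compare
    in constant time. A code linked to a different amount or payee fails here."""
    expected = generate_auth_code(device_key, ctx)
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """One legitimate authorisation and two orders whose context no longer
    matches what the payer confirmed."""
    confirmed = PaymentContext(payee="DE00CONSTRUCTED0000000001", amount="2.00",
                               currency="EUR", transaction_id="txn-0001")
    code = generate_auth_code(DEMO_DEVICE_KEY, confirmed)

    # The issuer receives the payment order together with the code. If the order
    # matches what the payer confirmed, execution proceeds.
    original_ok = verify_auth_code(DEMO_DEVICE_KEY, confirmed, code)

    # If the order that arrives differs from the confirmed one (amount or payee
    # changed anywhere between the payer's screen and the issuer), the code
    # no longer verifies and the issuer must reject the order.
    altered_amount = PaymentContext(payee=confirmed.payee, amount="200.00",
                                    currency="EUR", transaction_id="txn-0001")
    altered_payee = PaymentContext(payee="DE00CONSTRUCTED0000000002", amount="2.00",
                                   currency="EUR", transaction_id="txn-0001")
    return {
        "code": code,
        "original_accepted": original_ok,
        "altered_amount_accepted": verify_auth_code(DEMO_DEVICE_KEY, altered_amount, code),
        "altered_payee_accepted": verify_auth_code(DEMO_DEVICE_KEY, altered_payee, code),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for a payment service is that the same mechanism carries the use-case context the article talks about: whatever the payer is shown and confirms (payee, amount, and with further fields consent scope or the merchant's identity) is what the issuer can later prove was authenticated, and an order that drifts from it is rejected rather than silently executed. The per-attempt transaction identifier keeps one confirmed code from being replayed against a second order with the same payee and amount.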