Fintech is the crown jewel in the UK’s tech revolution, with the sector raising a record $11.6bn in 2021 according to Innovate Finance, far ahead of any other European country. The second Payment Services Directive (PSD2), transposed into UK law as the Payment Services Regulations 2017 (PSRs) and retained after Brexit, has played a significant role in providing a supportive regulatory environment in the UK and creating fertile ground for innovation.
Fintech is now pervasive in every sector of the economy, from ecommerce to health, and it is no exaggeration to say that every company, big or small, is now a fintech company. While that brings a wealth of opportunities, these same companies also find they are potentially subject to more regulation than ever, given the pervasiveness of legal diktats in financial services in general.
Case in point: PSD2 aimed to transform the payments landscape into a more competitive, more consumer-focused data-sharing ecosystem by requiring banks to give regulated third-party providers direct access to their customers’ financial data with the customer’s consent. It also aimed to make payments safer by mandating Strong Customer Authentication (SCA) for most electronic payments.
In ecommerce, the PSRs’ SCA rules are designed to combat checkout fraud, which rose to $20bn in 2021, by requiring merchants to authenticate customers who make an online purchase. For retailers, SCA also brings an additional benefit: once a transaction has been authenticated through the issuer (for example via 3-D Secure), liability for fraud on that transaction shifts from the merchant to the card issuer.
A report published by the European Banking Authority (EBA) showed that steadily increasing application of SCA across the EU has been accompanied by a commensurate decline in recorded fraud. According to the EBA, the average value of fraudulent transactions across the EU decreased by approximately 50% between June 2020 and April 2021.
The looming SCA cliff edge
The deadline for compliance was initially set as 14 March 2021 but has already been extended twice, partly at the behest of retail industry bodies like the British Retail Consortium (BRC), because of concerns about industry readiness (sound familiar?) and the COVID-19 pandemic.
The deadline is now 14 March 2022. But card issuers have already begun issuing ‘soft declines’ on some non-compliant transactions, that is, declines that ask the merchant to resubmit the payment with SCA applied. This is part of a ‘Ramp Up’ scheme implemented by UK Finance (the industry body for retail banks and payment services) through a series of incremental steps, targets and monitoring between January and March, intended to minimise customer and merchant disruption. After this, enforcement steps up. For anyone in the space who is still not fully prepared, that is a cliff edge.
That deadline is fast approaching (UK Finance has a slightly ominous countdown clock on its SCA page) and the Financial Conduct Authority (FCA) has ruled out any further extensions. Unprepared ecommerce merchants and online retailers therefore risk becoming collateral damage if they fail to comply.
Fail to prepare, prepare to fail
While SCA aims to give customers peace of mind that they won’t fall victim to fraud, some retailers have grumbled that the changes have caused unnecessary disruption to their payment flows. They also warn of a significant increase in friction in customers’ online experiences, potentially harming long-term brand loyalty.
In the EU, where SCA has already come into effect under PSD2, some merchants have indeed seen a large hit to their conversion rates: in France, Germany and Spain, some firms saw a drop of up to 40%. This has understandably raised concern among UK retailers that the same will happen here in March.
However, there are reasons for optimism. UK Finance and the BRC have been pushing hard to prepare card issuers and online retailers for the change. What’s more, adoption of SCA, PSD2/PSRs and Open Banking-related measures in the UK has consistently outstripped that of any other European country, which could cushion any fallout from these changes.
As the deadline approaches, it is also important for ecommerce merchants and retailers to keep an eye on the broader competition: the March deadline could be a litmus test of how well they are competing in our increasingly digital economy. Retailers now face competition on all fronts, and both traditional and unconventional threats lie around the corner. After all, the promise of the PSRs is a level playing field that encourages innovation and competition. This deadline therefore matters in more ways than one.
Avoid being scarred by SCA
Many issuers and banks already offer authentication for online purchases based on mobile banking apps or a One Time Passcode (OTP) sent to the customer’s phone. An OTP on its own, however, is not sufficient under the SCA rules.
Why? Because authentication under SCA must combine at least two independent elements drawn from different categories, as clarified by the EBA in its June 2019 ‘SCA Opinion’: knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). An SMS OTP evidences possession (the code is delivered to a device that only the customer holds) and nothing else; in particular, the EBA is explicit that a code generated by or received on a device is not a knowledge element, because the customer does not memorise it. Two elements from the same category, such as a card and a phone, still count as only one.
A second authentication method from a different category, either inherence or knowledge, is therefore required alongside the existing OTP. The industry has weighed up several options, mainly behavioural biometrics (inherence) and an additional password (knowledge).
Analysing both through the lens of reducing customer fraud and checkout friction, the general industry consensus is that behavioural biometrics is the preferred solution (as recommended by UK Finance). Indeed, the FCA itself has signalled its support for this approach in principle because of the potential benefits to both merchants and customers.
In this context, continuous authentication (whereby behavioural characteristics and interactions with a device are continually captured and evaluated to build a profile against which the user is authenticated) could unlock immense value for online retailers, banks and card issuers, and their customers, including those running legacy systems, while reducing friction and improving security. One caveat: contextual signals such as GPS location are useful inputs to transaction risk analysis, but location is not itself knowledge, possession or inherence, so it cannot stand in for one of the two required elements.
While acknowledging that inherence-based solutions were the fastest-moving category, in its SCA Opinion the EBA set out a non-exhaustive list of examples which may constitute behavioural biometrics, with PSU meaning the payment service user: ‘keystroke dynamics (identifying a user by the way they type and swipe, sometimes referred to as typing and swiping patterns), the angle at which the PSU holds the device and the PSU’s heart rate (uniquely identifying the PSU).’
In short, behavioural biometrics lets online retailers avoid more onerous and more easily phished solutions such as additional passwords, by profiling the user’s behaviour in the background as they naturally navigate a site or app. Two conditions still apply: the regulatory technical standards require each element to be independent of the others, so a compromise of the phone that receives the OTP must not also compromise the inherence check, and an inherence element must give a very low probability of an unauthorised party being accepted, which means false-accept rates have to be measured, not assumed.
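To make the mechanics of the preceding paragraphs concrete, here is an added illustration (not ForgeRock, UK Finance or EBA code) of the simplest behavioural biometric the EBA lists, keystroke dynamics, feeding an SCA two-element decision. It enrols a profile from a few typing sessions, scores a new session by how far its timings sit from that profile, and only then counts inherence as satisfied alongside an OTP-based possession element. The feature set (per-key hold and inter-key flight times), the z-score distance, the `MIN_SD` floor, the `THRESHOLD` and every timing session are assumptions constructed for the example; a production matcher would use far richer features and a measured false-accept rate.

```python
"""Keystroke-dynamics matcher plus an SCA two-element check.

Added illustration, not vendor or regulator code. The feature set, the
z-score distance, MIN_SD, THRESHOLD and all timing data are assumptions
constructed for this example.
"""
from statistics import mean, pstdev

MIN_SD = 5.0      # ms; floor on per-feature stdev so a near-constant feature cannot dominate (assumption)
THRESHOLD = 2.0   # mean |z| above which a session is rejected (assumption)

# A session is a list of (key, press_ms, release_ms) events captured while the
# payment service user types a fixed string, here "pay". Constructed data.
ENROL_SESSIONS = [
    [("p", 0, 92), ("a", 214, 292), ("y", 438, 540)],
    [("p", 0, 88), ("a", 206, 288), ("y", 442, 544)],
    [("p", 0, 95), ("a", 212, 290), ("y", 436, 536)],
    [("p", 0, 86), ("a", 208, 290), ("y", 446, 548)],
]
GENUINE_SESSION = [("p", 0, 91), ("a", 209, 291), ("y", 441, 543)]
IMPOSTOR_SESSION = [("p", 0, 180), ("a", 420, 600), ("y", 900, 1100)]


def features(session):
    """Hold time per key and flight time (next press minus this release) per key pair."""
    feats = {}
    for i, (key, press, release) in enumerate(session):
        feats[f"hold:{key}"] = release - press
        if i + 1 < len(session):
            next_key, next_press, _ = session[i + 1]
            feats[f"flight:{key}>{next_key}"] = next_press - release
    return feats


def enrol(sessions):
    """Profile = per-feature (mean, stdev) over enrolment sessions.
    Features seen in fewer than two sessions are dropped: one observation has no spread."""
    columns = {}
    for s in sessions:
        for name, value in features(s).items():
            columns.setdefault(name, []).append(value)
    return {name: (mean(vals), max(pstdev(vals), MIN_SD))
            for name, vals in columns.items() if len(vals) >= 2}


def score(profile, session):
    """Mean absolute z-score over features present in both profile and session.
    Returns None when nothing overlaps (e.g. the user typed a different string),
    so callers fail closed rather than accepting an empty comparison."""
    observed = features(session)
    zs = [abs(observed[name] - mu) / sd
          for name, (mu, sd) in profile.items() if name in observed]
    return sum(zs) / len(zs) if zs else None


def inherence_ok(profile, session, threshold=THRESHOLD):
    """Behavioural-biometric decision: inherence counts only on a close match."""
    s = score(profile, session)
    return s is not None and s <= threshold


def sca_satisfied(possession, knowledge, inherence):
    """SCA needs at least two elements from distinct categories; two possession
    elements (card plus phone) still count as one category."""
    categories = {name for name, ok in (("possession", possession),
                                        ("knowledge", knowledge),
                                        ("inherence", inherence)) if ok}
    return len(categories) >= 2, categories


def checkout_decision(profile, session, otp_verified):
    """Combine an SMS OTP (possession) with the behavioural score (inherence)."""
    return sca_satisfied(possession=otp_verified,
                         knowledge=False,
                         inherence=inherence_ok(profile, session))


if __name__ == "__main__":
    profile = enrol(ENROL_SESSIONS)
    print("genuine score:", round(score(profile, GENUINE_SESSION), 2))    # 0.22
    print("impostor score:", round(score(profile, IMPOSTOR_SESSION), 2))  # 22.32
    print("OTP only:", checkout_decision(profile, [], True))
    print("OTP + genuine typing:", checkout_decision(profile, GENUINE_SESSION, True))
    print("OTP + impostor typing:", checkout_decision(profile, IMPOSTOR_SESSION, True))
```

The point of the last three calls is the one the article makes: an OTP alone yields a single category and fails the check, the OTP plus a matching typing profile passes, and the OTP plus an impostor’s rhythm fails even though the possession element was genuine. The `None` path in `score` is deliberate: a session with no comparable features must not be scored as a perfect match.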
If ecommerce merchants haven’t done so already, they must work with card issuers and payment gateways to A/B test these solutions, to ensure minimum disruption and to fit them to their business’s particular circumstances. Disruption and plunging conversion rates aren’t a foregone conclusion, but time is quickly running out for retailers that aren’t prepared.
Nick Caley, VP of UK and Ireland, ForgeRock