Back to Basics: What is SCA?
First published: 13/04/2022
updated: 21/10/2022
Kaity Roberts
Strong Customer Authentication (SCA) reduces fraud and makes payments more secure. As an individual, you may not think twice when your bank asks for two-factor authentication (2FA) during online checkout. But for banks, Electronic Money Institutions and any regulated issuer, SCA means the difference between compliance and non-compliance. In the second of our Back to Basics series, we dive deeper into the evolving world of SCA and ask ourselves: does SCA play a bigger role in our lives than we imagine?
If you work in the world of Open Banking, you have probably already read plenty of articles about strong customer authentication. But quite a few years have now passed since SCA made its appearance in 2017 in the Revised Payment Services Directive (PSD2) and the Regulatory Technical Standards (RTS). With the deadline for implementation having been extended multiple times (from 2019 to 2022, depending on the country), follow along as we revisit the origins of SCA and how it has been playing out in the financial landscape over the last few years, both positively and negatively.
Strong Customer Authentication (SCA)
The first time the EBA used the phrase ‘SCA’ was in 2014, with the Securepay guidelines. However, the idea behind it didn't really stick until the Revised Payment Services Directive, more commonly known as PSD2, emerged with the goal of better protecting consumers making online payments. The requirement for strong customer authentication in the majority of these payments was a key focal point of the regulation. This is why many consider PSD2 the real game-changer: the one that created the market for new players to enter traditional provider systems and give customers a different way to access services and get more from their data.
Because SCA is part of the European Union’s PSD2, it applies to all payments made and/or received within the EEA. This means businesses, banks and payment gateways in all EU countries, as well as Iceland, Norway, and Liechtenstein. And because it was implemented in 2019 (back before Brexit), PSD2 is also part of UK legislation.
To significantly increase the security of online transactions, SCA requires multi-factor authentication (MFA), meaning that transactions must be authenticated with at least two of these three factors:
- Possession: Something the user has, like a token.
- Knowledge: Something the user knows, like a pin or a password.
- Inherence: Something the user is, most commonly biometrics (such as a fingerprint).
As mentioned, SCA is often associated with MFA or two-factor authentication (2FA). However, if your business needs to be SCA compliant under PSD2, two-factor authentication by itself is not enough. 2FA is an important part of SCA, but it is not the only requirement in the regulation. The requirements of the European Banking Authority (EBA) cover three main aspects:
- Two-factor authentication
- Secure execution environments
- Dynamic linking
For end-users, having to complete a two-factor authentication is the biggest change brought on by SCA. But this is not overly complicated: many consumers are used to verifying certain transactions with two factors, including OTPs sent by SMS and dongles that generate time-based login codes. However, the transition of SCA into a day-to-day reality for payment industry players has not been as easy, mainly because SCA affects the entire payment chain and forces a major shift in liability when fraud occurs and needs settling.
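As an added illustration (not code from the original article), here is a Python sketch of two of the three EBA aspects listed above: the two-of-three factor rule and dynamic linking, where the authentication code is bound to the amount and payee so it cannot be reused for a different transaction. The device key, payee names, amounts and nonce are constructed values, and the HMAC construction is an assumption of the example, not a format prescribed by PSD2.

```python
import hmac
import hashlib
import secrets
from decimal import Decimal

# The three SCA factor categories named in the RTS.
FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


def meets_two_factor(verified_factors):
    """True if at least two *different* categories were verified.
    Two factors of the same category (PIN + password) do not count."""
    categories = {c for c in verified_factors if c in FACTOR_CATEGORIES}
    return len(categories) >= 2


def canonical_payment(amount, payee, nonce):
    # Fixed encoding so issuer and authenticator hash identical bytes.
    return f"{Decimal(amount):.2f}|{payee}|{nonce}".encode()


def make_auth_code(device_key, amount, payee, nonce):
    """Authenticator side (possession factor): the code is an HMAC over the
    amount and payee, so it is only valid for this exact transaction."""
    msg = canonical_payment(amount, payee, nonce)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify_dynamic_link(device_key, amount, payee, nonce, code):
    """Issuer side: recompute over the amount and payee it will actually execute."""
    expected = make_auth_code(device_key, amount, payee, nonce)
    return hmac.compare_digest(expected, code)


def authorise_payment(device_key, verified_factors, amount, payee, nonce, code):
    """Both EBA aspects must hold: two independent factors AND a valid dynamic link."""
    return meets_two_factor(verified_factors) and verify_dynamic_link(
        device_key, amount, payee, nonce, code)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed: key provisioned to the user's app
    nonce = secrets.token_hex(8)    # constructed: issuer challenge for this payment
    code = make_auth_code(key, "49.99", "Acme Shop", nonce)
    # PIN (knowledge) + app-generated code (possession): compliant -> True
    print(authorise_payment(key, ["knowledge", "possession"], "49.99", "Acme Shop", nonce, code))
    # Same code presented with a changed amount: dynamic link fails -> False
    print(authorise_payment(key, ["knowledge", "possession"], "490.99", "Acme Shop", nonce, code))
    # Two knowledge factors only: not SCA -> False
    print(authorise_payment(key, ["knowledge", "knowledge"], "49.99", "Acme Shop", nonce, code))
```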
The Contentious Debate
Because SCA is an additional step that customers must take, it leaves in its wake an increase in friction during the payment process. Merchants care about this friction because it directly affects them: prospective buyers who are asked to do what they deem “too much” during checkout are prone to cart abandonment and may choose a competitor the next time they shop online.
However, because SCA moves the authentication choice (and responsibility) from the merchant to the issuer, e-merchants have lost some control over their users’ shopping experience. So, if their customer’s bank happens to provide a bad or faulty SCA experience, and this directly leads to a lost sale, there isn’t much they can do. Ultimately, this puts a lot of pressure on issuers to provide a good SCA user experience.
As a result, stakeholders have been reluctant to develop the necessary software and hardware changes to accompany the new SCA requirements, which explains why the European Banking Authority (EBA) agreed to extend the implementation deadlines so many times for so many countries (the last deadline finally passed on March 14th, 2022 in the United Kingdom).
Nevertheless, Europe will undoubtedly continue to experience an increase in online shopping as people adapt to the rise and integration of technology. In 2020 alone, 95% of British citizens between the ages of 15 and 79 shopped online at least once during the year. These users expect an excellent online shopping experience after the SCA deadline, and making that happen is ultimately the issuers’ responsibility.
A Solution for Screen-Scraping and Fraud
But why did PSD2 finally push out SCA as a hard requirement? The main driver was the debate around screen-scraping for initiating payments, which posed some fundamental questions for how bank accounts should be accessed. In addition, the growth in unauthorised card fraud had become (and still is) a serious issue.
In a 2021 report released by UK Finance called “Fraud the Facts”, much of modern fraud is attributed to online vulnerabilities. This is particularly true since the Covid-19 pandemic, when social distancing restrictions led to a significant increase in online spending and internet usage, providing better opportunities for cyber criminals. Today, most fraud occurs through mobile malware, but there are still many cases of social engineering scams, like investment offers promoted on search engines or fake goods listed on auction sites. For these, however, having a strong SCA mechanism doesn't really help.
In June 2021, the EBA published a report on the progress of the SCA roll-out throughout the EU. The report showed significant progress amongst issuing PSPs, which resulted in a sharp decrease in fraud rates, obviously some great news. As Open Banking and PSD2 continue to enable and regulate access to data and the integration of payments, we expect protection against both fraud and the sharing of bank account access credentials to be a critical part of the long-term plan for financial institutions, merchants and consumers.
SCA Challenges and Exemptions
No one can deny that the rationale behind PSD2 was good. It aimed to spur innovation in the financial services industry in Europe, while advancing the fight against cybercrime, especially for ‘card not present’ purchases in a booming e-commerce market. Yet, when it comes to implementing SCA, most organisations have come to face a variety of challenges.
Some of these challenges are much more uniform than others, regardless of the company size or the type of bank. Here are the top 8 we have seen emerge over the past 5 years:
- Security and 2FA
- The taxonomy of SCA Mechanisms
- Low-tech Phone Users and Fallbacks
- The Mobile OS Headache
- Innovative Malware Attacks
- The Cost of Integration
- Enrolment and Re-enrolment
- Corporate Transactions
Note: SCA does not apply to all transactions. Small online payments, for instance, are not subject to SCA. It is only when a payment hits an amount threshold that SCA will be a requirement. This is the same for physical and contactless payments with a plastic card.
Additionally, there is a more complex exemption to SCA which uses the Transaction Risk Analysis (TRA). Issuers and acquirers (and their merchant partners) can make use of the TRA exemption by maintaining a fraud rate that aligns with PSD2 regulations. Essentially, a transaction worth several hundred euros or pounds could be exempt if the merchant acquirer has proven a consistently low fraud rate. Most likely this is the best way for an eMerchant (with smaller amounts) to find SCA exemption.
And lastly, some types of transactions are exempt from SCA altogether, such as parking payments, phone order payments and corporate wire transfers.
SCA and Long-term Opportunities
In the future, we see massive potential to further utilise SCA, as long as we rebalance the control between merchants/acquirers and issuers, and allow the well-established chargeback system to play its role in keeping merchants and their acquirers honest in their responsibility to fight fraudulent payments. A good example of how this could work is for merchants with recurring customers who have created an account: SCA could be applied once, perhaps to register, but not to every subsequent transaction.
Another missing piece of the SCA puzzle would be for more banks and SCA providers to offer digital identities for their customers. The combination of SCA and eID would be very useful when a merchant needs to know who they are selling to. For example, this service could be used to automate the process of buying or renting an apartment, or could even secure access to your company email. In the financial industry, it could be used to manage insurance agreements, communicate with the government, or onboard new customers (KYC). And this is why we see the enormous potential of offering eID services across Europe (and the world).
Although SCA has been seen by the financial services industry as a hurdle and an extra cost, most understand that it has an essential role to play in accelerating innovation in the financial industry, while also creating new businesses and opportunities. The first responsibility of the EBA should be to lay the foundation for an unlocked SCA in a future PSD3, allowing SCA to develop outside the EBA and the financial sector and become the cornerstone of the Digital Single Market. And who knows, perhaps in the not too distant future we will see a PSD-of-sorts reach countries like the USA.
—————
This is the second part of a four part series reviewing some of the basics of SCA. The first part of our Back to Basics series covers PSD2. Tune in next week where we dive deeper into the world of digital fraud.