As I am writing this post, the European Union is discussing how it should amend PSD2. Or, in a more general sense, prepare for PSD3. That’s because the EEA is now entering a new phase of PSD2: the phase that comes after all of the deadlines, with the UK being the last country to launch SCA in mid-March.

If we look at what’s been happening since SCA went into effect, we can see how fraud rates in mainland Europe are being reduced, possibly by more than 50% (as reported by the EBA in June 2021). The figures for 2022 have yet to be released, but we are sure that the continent still has a long way to go, even if the numbers for fraud continue to decline.

Just look at last year: many Account Servicing Payment Service Providers (ASPSPs) did the bare minimum for SCA by using basic solutions with secret codes and passwords to pass compliance regulations. Today we still come across ASPSPs that are continuing to rely on insecure OTP by SMS methods. But, as we receive better market feedback and watch the cybercriminal sector adjust to the new PSD2 requirements, issuing banks will need to do a lot more than just the minimum to improve and optimise their SCA tools. Here we see the use of the embedded biometric capabilities of mobile devices becoming key: it’s an opportunity to enhance both the user experience and the level of security as those hackers we mentioned above try to catch up.

If we look at the UK specifically, in the first month of SCA enforcement, eMerchants lost 130m GBPs despite an SCA sprint that was supposed to bring the entire payment chain to compliance. It’s important to note that this does not signify the failing of PSD2 but rather the learnings that come with new beginnings. Over time, financial organisations will grow around the subject, leading to more sophisticated solutions that can quickly adapt to regulation changes over the next few years. All markets do eventually mature, and this is what we hope happens in the UK sooner rather than later.

But what is the SCA market looking like from a global perspective? The implementation of PSD2 in the EU certainly made it real and has given the entire world an example to look to when it comes to practical experience. With Open banking on the rise, we can expect Open Finance to follow, walking hand in hand with security as we enter a world of open data. Even though there is no regulation, security and trust will be major drivers for SCA in future adopting regions. 

Embedded finance is also transforming the financial landscape, merging entirely new payment propositions with business models that can be pretty complex. Here too, security should be a priority, particularly if we want to maximise trust with our end-users. Yet, as always, there remains the problem of fraud associated with OPT by SMS. We already wrote about the level of fraud in the United States, but in Africa (where we just returned from after attending APIDE), high fraud rates are also associated with OTP by SMS. Because of this, app-based authentication has a lot of potential, whether in the US, Africa, or other financially expanding regions like Indonesia.

As we have mentioned many times before, digital growth brings new opportunities for fraudsters and hackers. But excitingly, this does not only pertain to the world of financial transactions. Our eyes are wide open to the possibility of other future-proof security and PSD2-grade options integrating into assets outside of the finance world. Which has, in part, led us to launch a new white-label authentication app! Of course, the starting use for this app is for finance, but you can easily imagine also using such an app to protect unwanted access to any important information; remote employees accessing vital company assets, users accessing healthcare credentials, and so on.

For Okay, this new application moves us further into the big Multi-Factor Authentication business. Not only are we bringing strong security to the market, but full customisation capability - the latter being rather crucial as user experience lies at the core of the best digital experiences. 

If cybersecurity, access, and authentication are challenging you, let us know, and we should be able to make it Okay.