
PSD3 SCA Requirements: Should You Buy or Build?

Published: 27.07.2022

Updated: 27.07.2022

Author: Fabien Ignaccolo

Last year, we framed the buy vs. build debate as a million-dollar question. But as Europe now prepares for a third version of the Payment Service Directive, it seems timely to revisit this topic.  

Yet, rather than measuring the pros and cons, let’s look specifically at the build option through the lens of some important questions.

Question No.1: Do you have a sound understanding of the regulation?

Or, put another way, do you have a legal department or a legal adviser? 

No one can deny that PSD2 was a complex topic. We’ve seen its somewhat “free” interpretation out in the real world, especially with the smaller financial organisations overlooking vital elements of the Directive. But looking at the sheer amount of information on the subject, this isn’t surprising. Since the Directive began enforcement in January 2016, the EBA has supported its implementation by developing six Technical Standards, eight sets of Guidelines, eight Opinions, and more than 200 Q&As.

Now that’s quite a chunk to chew on. As such, once PSD3 appears, it will undoubtedly bring another new layer to SCA, prompting more clarification, setting requirements for transactions currently outside SCA, and introducing means to curb social engineering attacks.  

Question No.2: What is your appetite for risk regarding security and compliance?

Although security and compliance are two different topics, they share some of the same mindset regarding decision-making. For instance, should you go all in or build the bare minimum? The bare minimum might pass compliance, but will it fend off innovative fraudsters and attackers? Probably not.

Ideally, you should evaluate how strategic the security aspect of your offering is and how sophisticated it should be to meet current threats. For a reminder of just some of the dangers out there, check out major fraud seen around the world, a 2022 fraud update, or the basics of digital fraud.

Question No.3: Do you have the right skills?

You might have the skills, and your team might be ready to take on a tech challenge, but does that mean you should move forward with building? Maybe, but there are still a few risks you need to take into account:

  • Will you have the skills to develop and maintain an in-house solution while the market, threats, and regulations evolve? In other words, can you future-proof your investment?  
  • What is the opportunity loss? By building, your team might lose their focus on your offering’s core capabilities.
  • And lastly, do you have a track record of delivering on time? 

Question No.4: What is your cost?

First, you need to look at the complexity of your transaction processes. Remember, it might be different if you are B2C or B2B2C - look at embedded finance providers, where specific flows and integrations are highly complex. Nevertheless, this is what you’re likely working with:

  • If you’re a B2C: you have one front-end integration to make between your app and SCA
  • If you’re a B2B2C: you have multiple integrations to make, as you have different corporate and fintech customers, each with their own branding.

With this in mind, you can now consider:

  • Time to market and lost opportunity 
  • The upgradability of the solution as well as maintenance  
  • The overall development effort (the amount of work someone can get done in one day and team cost)
  • The maturity of your business and the size of your customer base (building an SCA solution remains a significant investment)

Question No.5: Can you combine the best user experience with top-grade security?

PSD2 is not just about two-factor authentication; it also requires a wrapper (a separate secure execution environment) that secures the authentication process and ensures the dynamic linking is not tampered with.

Here at Okay, topics like these are just a part of our daily discussions. Are you interested in learning more? Please send us an email at hello@okaythis.com. We will be more than happy to have a chat about a particular subject or assist you with SCA-related questions if you’re in doubt.

Happy authenticating!
