Confusion underlies SCA rollout

Participants across the payments supply chain are overwhelmed with Strong Customer Authentication (SCA) provisions under Europe’s second Payment Services Directive (PSD2), according to Jeremy Strong, head of efficiency & performance, fraud at RBS.

“The SCA ambiguity is evidence that we need a uniform approach. I think if we don’t, I do worry about the confusion that it could cause for customers,” he said in a panel discussion at LexisNexis Risk Solutions’ Digital Identity Summit.

Strong went as far as to suggest financial crime may rise, as consumers are also unaware of the new rules.

“The way that [SCA] is heading at the moment, customers don’t know what they are going to get, and I think that could actually open the door to more financial crime because of all the emails, and one-time password authentication that we are sending to customers at the moment. This is a great moment of truth for SCA,” said Strong.

SCA authentication requirements for online payments will come into force on September 14. However, on June 21 the European Banking Authority (EBA) outlined concerns around the complexities of the rules for non-payment services providers, such as e-merchants. Further, national regulators may be required to provide additional time to allow the payments community to adjust to the rules.

In the opinion, the EBA acknowledged “that it would be useful [for the authority] to clarify its views on how certain existing authentication approaches do or do not fulfil the SCA requirements,” considering concerns raised by industry participants.

For Kate Dunckley, senior manager, fraud strategy at NewDay, the EBA’s opinion came as a blow.

“We were in shock because whatever we’ve worked on prior to that we need to re-work it. We want to make sure that we have seamless journeys. When we have conversations with industry peers and asking, ‘what do you think SCA should be?’ And nobody knew that everybody was going with their gut.”

For Dunckley, greater collaboration is needed with telecommunication companies (telcos) to identify potentially fraudulent one-time password (OTP) authentication.

“We have so much data that we don’t know what to do with it. We need [telcos] to tell us how to deal with it, we are seeing mobile numbers popping up left, right, and center. We are seeing spoof numbers, we don’t know what to do with this, we need someone to help us out,” said Dunckley.

Later in the panel discussion Strong outlined a challenge presented by a greater need for collaboration.

“One of the challenges that we are facing at the moment is lots of people looking to help us with great ideas but in practice it is actually not helpful to ask when we are trying to do our day job,” said Strong.
