Getting Strong Consumer Authentication right: What banking providers need to know
Originally seen in Finextra.

Since the first anniversary of Open Banking earlier this year, I, along with much of the fintech industry, have been questioning the progress of the new regulations and what more we can do to improve consumer experience and outcomes while further evolving the ecosystem. It is apparent to me that, while Open Banking is working, problems with PSD2 are proving counterproductive to its continued growth and success. The primary challenges facing Open Banking right now are two-fold: the unilateral application of Strong Customer Authentication (SCA) across all accounts, and the 90-day reauthorisation requirement.

1) Unilateral application

The first, and largest, challenge facing the implementation of SCA is its unnecessary application by banks to non-PSD2 account types. Per the PSD2 Regulatory Technical Standards (RTS), SCA is only required for access to payment accounts and payment account data, and even then it is only required on the dedicated interface (i.e. the API). However, many institutions are planning to apply SCA to all access via the customer-facing channel (i.e. online banking), ultimately restricting customers' access to non-payment accounts and preventing customers' applications from accessing data when the customer is not present. While this may seem secure, transparent, and protective, implementing SCA in this way will actually interfere with access to non-payment accounts such as savings, ISAs, and mortgages, and break the tools customers use to manage their financial health and improve their financial wellbeing.

2) 90-day reauthorisation

The RTS requires consumers to re-authorise their banks to release their data for use by third party providers (TPPs) every 90 days, irrespective of how many times they have previously granted access. This introduces unnecessary friction into the consumer journey and can lead to longer-term negative outcomes for the consumer without any real security benefit.
It is also anti-competitive, reduces the business viability of TPPs' services, and grants the bank unilateral access to data while denying that access to the consumer and their TPP.

There are longer-term negative consequences for customer outcomes and data protection that must also be accounted for. By creating a cumbersome consumer journey, SCA will likely push consumers towards counterproductive, insecure behaviours that could put their data at risk. For example, as consumers tire of remembering different details to re-authenticate every time they use a third-party tool, they may end up reusing one password across accounts to simplify things. In doing so, they make their accounts less secure, because if one account is compromised, all accounts are exposed. As SCA will likely be applied unilaterally, and most UK consumers have multiple bank accounts, up to 69% of the UK population using online banking could be at risk of fraud.

So, how can we fix this? First, companies can make consumers aware of the issue and introduce risk-based step-up authentication for different banking functions. For example, while entering a username and password may be sufficient for a read-only view of account summaries, a one-time password could be required to update details, add a payee or make a payment, giving an uplift in security where it matters. Enabling users to make better financial decisions means granting convenient and secure access to their account information. The use of SCA as currently contemplated does not allow this.

Given the potential impact on consumer outcomes, we must address this now. Open Banking was created to foster positive consumer banking experiences by enabling consumers to share their data safely and securely. While other challenges remain, we must address those related to the RTS and SCA now, before consumers are harmed.
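The step-up model described above (password alone for read-only views, a one-time password added for payee and payment changes) can be expressed as an ordered assurance level per session checked against a per-operation policy. The following is an added illustration written for this page, not code from the article or from any bank or Open Banking implementation; the operation names, the policy table and the `Session` fields are constructed assumptions. It also shows the fail-closed choice a practitioner would want: an operation missing from the policy table is treated as requiring SCA rather than defaulting to read-only access.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class AuthLevel(IntEnum):
    """Ordered assurance levels; a higher level satisfies every lower one."""
    NONE = 0
    PASSWORD = 1   # username + password only (single factor)
    SCA = 2        # password plus a second factor (one-time password)


# Hypothetical policy table (constructed for this example): the assurance
# level each banking function needs, mirroring the tiers the article proposes.
OPERATION_POLICY = {
    "view_account_summary": AuthLevel.PASSWORD,
    "update_details": AuthLevel.SCA,
    "add_payee": AuthLevel.SCA,
    "make_payment": AuthLevel.SCA,
}


@dataclass
class Session:
    """Which factors the customer has completed in the current session."""
    password_verified: bool = False
    otp_verified: bool = False

    def level(self) -> AuthLevel:
        # A second factor only counts once the first one has been verified.
        if self.password_verified and self.otp_verified:
            return AuthLevel.SCA
        if self.password_verified:
            return AuthLevel.PASSWORD
        return AuthLevel.NONE


def required_level(operation: str) -> AuthLevel:
    """Look up the policy; unknown operations fail closed to the strongest tier."""
    return OPERATION_POLICY.get(operation, AuthLevel.SCA)


def step_up_needed(session: Session, operation: str) -> Optional[str]:
    """Return the factor the customer must still complete before the operation
    may proceed, or None if the session already satisfies the requirement."""
    if session.level() >= required_level(operation):
        return None
    if not session.password_verified:
        return "password"
    return "otp"


def authorise(session: Session, operation: str) -> bool:
    """True when the operation can proceed without further authentication."""
    return step_up_needed(session, operation) is None


if __name__ == "__main__":
    # Constructed journey: log in with a password, read balances, then try to pay.
    session = Session(password_verified=True)
    for op in ("view_account_summary", "make_payment"):
        missing = step_up_needed(session, op)
        print(f"{op}: {'allowed' if missing is None else 'step up with ' + missing}")
    session.otp_verified = True  # customer completes the one-time password
    print("make_payment after OTP:", authorise(session, "make_payment"))
```

The point of the ordering is that completing SCA once in a session covers every lower-tier operation, so the customer is only interrupted when moving from reading data to changing it.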