
Multi-factor authentication isn’t always the answer in FinTech

Originally in Open Access Government

In this article, Brian Costello discusses the current state of Open Banking, explaining how multi-factor authentication may not be the right answer in FinTech

On Open Banking’s first birthday earlier this year, many marvelled at how much had been accomplished within banking and FinTech. Yet others paused to question: How far have we really come? What challenges are we now facing? Is the consumer better or worse off? While Open Banking regulations were introduced to improve customers’ access to banking services, what’s become clear is that glaring issues remain in relation to the Second Payment Services Directive (PSD2) – particularly the implementation of regulations around Strong Consumer Authentication (SCA). These issues threaten to disrupt the consumer experience, endanger customer data and encourage risky consumer behaviour.

So what can we – banks, technology providers, and FinTech firms – do to preserve Open Banking as we know it? We first need to start with identifying the problems facing the system today. I think these can be broken down into three groups: the unilateral implementation of authentication requirements; consumer fatigue around verification; and the overarching risk to consumer data.

Unilateral implementation of authentication requirements

The first problem facing SCA is the unilateral application of authentication requirements. In an effort to remain compliant with PSD2 regulations, many banks will unilaterally roll out SCA across all types of accounts, whether or not they’re PSD2 regulated. Today, banks only need to apply standards to payment accounts, and while it may seem transparent and secure to apply SCA across accounts, if applied to all read-only access to savings, ISAs, and loans, customers will soon experience a significant increase in friction across their banking journeys compared with today.

Consumer fatigue around verification

Applying over-zealous security requirements risks disconnecting consumers from the very system Open Banking has established, without providing any added protection. Open Banking was meant to provide a user-friendly service, but this will be far from reality if SCA is implemented across non-payment accounts as well as PSD2 regulated accounts.

Overarching risk to consumer data

The danger of SCA’s implementation goes beyond UX concerns. If we, as an industry, continue sleepwalking toward unilateral rollout across account types, SCA could dismantle Open Banking as we know it. By making the consumer journey so tedious, SCA could lead consumers to take counterproductive actions that put their data at risk – like creating one password across accounts to ease the login process. If this were to happen, it would be possible that the entirety of the 69% of the UK population who use online banking services could be affected. We saw this recently, when a data breach from password flaws left 2.7 billion customer records at risk.

A first step in solving this problem will be to make consumers aware of it. Banks could also look to implement various levels of authentication for different functions across the customer journey for non-payment accounts. For example, viewing your balance should require fewer security checkpoints than transferring £30 or even £100. As banks begin to roll out SCA, considerations need to be taken to balance the consumer experience with security and safety concerns.

Open Banking promised to ensure that consumers would be able to safely and securely share data to make their financial lives more integrated and manageable. Everyone working in banking and FinTech has a responsibility to carry out this vision, despite challenges along the way. Some are already doing this, but despite the efforts of individual companies to raise these issues, progress has been slow. By working with the Financial Conduct Authority (FCA), the industry has a real opportunity to defend the interests of consumers and clarify the boundaries and limitations for additional security requirements.

The main concern around SCA is consumer protection and ensuring that everyone has tools available to them to live their best financial lives possible. This issue is a highly important one that, if left unaddressed, will leave consumers with less innovative financial tools, less competition within the banking ecosystem, and ultimately, poorer financial health.