article banner

PSD2: enhancing strong customer authentication

Paul Olukoya Paul Olukoya

Smooth integration of the revised Payment Services Directive (PSD2) will help providers uphold a positive reputation, reassure customers that their payments are in good hands and avoid any regulatory sanctions. Paul Olukoya looks at how firms are applying PSD2's enhanced strong customer authentication (SCA) requirements and the common challenges we have seen. 

The second Payment Services Directive is regulation that affects all payment service providers. It aims to improve customer protection, incentivise competition, and create a more efficient payment framework within the EU.

As we are now seeing a divergence in the regulatory approaches between the FCA and the European Banking Authority (EBA) – along with the FCA deadline for the e-commerce implementation of SCA-RTS having passed – now is a good time to revisit PSD2's regulatory requirements. It is important to identify the issues that firms are experiencing since SCA became a requirement in September 2019.

PSD2 regulation and compliance

The EBA and the FCA require payment service providers (PSPs) to document, test and evaluate their compliance with SCA technical standards to allow for remote account access and payment processing authorisation. Ensuring that the appropriate controls, oversight and government procedures are in place, firms will need to review their overall security measures and ensure they are ready for enhanced SCA.

Fostering this payment method also requires the use of strong customer authentication solutions that allow for authorisation to be dynamically linked to payments. Providers should incorporate transaction monitoring that will identify unusual payment patterns and keep customers protected against fraud. This would allow customers to identify third-party PSPs in a secure way and provide a better, more seamless user experience to make payments.

Strong customer authentication requirements

The intent of SCA is to establish customer protection tools that take advantage of enhanced security methods against payment fraud. Two-factor authentication (2FA) and secure communication requirements should be put in place to reduce fraud and allow an open network of transaction and account services to flourish to benefit the user experience.

On their own, these requirements are relatively straightforward but the recent changes introduced by the FCA have progressed the overall payment landscape. As a result, some traditional and new payment providers have struggled with the interpretation and implementation of technical measures which comply with SCA. Firms have also had to contend with the mandatory need to audit the implementation of SCA and, should the regulator require, provide an audit report which sets out the firm’s compliance with the security of the measures in place.

Common challenges with PSD2 SCA

Complying with these requirements is important in avoiding reputational damage and regulatory intervention. Developing clear authentication protocols for operational and security risk assessment will satisfy the regulatory requirements and mitigate potential risk. But having conducted a number of SCA and transaction risk analysis (TRA) implementation reviews, we found some common challenges coming to light. These include:

  • identifying the correct payment flows in scope for SCA
  • identifying and making provision for SCA or fraud liability in a multi-party/vendor payment chain
  • identifying the correct legal entities and applicable data for TRA and fraud calculations
  • dynamically linking the authentication code to the amount of the payment and the payee
  • failure to inform the payer of the amount of payment and payee before they confirm payment
  • error messages which inform the customer of which element of the authentication has failed
  • the use of an email address to satisfy the possession element when that address is not linked to a device
  • challenges with monitoring fraud rates when using the exemptions available from SCA implementation.

Whether by oversight or misinterpretation, firms that are processing tens of thousands of payments a day, and being mindful of the FCA’s business plan to make payments safer, do not have the luxury of allowing any weaknesses in their authentication protocols to persist.

This is why it is important that firms are up to date with the regulatory requirements and review their systems to ensure that they are meeting best practice.

What should you do?

As with any large regulatory and infrastructural change, the cost of compliance can be high. The mandatory requirements are an additional factor to already costly operational considerations, and resources or specific technologies may be required to monitor controls on an ongoing basis. This brings an extra element of operational and IT risk to the equation, meaning that firms will have to do a thorough overview of their systems and business operations to integrate PSD2 effectively into their organisation.

You need to maximise the potential for growth by embracing the changes. Notably, there are now more opportunities to increase your market share by leveraging payment initiation and account information aggregation. By getting it right the first time, firms can improve their customer assurance and get ahead on developing progressive systems to embrace payment services.

For leading advice on PSD2 and upcoming regulatory updates for payment service providers, please contact Paul Olukoya.

Implementing ISO 20022: What do firms need to do now? Uncover the key challenges

Making payments safe – a key priority for the FCA

What's next for the sector?