Strong Customer Authentication (SCA) lies at the heart of the revised Payment Services Directive (PSD2) and is likely to impact significantly on banks and financial organisations. Banks are required to provide a more robust framework for their online banking and electronic payment services to ensure added security for customers, and to comply with the Fifth Anti-Money Laundering Directive.
More consumers are now using online banking facilities on a daily basis, making it essential to keep up to speed with the customer and repeatedly verify their identity in a fast-paced digital world.
PSD2 will help deliver a better customer environment for banks by strengthening the requirements on authentication processes when making these payments, which will help reduce account takeover and other malicious activity.
Inevitably additional authentication will create extra friction during the customer journey and banks need to overcome some of the barriers and risks that currently hinder their verification processes.
For example, many banks rely on authentication systems such as text messages which are open to interception and are vulnerable to security attacks. These systems were not designed to be used as a part of secure customer authentication and instead have been retro-fitted to form a part of the customer journey.
When banking methods and technology aren’t aligned it creates pockets of risk that SCA is designed to mitigate. This risks banks having to overhaul their IT infrastructure completely to replace legacy systems and bring them in-line with the digital age.
The essential component to improving the customer journey and mitigating risk at the same time is the source of trusted identity that customers use for all their banking activities. This once again brings the debate for a national Digital ID scheme to the fore.
A Digital ID scheme has significant potential to deliver in two key areas – security and simplicity. It would help to deliver a more seamless journey for customers without compromising on security.
Combining a public (credit, ID&V etc.) and private (biometrics, device etc.) profile would create one unique Digital ID for an individual which can be presented to financial organisations either in person – by showing the mobile device – or by sharing select parts of a digital profile through a secure transfer mechanism.
New to market challenger banks are embracing the digital age and digital identity and as the market matures, other banks could be in danger of being left behind if they don’t keep pace with a new wave of authentication and user experience.
It seems clear that digital identity helps mitigate some of the risks posed by using legacy authentication methods to satisfy PSD2 requirements. The question remains as to whether a central digital identity scheme would be driven by either the public or private sector.
Gov.uk Verify has represented the UK Government’s attempt to build a digital identity and has been deployed with mixed results.
Whilst the scheme is robust in authentication it has experienced significant delays, spiralling budgets and a challenging user experience when signing up. Furthermore, funding was ceased last year by central government.
Over and above Gov.uk Verify, consumer trust and confidence in our current government has been heavily eroded. In the 2019 Audit of Political Engagement, opinions of the system were at their lowest point in a 15-year audit series, with 72% saying the system needs ‘quite a lot’ or ‘a great deal’ of improvement. (1)
For a Digital ID scheme to work it needs to be easy to authenticate and trusted by consumers. We are currently living in a world where consumers are more inclined to trust financial institutions with their data than the government itself. A recent survey by nCipher Security suggested consumers trust banks more than any other organisation when it comes to data privacy and security. (2)
If a Digital ID scheme is to be implemented, it needs to be driven by the private sector, as opposed to the Government, to reflect consumer confidence and ensure adoption on a national scale.
PSD2 and SCA provides a great opportunity for the financial services sector to work together and begin to create a national digital identity.
It is inevitable that a Digital ID scheme will happen anyway and the data suggests that banks are best placed to create a scheme that provides positive customer experiences whilst ensuring data privacy and security standards are upheld.
The alternative is ominous. Customers are already using versions of Digital ID to verify their Apple and Facebook accounts and the transition to a Digital ID scheme to benefit the customer is already happening. The question remains – where are consumers going to place their trust?
This article was published in issue 10 of Connect Magazine from Synectics Solutions. To download the full copy visit: www.synectics-solutions.com/our-thinking/details/connect-edition-10-is-vulnerability-a-much-wider-problem-for-uk-financial-services
1. https://www.hansardsociety.org.uk/publications reports/audit-of-political-engagement-16