Are your customers ready for PSD2?

19 July 2017

Ensuring customer payment transactions are secure is one of the primary objectives of the revised Payment Services Directive (PSD2).  The European Commission (EC) hopes to do this by requiring payment service providers (PSPs) to apply Strong Customer Authentication (SCA) as a security measure. But the EC also wants to encourage customer convenience through innovation. This latter objective will resonate with banks and retailers which in recent years have invested significant effort to meet consumer demands for a quick and seamless payment experience. But the practical reality of applying SCA could erode the efficiency and convenience customers have come to expect in their day-to-day payment transactions.  SCA comes into effect 18 months after the implementation of PSD2 on 13 January 2018. Between now and then, credit institutions must consider how to achieve effective security controls without sacrificing customer convenience.

SCA is a two-factor authentication process for customers to make online payments securely. Where SCA is applied, a customer will be required to authorise their payment transaction using two out of three 'elements': knowledge (something only the payer knows, such as a password or PIN), possession (something only the payer possesses, such as a card reader or smart device) and inherence (a characteristic of the payer, such as a fingerprint). Once two of these elements have been invoked, the credit institution will issue a one-time authorisation code (OTC) so the customer can complete their transaction.

Faster payments?

The SCA process creates a difficult trade-off between security and customer convenience. Some customers may be familiar with using OTCs for their online banking transactions. But depending on the amount of the transaction, SCA could make OTCs a more common feature of online retail transactions. One-click payments will be no more, so unless a transaction is exempt a now relatively easy payment process could become more cumbersome. Customers may also balk at the frequency with which they will have to use OTCs – possibly within the same online banking session. PSD2 states that authentication codes can only be used once in relation to each transaction. This means if a customer wants to check their balance and make a payment to a new payee in the same active session, they’re likely to have to use more than one OTC.

And even using Third Party Providers (TPPs) - which lie at the heart of the innovation and convenience objective by providing consumers with alternative payment and account management options - present potential bottlenecks. Before granting access to TPPs to a customer’s account, credit institutions may need to check the TPP’s status as a regulated PSP. Further checks may be required to verify whether the TPP is on the customer’s list of trust beneficiaries and if not, the credit institution may need to go through the authentication process with the customer to authorise the payment.

Even though the EBA has included a number of exemptions to the draft regulatory technical standards (RTS) on SCA to minimise when the process is used, including where transactions are considered to be low risk, all in all, customers are likely to find previously speedy transactions subject to a more drawn out process. Customer convenience objective fulfilled? Possibly not.

What do PSPs need to do?

But in the absence of new exemptions addressing these anomalies (unlikely), PSPs will need to consider how to minimise the impact of changes to the customer journey. Firstly, PSPs may need to undertake a review of current processes – what happens now and what will change? SCA will no doubt require upgrades in technical capabilities and PSPs will want to invest in fraud monitoring capabilities to take full advantage of the risk transaction exemption. A product review may be necessary to consider whether any other exemptions apply.  PSPs will then need to build any changes into systems, controls and procedures including customer care and complaints. And PSPs will also need to communicate changes to customers either via revised contractual agreements or general communications.

The final text of the RTS is yet to be agreed, so much remains in the air. What is clear is that SCA presents PSPs with serious challenges in terms of how it will work in practice, development requirements, cost and customer impact. With the clock ticking, PSPs have very little time to find the answers to these big questions.

Our webcast on 5 July 2017 discussed how both UK and European financial services firms are gearing up for PSD2 and explored the strategic opportunities presented by the Directive. Please click here to view our webcast.

Jonathan Turner | Partner
Profile | Email | +44 (0)20 7 213 5565
Megan Charles | Manager
Profile | Email | +44 (0)20 7804 0904
Twitter
LinkedIn
Facebook
Google+

Comments

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated and will not appear until the author has approved them.