Across all sectors of the economy, including retail and e-commerce, businesses have changed how they interact with customers when it comes to money and payments. As a result, every company, big or small, can now be viewed as a fintech company. For example, customers no longer think twice about using buy now, pay later at checkout.
As a centre of global finance, the UK has played a unique role in this fintech revolution – the sector raised a record $11.6bn in 2021 in the UK alone – not least when it comes to regulations which have created a permissive environment for growth, investment and innovation. Chief among these has been the Payment Services Directive 2, or PSD2, now known as the Payment Services Regulation (PSR), as well as the UK’s Open Banking.
However, in some cases, these regulations are a double-edged sword. This is because they aim to walk a tightrope balancing the twin aims of increasing innovation and improving security. In sectors like e-commerce, fintech can bring opportunities for growth and new revenue streams, but it can also bring additional headaches, especially for those who are ill-prepared, as we shall see in the case of Strong Customer Authentication (SCA).
The SCA rules set out by the PSR, in practice, will prevent customers from making online purchases with only their debit or credit card details. Ultimately, SCA is designed to reduce checkout fraud by requiring companies to authenticate online customers to make payments more secure with additional authentication methods.
The pandemic has caused huge volumes of retail purchases to shift online, bringing with it a rise in checkout fraud. These measures will likely reduce that fraud: a recent study by the European Banking Authority (EBA) showed that the average fraudulent transaction across the EU decreased by approximately 50% from June 2020 to April 2021 as PSD2 was implemented across the continent.
Prepare now to avoid headaches later on
The story of PSD2 (and its UK offshoot, PSR) has been one of dreams, deadlines and delays. Yet it has also shown us that those who dragged their heels when it came to implementation deadlines faced unnecessary hurdles later on, while those who got ahead of the deadlines, instead of merely complying with them, used them to hone a competitive edge.
Thankfully, it seems that the majority of retailers and e-commerce merchants have heeded numerous warnings to prepare ahead of the 14 March deadline, after which non-compliant transactions will be declined. A lot of this work can be attributed to industry bodies like the British Retail Consortium and UK Finance, including its ‘ramp up’ scheme, which put in place a system of incremental testing in the run up to 14 March, using ‘soft’ transaction declines and gathering feedback from participants to smooth the path to the transition.
These foresighted businesses will likely avoid the worst of the consequences of these changes that have been seen in other European countries, like checkout abandonment and customer frustration with the additional friction.
For those who aren’t prepared, the consequences could be dire. Some online retailers have experienced drops in conversion rates of up to 40% in continental Europe, where these measures have already come into force.
The additional delays granted by the FCA mean that retailers and the payment services ecosystem should be able to learn from our European cousins and create a seamless experience for customers without drastically reducing conversion rates while adhering to SCA.
Could behavioural biometrics be the key to SCA compliance?
Now, time for the practical details of SCA. Many consumers are already familiar with One Time Passcodes (OTP) when shopping online but post-March it will not be enough in and of itself to comply with SCA. This is where the tension between innovation and security comes into sharp focus.
According to the EBA, authentication under SCA must meet two of the following three criteria (as set out in its ‘SCA Opinion’ in 2019): knowledge (something only the user knows), possession (something only the user possesses) and inherence (something that is unique to the user).
As a method of authentication, an OTP satisfies the element of possession (the code is sent to a device that only the customer possesses), but no others. So an additional form of authentication is required.
This is where technology may provide a solution. In addition to the usual authentication methods (additional passwords, etc.), one of the most interesting and promising suggestions, supported by the FCA itself in principle and proposed by UK Finance, is behavioural biometrics (classified as inherence by the EBA).
This essentially refers to the ability to use non-verbal and unconscious actions, such as certain unique face or hand gestures, to verify the identity of the person performing an action. With regards to SCA specifically, the EBA defined behavioural biometrics in its SCA Opinion as ‘keystroke dynamics (identifying a user by the way they type and swipe, sometimes referred to as typing and swiping patterns), the angle at which the PSU holds the device and the PSU’s heart rate (uniquely identifying the PSU)’.
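The two-of-three rule and the OTP gap described above are easy to get wrong in a checkout flow, for instance by counting two possession factors (an SMS code plus an app code) as two factors, or by counting a factor that was presented but never actually verified. The following is an added illustration, not code from the article or from ForgeRock, of a minimal policy check that classifies each authentication method into the EBA's knowledge, possession or inherence category and only accepts a checkout when at least two distinct categories have been verified. The method names and the mapping table are assumptions for illustration; the classification of OTP as possession and of keystroke dynamics and device angle as inherence follows the article.

```python
from enum import Enum
from typing import Dict, List, NamedTuple, Optional, Tuple


class Category(Enum):
    """The three SCA factor categories named in the EBA's SCA Opinion."""
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something unique to the user (incl. behavioural biometrics)


class Factor(NamedTuple):
    method: str
    category: Optional[Category]
    verified: bool  # did this factor actually pass its own check in this session?


# Hypothetical mapping of authentication methods to categories.
# Card details are deliberately mapped to None: they are what the customer is
# paying with, not an authentication factor, so they never count towards SCA.
METHOD_CATEGORY: Dict[str, Optional[Category]] = {
    "password": Category.KNOWLEDGE,
    "card_number": None,
    "sms_otp": Category.POSSESSION,
    "app_otp": Category.POSSESSION,
    "keystroke_dynamics": Category.INHERENCE,
    "device_angle": Category.INHERENCE,
}


def verified_categories(factors: List[Factor]) -> List[str]:
    """Distinct categories covered by factors that were actually verified.

    Unverified factors and uncategorised methods (e.g. card details) are ignored,
    so a factor that was merely prompted for but failed cannot contribute.
    """
    cats = {f.category for f in factors if f.verified and f.category is not None}
    return sorted(c.value for c in cats)


def meets_sca(factors: List[Factor]) -> bool:
    """Two-of-three rule: at least two *different* categories must be verified.

    Two factors from the same category (two OTPs, say) count as one category,
    which is exactly why an OTP on its own, or OTP plus OTP, is not enough.
    """
    return len(verified_categories(factors)) >= 2


def evaluate_checkout(results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """results maps a method name to whether it was verified in this checkout."""
    factors = [Factor(m, METHOD_CATEGORY.get(m), ok) for m, ok in results.items()]
    return meets_sca(factors), verified_categories(factors)


if __name__ == "__main__":
    # Constructed sample checkouts (not real transaction data).
    samples = {
        "card only":                {"card_number": True},
        "card + SMS OTP":           {"card_number": True, "sms_otp": True},
        "SMS OTP + app OTP":        {"sms_otp": True, "app_otp": True},
        "password + SMS OTP":       {"password": True, "sms_otp": True},
        "SMS OTP + keystrokes":     {"sms_otp": True, "keystroke_dynamics": True},
        "SMS OTP + failed biometric": {"sms_otp": True, "keystroke_dynamics": False},
    }
    for label, results in samples.items():
        ok, cats = evaluate_checkout(results)
        print(f"{label:30s} categories={cats} SCA={'pass' if ok else 'DECLINE'}")
```

The model is deliberately narrow: it checks only that two distinct categories were verified. The PSD2 technical standards also require the factors to be independent (compromise of one must not compromise the other) and, for remote payments, dynamic linking of the authentication code to the amount and payee; neither is modelled here.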
It’s not difficult to see why this is being proposed. Behavioural biometrics could be a game-changer for frictionless security. By leveraging what the user is already doing in the normal course of shopping or using a device, behavioural biometrics can make continuous authentication a reality. In a way, behavioural biometrics embodies the core of what these regulations are trying to achieve, providing retailers with a way to balance their twin aims of innovation and security.
There is much at stake in the coming months. For those retailers and e-commerce merchants who are already well on the way to making the necessary adaptations, 2022 will give them a great opportunity to race ahead of the competition – but for those who haven’t started yet, it may be much more of a scramble to keep their heads above water.
Nick Caley is VP of UK and Ireland, ForgeRock