After a succession of shifting deadlines and rule changes to the guidelines themselves, Strong Customer Authentication (SCA) has now been implemented. For many, the go-live date passed with little comment.
Most organisations had proactively taken steps to ensure that their strategies were in place even before the first extension was granted.
Others wisely used the extra time to ensure that they were ready. But the definition of readiness varies from business to business.
The rule changes that occurred along the way gave organisations a variety of options in terms of the authentication mechanisms they could use; some of which are significantly more secure than others.
Weighing up the risks
One of the most significant changes arrived in the 29 November 2021 policy statement, in which the Financial Conduct Authority (FCA) broadened the range of characteristics that could be used for inherence. It allowed for the usage of behavioural characteristics such as spending patterns, in addition to behavioural biometrics.
While this change gave businesses the ability to attain SCA compliance with their existing systems, it’s important to keep in mind what the major driver has been for SCA in the first place: fraud and the rising tide of scams and cybercrime.
Authorised Push Payment (APP) fraud is particularly prevalent, with fraudsters using every technique at their disposal to clear out their victims’ accounts. Because of the role social engineering plays, APP fraud is often hard to detect, and when it is hard to detect, relying on passwords and SMS OTPs won’t do much to prevent it. Bad actors are highly adept at bypassing basic security.
This is why many organisations are opting instead to use behavioural biometrics as an inherence factor. In June 2021 the Information Commissioner’s Office (ICO) confirmed that firms may process behavioural biometric data for payment authentication purposes in order to prevent fraud.
Rather than looking at what’s being typed or swiped, behavioural biometrics looks instead at the how – the gestures, speed and pressure that a user unconsciously applies when they’re using a device, and even how they’re holding that device. By analysing and recognising these aspects, behavioural biometrics allows the development of ‘muscle memory’ that identifies a user without compromising their privacy.
When layered with device intelligence – which considers aspects such as location, the hardware addresses and the IP address of a device – users are able to get on with their digital lives in a very secure manner. For fraudsters and scammers, this layered approach makes their unpleasant job infinitely more difficult.
But it brings more to the table than that: there is the element of data enrichment. Taking such an approach gives valuable insights into not only what a user is doing, but how they’re doing it. Rather than looking at each aspect in isolation, these technologies help businesses to understand the context around a customer’s action.
Device binding further contributes to this intelligence and paves the way to reduce our reliance on SMS OTPs. If a customer was previously using the latest iPhone and now appears to be using an older Android phone in a different country, it’s highly likely that there is fraudulent activity taking place.
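As an added illustration (not Callsign’s code or anything from the original post), here is a small Python risk engine in the layered style described above: it compares the session’s device against the device bound at enrolment, folds in an IP-derived country check and a behavioural-biometric match score, and decides whether to authenticate passively, step up, or block. The weights, thresholds, field names and sample devices are all constructed assumptions.

```python
from dataclasses import dataclass

# Illustrative weights and thresholds (assumptions for this example, not a vendor's).
WEIGHTS = {"unbound_device": 0.4, "platform_changed": 0.2, "country_changed": 0.3}
BEHAVIOUR_WEIGHT = 0.4           # how much a weak behavioural-biometric match adds
STEP_UP_AT, BLOCK_AT = 0.3, 0.7  # risk thresholds: passive / step-up / block


@dataclass
class DeviceProfile:
    platform: str   # "ios" or "android"
    model: str      # e.g. "iPhone 13" (constructed sample value)
    hw_id: str      # identifier bound to the device at enrolment (hypothetical field)
    country: str    # ISO country code derived from the session IP address


@dataclass
class SessionSignals:
    device: DeviceProfile
    behaviour_score: float  # 0.0..1.0, confidence that typing/swipe behaviour matches


def assess_session(bound: DeviceProfile, session: SessionSignals):
    """Combine device binding, device intelligence and behavioural biometrics into
    one decision: 'allow' (passive SCA), 'step_up' (extra factor) or 'block'."""
    seen = session.device
    checks = [
        ("unbound_device", seen.hw_id != bound.hw_id),          # not the enrolled device
        ("platform_changed", seen.platform != bound.platform),  # e.g. iPhone -> Android
        ("country_changed", seen.country != bound.country),     # IP geolocation vs history
    ]
    reasons = [name for name, tripped in checks if tripped]
    risk = sum(WEIGHTS[name] for name in reasons)
    # Behavioural biometrics: the weaker the match, the more risk it contributes.
    risk += (1.0 - session.behaviour_score) * BEHAVIOUR_WEIGHT
    risk = round(risk, 2)
    if risk < STEP_UP_AT:
        decision = "allow"
    elif risk < BLOCK_AT:
        decision = "step_up"
    else:
        decision = "block"
    return decision, risk, reasons


# Constructed sample: customer enrolled on an iPhone in GB.
BOUND = DeviceProfile("ios", "iPhone 13", "hw-aaaa-1111", "GB")

if __name__ == "__main__":
    same = SessionSignals(BOUND, behaviour_score=0.9)
    moved = SessionSignals(DeviceProfile("android", "Galaxy S8", "hw-bbbb-2222", "RO"), 0.3)
    print(assess_session(BOUND, same))   # ('allow', 0.04, [])
    print(assess_session(BOUND, moved))  # ('block', 1.18, [...all three reasons])
```

A session from the bound device in a new country with a good behavioural match lands in the step-up band, which is the case where the behavioural signal rather than an SMS OTP would normally decide the outcome.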
The more data points that are used to derive these insights, the more data needs to be ingested. And that’s difficult to do without compromising both privacy and performance.
To make this approach viable and effective, organisations should look to orchestration solutions that intelligently and passively look for the right signals at the right times, whilst minimising data ingestion.
Putting the customer first
For SCA, these tools very much highlight the ‘customer’ element. As well as providing customers with extremely robust protection against fraud and scams, they also reduce the amount of friction in user journeys. Rather than having to authenticate on a second device (which may or may not have reception at that point), the user is passively and securely authenticated.
SCA is much more than a way of securing transactions. It represents a sea change for the financial landscape, one where the impact on customers is every bit as important as mitigating losses from fraud. That means that the tools that are used to deliver it need to provide a user experience that’s seamless and smooth and, from the customer’s perspective, clearly secure.
Chris Stephens, Solutions Engineer, Callsign