SCA enforcement deadline extension is a valuable opportunity for businesses

Recognising ongoing challenges facing the industry to be ready by the 14 September 2021 deadline - and to ensure minimal disruption to merchants and consumers - the FCA last month extended the SCA enforcement deadline for another six months to 14 March 2022.

Hot on the heels of the extension, further welcome news came in the shape of the ICO's confirmation that behavioural biometrics can be used for PSD2 SCA, as long as vendors and card issuers adhere with the wider requirements of privacy legislation. As long-time supporters and advocates of behavioural biometrics and privacy, it was a direction that was warmly welcomed by Callsign.

Beyond fraud detection

There are good reasons why behavioural biometrics is the industry recommended approach to SCA - a position supported by the Financial Conduct Authority (FCA). Since it relies on inherence factors that are unique to the user - how they swipe, type or hold a device - it's an method that is extremely difficult to circumvent. And when combined with possession factors, it brings rigorous levels of security to multi-factor authentication (MFA).

What's more, behavioural biometrics can be gathered from almost every device on the market. There will of course be some edge cases, where users are forced to authenticate via hard tokens or other methods, but the vast majority of a card issuer's customer base will be able to use the same authentication process for Card-Not-Present (CNP) transactions.

Seen through from the viewpoint of detecting and preventing fraud - the lens through which behavioural biometrics is most commonly viewed - this alone is a strong argument for the technology. But as an authentication mechanism, behavioural biometrics brings a whole range of tangible benefits to both the business and the customer.

As a passive authentication method, users can be authenticated invisibly, bringing fluidity and accessibility to the customer journey. It has clear advantages over the use of knowledge factors such as passwords or PINs which, as well as increasing the risk of fraud, have the potential to introduce friction in the payment journey.

That's an important differentiation. Fraud detection and authentication - whilst interlinked - are two different things. Using behavioural biometrics to detect fraud is a given, but organisations should also consider a vendor's ability to positively identify the user during the vendor selection process. Otherwise, they may find themselves needing to opt for an additional vendor to deliver user authentication. 

More assurance from less data

And there is another factor to consider. In line with the ICO's response, in order to place reliance on the substantial public interest condition organisations must ensure the rationale for data processing is well-considered and the specifics of the processing are justifiable. It's also crucial that a behavioural biometric solution satisfies all other GDPR requirements.

Data minimisation and transparent data processing are key considerations here. Consumers are increasingly aware of where and how their data is collected and used, and will be expecting businesses to be doing so only where it is necessary.

This highlights the advantages of event-based authentication rather than continuous methods.  Consumers will understandably view an approach that continually monitors their behaviour and interactions as a form of surveillance. That approach compares unfavourably with solutions that only gather and analyse data points when it's absolutely necessary. This also aligns with the FCA's expectation that any solution implemented does not have a negative impact on users.

Changed priorities ahead?

There are several moving parts to consider. Implementing behavioural biometrics is a given; the important consideration is now for organisations to do so in a manner that will satisfy all parties - their customers, the FCA and the ICO. That means adopting a solution that prioritises privacy and data minimisation, as well as reducing friction in the user journey through passive, positive identification.

Any deadline change of this magnitude naturally sends ripples across the industry. The window for SCA implementation may now be closing a little more slowly than previously, but for any organisation operating in a fast-moving world, that extension will pass swiftly. Issuers are advised to use that time wisely, and to look holistically at their systems, authentication technologies and strategies.

On 1 July I?ll be speaking on the upcoming UK Finance webinar to highlight the opportunities that the SCA extension and behavioural biometrics can bring to any organisation.

Registration is free - sign up now.

Area of expertise: