On May 19, 2021, the United Kingdom’s Information Commissioner’s Office (ICO) announced that behavioral biometrics is an acceptable second factor to comply with PSD2 strong customer authentication requirements for processing e-commerce transactions.
To learn more about what this announcement means and how organizations can move forward in their SCA compliance journey, PaymentsJournal sat down with Ruhan Basson, EMEA Director at BioCatch, and Tim Sloane, VP of Payments Innovation at Mercator Advisory Group.
What is PSD2 SCA?
PSD2, or Payment Services Directive 2, is a European regulation designed to improve strong customer authentication (SCA) and secure communication in payments. Released in September 2019, PSD2 added requirements for authenticating online payments that were not present in the original PSD released in 2007.
The PSD2 provision requires multi-authentication using an authentication method from at least two of the three following categories: inherence, possession, and knowledge. Knowledge refers to a PIN or password; possession refers to authentication tokens or the possession of a device that has been proven to belong to a user; and inherence refers to “metrics intrinsically owned by an individual,” such as a fingerprint, face recognition, or voice recognition.
For card-not-present e-commerce transactions, using a one-time password (OTP) via a confirmed mobile device (possession) and behavioral biometrics (inherence) for authentication is a winning combination.
“Where we are at the moment is the industry looking at which factors to deploy within that e-commerce journey, and there’s obvious reasons why you’d want to combine possession and inherence, especially from an e-commerce flow,” explained Basson. “It doesn’t introduce friction and it makes for a nice user experience, meaning you don’t get abandonment rates in that e-commerce journey, which is obviously a big concern for retailers,” he added.
Since PSD2’s release in September 2019, there has been ongoing debate within the industry in terms of how and when to mandate SCA requirements. Originally, organizations were given an 18-month compliance deadline of March 2021.
However, when the pandemic struck, that compliance deadline was extended to September 2021. Even more recently, the Financial Conduct Authority (FCA) announced an additional deadline extension to March 14, 2022. “We’re in a position now where [the industry] really has to be ready because there’s potential serious consequences if you aren’t ready for SCA by next year,” said Basson.
Why the ICO’s announcement matters
The question posed to Information Commissioner’s Office (ICO) leading up to its recent announcement was whether payment providers and banks needed explicit consent from the end-user to process behavioral biometric data as an authentication form. The ICO’s response clarified that explicit consent is not necessarily required to use behavioral biometrics as an inherence factor for SCA. This cleared the way for United Kingdom banks and payment providers to embrace behavioral biometrics technology along their journey to SCA compliance.
According to Basson, the clarification provided much-needed comfort for organizations to fully embrace behavioral biometrics as that second factor needed to comply. “It’s absolutely positive news from the ICO, giving that clarity so organizations can benefit from using… behavioral biometrics as an adherence factor for SCA,” he said.
For Sloane, the announcement similarly came as welcome news. “It’s been slow to reach acceptance, but it’s delightful to see that the bodies that are responsible for identifying multi-factor authentication have finally come to their senses and are ready to accept behavioral biometrics as an authentication method,” he noted.
For e-commerce merchants, the immediate benefit of the passive nature of behavioral biometrics as a form of authentication is that it will not introduce friction to the customer experience, preventing cart abandonment.
It’s not just about compliance
While complying with PSD2 should be an immediate priority for organizations, the overarching goal of preventing fraud cannot be forgotten. “It’s not just about hitting compliance. It’s about reducing fraud via layering in additional fraud detection,” said Basson.
Thanks to modern technology, there are options for organizations to enhance fraud prevention beyond just compliance. BioCatch, for example, can use a customer’s one-time password response as another way to measure the behavioral characteristics of the user. In fact, the company recently announced that it is implementing an offering that will enable financial institutions to leverage behavioral biometrics to facilitate their ability to meet the March 2022 timeline for SCA compliance.
Because of technological developments and solutions like BioCatch’s, it is crucial for organizations to keep tabs on emerging technology in the SCA compliance space. “It’s an evolving space, and especially around behavioral authentication,” explained Basson. “There’s going to be a lot of interesting developments here in terms of the layering and bringing in additional fraud detection with authentication,” he concluded.
Customer experience is also a primary consideration on the journey to SCA compliance. “Banks need to realize that consumers have a range of bank cards in their wallets,” noted Sloane. “If their authentication method drives the customer away and some other bank does it better, making it easier while also protecting the account, they are going to lose that customer.”
The takeaway? While compliance is the focus right now, organizations should also be on top of new technology and innovations that layer additional fraud prevention capabilities without introducing friction to the customer experience.