July 3, 2020

As banks and other financial institutions continue to prepare for Strong Customer Authentication (SCA), the classic paradigm of security vs customer experience continues to loom larger than ever.

While there is no doubt that security and compliance must be treated as a top priority for the industry, we find ourselves in a world fuelled by a new generation of consumer expectations. Creating an SCA strategy that is both compliant and user-friendly therefore carries significant importance.

By now, many institutions have discovered that implementing SCA on the mobile channel is relatively straightforward when provisioned through a mobile app. However, it is important to note that traditional online banking transactions through mobile browser, laptop and desktop must not be forgotten. A recent piece of analysis showed that 33% of online banking traffic is initiated through browser-based interaction, and on top of that as much as 25%-30% of online banking users do not use their bank's mobile offering at all. Some of these users still prefer the familiarity of browser-based banking, whilst others do not have a smart device that is compatible with their bank's mobile app.

Here then sits the problem: how do banks and financial institutions continue to provide a positive browser user experience for their customers whilst ensuring SCA compliance?

With inherence factors such as facial recognition an unlikely solution in the short term, banks are opting for a combination of possession and knowledge factors to satisfy the ‘2 out of 3’ core SCA requirement.

So whilst a password, PIN or similar will undoubtedly be used widely as a knowledge factor, how do banks satisfy a possession factor? Many are turning to SMS as a method of compliance which, whilst technically compliant, creates many meaningful complications from the perspectives of security, cost and experience:

Security – SMS is well known to be susceptible to common fraud techniques such as SIM swap and social engineering, both fed by ever more frequent data breaches. Some would therefore argue that choosing SMS as a possession factor is merely a tick-box exercise, given that the whole point of the SCA regulation is to increase front-door security.

Cost – Typically, the cost of a single SMS ranges from 2p for a standard service to anywhere up to 4p if you wish to add basic fraud checks such as SIM swap detection. Scaled across an entire online banking user base that is interacting with their bank online now more than ever, this means costs are certainly non-trivial.

Experience – Successfully transitioning an online banking user journey from input of a user ID and password to SMS OTP will prove challenging, as consumers continue to demand an experience that works seamlessly irrespective of the devices they use, their locations and the channels they choose. Adopting SMS OTP, which forces customers to multi-task whilst adding latency, makes meeting this expectation difficult. On top of that, the standard industry completion rate for SMS OTP is around 85%, which poses the more difficult question of what to do with the 15% of users who cannot complete it.

So what is the alternative? Browser-based device-binding technology is also an acceptable form of possession under the SCA regulation. Technologies like LexisNexis Risk Solutions Strong ID use public key cryptography to establish a cryptographically backed strong device identifier. This means the user's device can be bound to their online banking user profile and used as a compliant possession factor. The benefits are clear:

Passive, frictionless authentication – Once bound, a device can be verified passively in real time via an API call that is invisible to the user, meaning they can simply supply their password as a knowledge factor to move through an SCA-compliant, yet frictionless, login journey. This removes the need for friction-adding step-ups such as SMS OTP and maintains a quick and seamless experience for the user. Research at large banks in the UK has also shown that device recognition is the preferred method of authentication when it comes to this regulatory change.

Risk-based approach – Users of the Strong ID service can still expect the same risk management capabilities they would get when using device identifiers in a more traditional fraud detection scenario. This means different treatments can be applied to authentication based on configurable parameters such as RAT detection, malware detection, location anomaly detection, global blacklist comparisons and more. Risk-based device-binding authentication can be implemented to meet specific requirements, meaning banks can work within their own risk appetite when balancing authentication and experience.

Here is an example of how Strong ID can work in wider terms. The highlighted (red) journey in the diagram demonstrates how a login using device binding as the possession factor and a password as the knowledge factor would flow:

LexisNexis Risk Solutions are already working with many banks in EMEA to implement such an approach:

  • A tier 1 bank in the UK has reduced the need to invoke SMS OTP in over 85% of login attempts on browser-based internet banking
  • Another tier 1 bank in the UK will reduce the need to invoke SMS OTP in over 78% of login attempts on browser-based internet banking
  • A global payment service provider has removed the need to step up 65% of customer login attempts on browser-based internet banking

So as financial institutions continue to race towards the deadline, it's important to remember that they don't have to choose between satisfying the regulator and satisfying their customers; it is possible to do both. Customer demand for a continued seamless experience is not going to go away, and will only increase as technologies continue to evolve. If financial institutions get it wrong, it could significantly disrupt their user base, so getting it right the first time is paramount. In doing so, banks can protect both their client base and the future growth of their online platforms.

If you are interested in hearing more about how LexisNexis Risk Solutions can support your SCA strategy, please contact us.