The Financial Conduct Authority’s (FCA) decision to allow a phased 18-month implementation of Strong Customer Authentication (SCA) for the UK may bring a sense of relief for those not yet prepared for the original 14 September 2019 enforcement date. But in terms of fraud, it might just make a problematic situation worse.
Under the umbrella of the EU’s Second Payment Services Directive (PSD2), SCA is intended to reduce payment fraud by introducing more stringent methods of user identification, including passwords, mobile authentication, and fingerprint scans.
This is a well-intentioned move, especially given fraud losses on UK-issued payment cards totalled over £670 million in 2018, up by almost 20% from the previous year. However, the limited regional scope of the directive along with its sole focus on transactions has already raised issues for retailers. The fragmented implementation period that follows the FCA delay will only exacerbate these concerns.
The regional challenge: SCA your way
Because PSD2 and its associated SCA rules only apply to transactions that take place within the EU, they were always going to cause disparities between the EU and the rest of the world. This gap will inevitably increase fraudulent activities in other regions such as the Middle East, South-East Asia, and the US, presenting a real issue of cross-border fraud for global merchants.
The FCA’s recent decision introduces further complexity. Other European countries may also delay SCA implementation following the European Banking Authority’s opinion that additional time could be allowed on an exceptional basis to avoid negative consequences. The FCA’s 18-month delay will almost certainly put the UK behind the rest of Europe, even before taking Brexit complications into account, meaning the country could well become more attractive for payment fraudsters.
Fraudsters take the path of least resistance
The regional remit isn’t the only limitation of SCA requirements. Fraudsters will always aim for maximum gain with minimum effort, and they are adept and sophisticated enough to evolve their attacks in line with regulatory changes to find the path of least resistance. With PSD2 focussing solely on the point of transaction, other types of fraud, such as account takeover (ATO), will become increasingly common, and fraudsters are likely to become more sophisticated in how they carry out these attacks. ATO involves criminals hacking into a customer’s account and using stored information for their own benefit. This could include making purchases using saved payment details but changing the delivery address.
Loyalty fraud will also likely increase with the implementation of SCA as loyalty points aren’t recognised by the regulation, which only increases the vulnerability of balances rarely checked by users with the same diligence as a cash account. More complex types of fraud, such as collusion in online marketplaces and identity theft used for private label card applications, are also areas where fraudsters could find vulnerabilities to exploit.
A holistic solution protects merchants now
With the uncertainties surrounding PSD2 and SCA, retailers shouldn’t delay taking proactive measures. They should invest in broad fraud prevention now and prepare their systems for PSD2 compliance, regardless of whether delays to implementation may occur. Retailers need to guard against evolving threats and ensure a seamless transition for consumers. Likewise, they need a holistic solution to fraud, which will work across regional borders and protect the entire customer journey, not merely the point of transaction.
Retailers may well be reluctant to implement SCA before it is absolutely essential, as accepted solutions such as 3D-Secure (3DS) are notorious for introducing friction into the buying process and deterring customers from completing their purchase. But retailers can minimise both risk and friction. There are SCA-compliant solutions available that automatically evaluate the trustworthiness of all transactions, regardless of region, and route good actors through the path of least possible friction, minimising fraud, and optimising the customer experience.
The staggered implementation of SCA is going to create significant cross-border chaos for businesses. Multi-national retailers can mitigate this risk by implementing a comprehensive, and globally effective, anti-fraud solution now. This will allow for the most seamless transition into the new regulatory regime.
Author: Michael Reitblat, CEO and co-founder, Forter