Although strong customer authentication (SCA) rules are good for reducing fraud, they will need continued review as criminals become more effective, a panel at the EU’s financial education conference agreed.
One year into SCA compliance, and at the dawn of the revised Payment Services Directive’s (PSD2) review, payments players are unlikely to be too enthusiastic about the prospect of the rules changing again.
However, at the European supervisory authorities conference on building better financial education among consumers in the EU, there were mutters that this may be necessary.
“Two-factor authentication is very important,” said Maria Lucia Leitão, head of the banking conduct supervision department at Banco de Portugal. “I’ve been trying to get attention even before it became mandatory.”
The central bank’s experience from assessing and analysing complaints made to it about financial institutions’ compliance is that SCA is not enough, she warned. “When consumers give their credentials, they get deceived.”
“We have examples of complaints where the main reason for the fraud is that the consumer gave all the information to the scammer, which means we need to educate consumers, raise awareness to consumers to mitigate those risks,” she said, calling for better digital financial literacy.
If the consumer is convinced by some attacker that they need to provide credentials then it does not help, that is for sure, agreed Martin Schmalzried, a member of the European Banking Authority’s (EBA) banking stakeholder group. “The one issue is having two-factor authentication on the same device. If the device is compromised, then it is useless.”
“If you lose your phone, you do not have it protected, and if you have your two-factor authentication app on it, that’s problematic,” he said.
Yet, others were more optimistic about the impact that SCA is having in the present.
“Measures to aid security should always be balanced with the ease of use, so I absolutely believe that SCA was the right thing to legislate, to make obligatory, but I also think that it was good that the EBA gave merchants a little bit more time to implement it,” said Wim Mijs, chief executive at the European Banking Federation.
They were not ready, he said, and so needed to communicate with their clients. “In my view, what is good about SCA is that it puts a double factor that makes you think again but also on more than one device.”
Data has shown that SCA is having an impact on reducing fraud as well, he said, as evidenced by the recently released report from the EBA. “That is a very important step forward.”
“If we go forward and think of future legislation, we will always need to come up with new and agile approaches to make it, on one hand, easy for the consumer and easy for the merchant, but also changes to the reality of the market,” he said.
For example, online fraud is becoming ever smarter and is very agile in its new methods, he warned.
“The policy rationale behind SCA was really rooted in the need to increase security and to reduce fraud,” said Fiona Van Echelpoel, deputy payments and infrastructure director at the European Central Bank.
Discussing the EBA’s report, she said: “What we see in that report is that the figures for when transactions are validated without SCA show that the fraud rates are five times higher.
“This is quite telling, so I would say that we are starting to see the investment in SCA is paying off, and the benefits are coming to consumers.”