Over the past few years European regulators have been busy – very busy – drafting sweeping new payments legislation. The result of their efforts, the Second Payment Services Directive (PSD2), will represent one of the most disruptive laws of its kind ever introduced when enacted by Member States before 13 January 2018.
The new rules will have a far-reaching impact on banks, payment service providers (PSPs) and online merchants, particularly in terms of new requirements around customer authentication.
Yet rather than see this as another unwelcome regulatory obstacle, industry players should grasp the opportunity to implement best-in-class risk-based authentication systems. Doing so will help them meet the PSD2 requirements, cut fraud and offer customers the best, friction-free experience possible: a win-win all round.
The PSD2 cometh
The PSD2 springs from a desire to improve consumer protection, boost innovation and foster greater competition in the European Union. It’s a response to a rapidly changing payments landscape in which consumers are increasingly demanding slick but secure click-and-pay experiences, while merchants are looking for new payment methods to support omnichannel retail.
Add to this the new breed of fast-moving fintech firms challenging established banks with innovative services and you have a market demanding updated regulations. That’s never been a problem for the European Commission, which sees effective payments as the key to unlocking the value of a true single market across the region.
So what exactly does the PSD2 introduce? Broadly speaking it will aim to make it easier to use mobile and fixed internet payment services while protecting consumers against fraud and other abuses, strengthening consumer rights and promoting the European Banking Authority (EBA) as the main supervisory body in charge of technical standards. More specifically, two rulings stand out: access to [payment] accounts (XS2A); and strong customer authentication (SCA).
XS2A will force banks to open up customer accounts to third party payment providers (TPPs). They will be able to access payment account info, initiate payments and confirm availability of funds on a specific account for a card payment.
However, as bank account access is opened up to third parties, the risk of fraud increases. That’s part of the reason for SCA, which will mandate that all banks and PSPs apply multi-factor authentication to all electronic transactions initiated by the payer – think card payments and credit transfers, but not direct debits and the like.
The problem with friction
There’s one obvious problem with the SCA provisions: multi-factor authentication tends to degrade the payment experience, leading to user abandonment. That’s a major concern for online merchants.
In fact, ThreatMetrix actually worked out that cart abandonment due to user friction can be as much as 10 times more costly than online fraud itself.
Helpfully, however, the current regulatory technical standards (RTS) submitted by the EBA allow providers to be exempted from using SCA if they implement risk-based authentication (RBA) and transaction monitoring systems, and the transaction itself is rated “low” risk.
To rely on this exemption, PSPs must implement transaction monitoring which operates in real-time and verifies each transaction against anomalies in: spending patterns; payment transaction histories; location of payer and payee at time of purchase; and previous use of device/software.
The good news is there are advanced fraud detection and transaction monitoring systems out there with exactly what you need to meet these exacting standards.
Payments providers need to seek out partners which can combine detailed dynamic behavioural data to establish an accurate digital identity of each and every user. The most effective of these systems collect and process global shared intelligence from millions of daily consumer interactions – including logins, payments and new account applications – to build up these digital identities.
Transactions can then be effectively risk scored according to the PSD2’s current RTS and allowed through if low risk without the need to resort to multi-factor authentication.
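As an added illustration (not code from the article or from ThreatMetrix), the following Python sketches the decision the RTS exemption above implies: score each transaction against the payer's history on the four anomaly classes the RTS lists (spending pattern, transaction history, payer/payee location, device/software use) and step up to SCA unless the result is low risk. The weights, threshold, field names and sample data are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Transaction:
    payer_id: str
    amount: float
    payer_country: str   # where the payer is at time of purchase
    payee_country: str   # where the payee is
    device_id: str       # identifier of the device/software used

@dataclass
class PayerHistory:
    amounts: list        # previous transaction amounts for this payer
    countries: set       # countries the payer has paid from before
    devices: set         # device identifiers seen before

LOW_RISK_THRESHOLD = 30  # assumed: scores at or below this are exempt from SCA

def score_transaction(tx: Transaction, hist: PayerHistory):
    """Score one transaction against the payer's history; returns (score, reasons).
    Checks the RTS anomaly classes; weights are assumptions, not regulatory values."""
    checks = []
    if hist.amounts:   # spending pattern: amount far above the payer's usual spend
        mu, sigma = mean(hist.amounts), pstdev(hist.amounts)
        checks.append((tx.amount > mu + 3 * max(sigma, 1.0), 40, "amount far above usual spend"))
    else:              # transaction history: nothing to compare against yet
        checks.append((True, 20, "no transaction history"))
    checks += [
        (tx.payer_country not in hist.countries, 30, "payer location never seen before"),
        (tx.payer_country != tx.payee_country, 10, "payer and payee in different countries"),
        (tx.device_id not in hist.devices, 25, "unrecognised device/software"),
    ]
    triggered = [(weight, reason) for hit, weight, reason in checks if hit]
    return sum(w for w, _ in triggered), [r for _, r in triggered]

def requires_sca(tx: Transaction, hist: PayerHistory):
    """Return (needs_sca, score, reasons): require SCA unless the transaction is low risk."""
    score, reasons = score_transaction(tx, hist)
    return score > LOW_RISK_THRESHOLD, score, reasons

# Constructed sample data: one payer with a modest domestic spending history on one device
SAMPLE_HISTORY = PayerHistory([20.0, 35.0, 25.0, 30.0, 40.0], {"GB"}, {"dev-A"})
NORMAL_TX = Transaction("payer-1", 28.0, "GB", "GB", "dev-A")      # usual spend, known device
ANOMALOUS_TX = Transaction("payer-1", 450.0, "BR", "GB", "dev-Z")  # big, foreign, new device
```

A cross-border payment on a known device for a usual amount scores only 10 here, so it still clears without SCA; the anomalous transaction trips all four checks and is stepped up.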
The bottom line is that the PSD2 is coming, and is set to shake up the payments industry like never before. Online merchants and their PSPs need to start thinking clearly about how best to comply with the new provisions in a way which won’t affect the bottom line. Best-in-class risk-based fraud solutions offer one important piece of the puzzle, keeping fraud and friction at a minimum and the regulators happy.
You can find out more about PSD2 and how to tackle the challenges surrounding the legislation by downloading this whitepaper from ThreatMetrix.
Sourced by Alisdair Faulkner, chief products officer at ThreatMetrix