Banks want to be password-free within 18 months; here are 5 steps to help you get started

The most frequently asked question I get from banks is "What do we need to think about if we want to move away from passwords?" So I have written this guide for banks that want to implement a one-time password (OTP) strategy as their form of strong authentication.

Step 1. Analyse your data

Ask questions such as: How many email addresses and mobile numbers do you hold? How up to date is that data? What processes can you start now to make sure the mobile number or email address on file is current? Remember that an OTP is only as trustworthy as the channel it is sent to, so contact-detail hygiene is a security control, not just a data-quality exercise.

Advice: Implement or optimise a risk-based approach before launching OTP. Challenging a large proportion of transactions with OTP is expensive and increases the chance that a transaction fails or is abandoned. With a well-performing analytical model profiling each cardholder's behaviour and device in the background, ideally no more than 4-5% of transactions should need additional authentication.
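As an added illustration (not code from this article or from any vendor's product), here is a minimal risk-based step-up decision in Python: each transaction gets a score from a few behaviour and device signals, only transactions at or above a threshold are sent for OTP, and a helper finds the threshold that keeps the challenge rate within the 4-5% budget described above. The signals, weights and sample transactions are constructed assumptions; in production the score would come from a trained model fed by the cardholder and device profiles.

```python
# Added example, not from the original article: a minimal risk-based
# step-up decision. Signals, weights and sample data are assumptions.
from dataclasses import dataclass
from typing import List


@dataclass
class Txn:
    card: str
    amount: float
    avg_amount: float       # cardholder's typical amount from their profile
    device_known: bool      # device fingerprint seen before for this card
    country_match: bool     # transaction country matches the profile
    txns_last_hour: int     # velocity on this card
    merchant_risk: float    # 0.0 (low) .. 1.0 (high) from merchant profiling


def risk_score(t: Txn) -> float:
    """Score in [0, 1]; higher means more suspicious. Weights are illustrative."""
    score = 0.0
    if not t.device_known:
        score += 0.35
    if not t.country_match:
        score += 0.25
    if t.avg_amount > 0 and t.amount > 3 * t.avg_amount:
        score += 0.20
    if t.txns_last_hour >= 5:
        score += 0.15
    score += 0.20 * t.merchant_risk
    return min(score, 1.0)


def needs_challenge(t: Txn, threshold: float) -> bool:
    """Step up to OTP only when the score reaches the threshold."""
    return risk_score(t) >= threshold


def challenge_rate(txns: List[Txn], threshold: float) -> float:
    """Fraction of transactions that would be sent for OTP at this threshold."""
    return sum(needs_challenge(t, threshold) for t in txns) / len(txns)


def tune_threshold(txns: List[Txn], target_rate: float, steps: int = 100) -> float:
    """Lowest threshold (i.e. the most challenges) whose challenge rate stays
    within target_rate. The rate falls as the threshold rises, so the first
    threshold that fits challenges the most transactions inside the budget."""
    for i in range(steps + 1):
        th = i / steps
        if challenge_rate(txns, th) <= target_rate:
            return th
    return 1.0


def sample_transactions() -> List[Txn]:
    """Constructed sample: 100 routine transactions with four risky ones mixed in."""
    txns = [Txn(f"card{i % 20:02d}", 40.0 + i, 50.0, True, True, 1, 0.1)
            for i in range(100)]
    txns[3] = Txn("card03", 900.0, 50.0, False, False, 1, 0.6)   # new device, abroad, large
    txns[17] = Txn("card17", 250.0, 50.0, False, True, 6, 0.3)   # new device, burst of txns
    txns[42] = Txn("card02", 60.0, 50.0, False, True, 1, 0.2)    # new device only
    txns[77] = Txn("card17", 1200.0, 50.0, True, False, 2, 0.9)  # abroad, risky merchant
    return txns


if __name__ == "__main__":
    txns = sample_transactions()
    th = tune_threshold(txns, target_rate=0.05)
    print(f"threshold={th:.2f} challenge_rate={challenge_rate(txns, th):.2%}")
    for t in txns:
        if needs_challenge(t, th):
            print(f"  challenge {t.card} amount={t.amount} score={risk_score(t):.2f}")
```

On the constructed sample a threshold of 0.5 challenges 3% of transactions and 0.3 challenges 4%, both inside the 4-5% budget; tightening the budget to 3% forces the threshold up to 0.4, which lets the "new device only" case through unchallenged. That trade-off between challenge rate and missed risk is exactly what the allow-rate versus fraud-rate tuning in Step 4 is about.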

Step 2. Map out your desired customer journey 

Ask questions such as: What do we want to do for customers with accessibility needs (DDA, the Disability Discrimination Act)? What is our fall-back position, and do we want a fall-back at all? Will customers like OTP? What happens if they change their mobile number? What security steps should surround a change of contact details, given that whoever controls the registered number or email address receives the codes?

Advice: The benefit of OTP is that there is no enrolment process, which is a better experience for customers. While there is still time before strong authentication becomes mandatory, run tests: for example, take small groups of cardholders and do dry runs before a complete roll-out. Consider whether you can build OTP into your online banking app. Push notifications cost far less than SMS, and building authentication into an app the cardholder already knows and trusts is a good idea. It is also very important to keep authentication consistent across portfolios, i.e. credit, debit and online banking.

Step 3. Use this opportunity to think about linking systems and enriching your knowledge about the cardholder 

Ask questions such as: What data could be combined to make a better decision about this transaction? Which other decisioning systems should we feed data into and take data from?

Advice: Exposing APIs is quickly becoming the norm, and cloud-based systems make integration easier. This is pushing more and more technology vendors to expose APIs so that systems can share data. Start this discussion with your provider and consider all of the possibilities.

Step 4. Timeline to implement 

Planning items:

  • How often the 3D Secure vendor is updated with cardholder changes of details: in real time or by overnight batch.
  • Analyse existing challenge rates to predict OTP volumes and estimate costs. While predicting these volumes, consider how they are likely to grow over the next three years to avoid unexpected costs.
  • Define merchant screens and design suitably branded OTP messaging. Include the amount and merchant in the message so the cardholder can recognise a transaction they did not initiate.
  • Ask your 3D Secure partner to help you scope requirements and provide a project plan, so you understand what is involved on both sides.
  • Look at your options: push notifications, SMS, email, biometrics etc. Consider a multi-channel approach to authentication. Explore and anticipate the changes coming with 3D Secure 2.0.
  • Allow extra time to test and analyse success rates and abandonment. Ask customers for their feedback.
  • Optimise your risk-based approach: find the highest allow rate you can run at an acceptable fraud rate. The more transactions you can approve without any kind of challenge, the better.
  • 3-6 months is a reasonable timescale for implementing OTP. The most difficult step for issuers is deciding what type of OTP to choose. Cost is a consideration: OTP should reduce fraud liability on transactions processed through 3D Secure by around 70%. The business cases I have reviewed show a very positive return on investment, in some cases around 10 times return from the fraud reduction alone. If you take reduced password-reset calls etc. into account, the return could be greater.
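Whichever delivery channel you pick from the list above, the issuer side still has to generate and check the code correctly. The following Python is an added example, not code from this article or from any 3D Secure vendor, showing the checks a practitioner would expect on that path: a code bound to the amount and merchant it was issued for (so a code obtained for one transaction cannot be replayed against another), a lifetime, an attempt limit, single use, a constant-time comparison, and only a salted hash of the code held in the store. The 6-digit length, 5-minute lifetime, 3-attempt limit and in-memory store are assumptions chosen for the example.

```python
# Added example, not from the original article: issue and verify a one-time
# code for a 3D Secure challenge. Assumed parameters: 6 digits, 5-minute
# lifetime, 3 attempts, in-memory store, code bound to amount + merchant.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_LIFETIME_S = 300
MAX_ATTEMPTS = 3


@dataclass
class Challenge:
    code_hash: bytes    # salted HMAC of the code; the code itself is never stored
    salt: bytes
    issued_at: float
    attempts: int = 0
    used: bool = False


def txn_binding(amount_minor: int, currency: str, merchant: str) -> bytes:
    """Hash of the transaction details the code is tied to."""
    return hashlib.sha256(f"{amount_minor}|{currency}|{merchant}".encode()).digest()


def _code_hash(code: str, salt: bytes, binding: bytes) -> bytes:
    return hmac.new(salt, code.encode() + binding, hashlib.sha256).digest()


class OtpService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock, for testing expiry
        self._store: Dict[str, Challenge] = {}

    def issue(self, challenge_id: str, amount_minor: int, currency: str, merchant: str) -> str:
        """Create a code for one specific transaction. The returned code goes
        into the SMS/push message together with the amount and merchant, so the
        cardholder can spot a transaction they did not initiate."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        binding = txn_binding(amount_minor, currency, merchant)
        self._store[challenge_id] = Challenge(_code_hash(code, salt, binding), salt, self._now())
        return code

    def verify(self, challenge_id: str, code: str,
               amount_minor: int, currency: str, merchant: str) -> str:
        """Return 'ok' or the reason the code was rejected. Expiry, the attempt
        limit and single use are enforced before the comparison; a code issued
        for one transaction does not verify against a different amount/merchant."""
        ch = self._store.get(challenge_id)
        if ch is None:
            return "unknown"
        if ch.used:
            return "used"
        if self._now() - ch.issued_at > OTP_LIFETIME_S:
            del self._store[challenge_id]
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "locked"                  # caller falls back per Step 2, no more guesses
        ch.attempts += 1
        presented = _code_hash(code, ch.salt, txn_binding(amount_minor, currency, merchant))
        if not hmac.compare_digest(presented, ch.code_hash):
            return "invalid"
        ch.used = True
        return "ok"


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("challenge-1", 12999, "GBP", "Example Store")
    print("SMS: Your code for GBP 129.99 at Example Store is", code)
    print(svc.verify("challenge-1", code, 12999, "GBP", "Other Store"))    # invalid
    print(svc.verify("challenge-1", code, 12999, "GBP", "Example Store"))  # ok
    print(svc.verify("challenge-1", code, 12999, "GBP", "Example Store"))  # used
```

Note that a correct code is still refused once the attempt limit has been hit, and that an expired challenge is removed rather than left around to be retried; both are cases where the customer journey needs the fall-back discussed in Step 2.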

Step 5. Partner with a flexible provider that has your business interests at heart. Authentication is evolving, and you need a partner that is progressive and creates solutions that will enhance your cardholder's experience.

Ask questions such as: How much control and flexibility does the system provide? Look at your authentication partner's portfolio for a wide range of options, so that you can adapt if needed. Fraudsters will find new ways to compromise security, at which point you need a partner who can help you solve your security challenges fast.

Advice: Select a partner with an agile approach to innovation. Speed is everything in the next phase of our financial revolution. PSD2, open banking APIs and 3D Secure 2.0 are the building blocks of the next generation of banking. Make sure you are in a position to adapt to the market. PSPs and customers will be a formidable force and will likely dictate the customer journey. Those in a position to capitalise quickly will reap the rewards.
