Ville Sointu, head of emerging technologies at Nordea, highlights that the intent of GDPR was “fantastic. It provides better data protection for the citizens of the European Union and beyond and therefore, asking companies to be more diligent with personal
data and giving customers more control.” However, despite these intentions, there are downsides, and these have manifested themselves as friction.
“For most of us, we are now seeing an endless amount of pop ups about cookies and GDPR consent has effectively corrupted the rewriting of the user experience that was occurring,” Sointu says.
This is an extract from 'The Future of Identity 2020: Technology, Security and Regulation Driving Trends of Tomorrow', a Finextra report, sponsored by OneSpan.
At the end of 2019, the European Banking Authority (EBA) pushed the deadline for the migration to Strong Customer Authentication (SCA) back to 31st December 2020, extending implementation of the new rules by 15 months. As a result of the pandemic, the UK
deadline has been extended further to September 2021.
Initially scheduled for introduction in September 2020, the EBA opted to delay due to the complexity of the requirements, a lack of preparedness by financial institutions and the potential for a significant impact on consumers.
Further to this, despite calls to reassess in light of the Covid-19 crisis, the European Commission’s refusal to further delay the introduction of SCA rules for online transactions could cost merchants up to €90 billion in lost sales for 2021 alone,
according to payments consultancy CMSPI.
CMSPI says the rules - which demand a two-step verification process for all online purchases over €30 - will add complexity at the checkout and make life harder for retailers after what has already been a tough year. The consultancy claims that the extended
deadline for the UK - until September 2021 - is set to prevent €17 billion in disruption to the economy, with “only” €7 billion in failed transactions.
In Europe, merchants could face up to €90 billion in losses as they rush to implement what may be “suboptimal solutions,” argues CMSPI. Toby McFarlane, head, approvals and fraud, CMSPI, said: “This is hugely disappointing news for European merchants. Not
only do they now have limited time to prepare, the knock-on effect of approval rates, and therefore lost revenue, is potentially staggering.”
There was concern about the failure to agree upon a harmonised approach across the European Union, but the new deadline urged domestic market regulators to focus on monitoring migration plans rather than pursuing enforcement action against noncompliant payment
Following the extension, JPMorgan executive director of production solutions Brian Gaynor also highlighted that while it may be tempting to relax, companies must “onboard new SCA implementation systems early to iron out any kinks and ensure they are fully compliant in time for the revised deadline.”
This transition period may be a golden opportunity, but time is swiftly running out for companies that are still unprepared. Compliance is merely the first stage of full adoption: banks must ensure that SCA does not negatively impact usability through over-implementation, and must consider whether authentication by text message, for example, would add friction or be secure enough.
Strauss believes that while the regulator is now “catching up to the reality of the market, it is also becoming the biggest innovator.” However, what this does not mean is that when a new regulation is put in place, “there are a myriad of new functions,
features and solutions that can be offered to customers.” Banks need to comply and organise themselves so that the customer journey is frictionless – but “sometimes there will be remaining friction and that’s a fact of life in highly regulated businesses.”
Sointu continues: “What we would like to see from a regulatory standpoint is for them to be less focused on technical details of the implementation and look at the intent and measuring the outcome, and then adjust accordingly. Otherwise we will always
be playing catch up.”
SCA through 3DS 2.0
Before attempting to comply, financial services providers must ensure they are educated and fully understand what Strong Customer Authentication is. A recent report by Stripe found that 73% of consumers are not aware of the new authentication requirements
and 74% of Generation Z shoppers have abandoned an online purchase at checkout due to a bad experience.
Despite this evident increase in friction, some may argue that friction is unlikely for the digital consumer of today, who is well versed in two-factor authentication (2FA). As online shopping may be carried out on mobile devices, SCA may not be a problem and, in the long term, may reduce fraud after remedying the fragmented nature of payments and ecommerce.
An approach that is being considered is an upgrade to EMV Three-Domain Secure (3-D Secure, or 3DS), a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) ecommerce purchases. This additional security layer helps prevent unauthorised CNP transactions and protects the merchant from CNP fraud.
3DS 2.0, the standard introduced by EMV and major card schemes, will tackle authentication with data, biometric authentication and an improved online experience. Combining software development kits (SDKs) with data sharing application programming interfaces
(APIs), information about customers can be shared between banks and merchants and used to make better risk decisions, giving businesses an authorisation uplift.
Conformity with requires active approval from the consumer, which can be applied with a two-factor authentication code that is sent via email or SMS, or an app-switch to an issuing bank application in which the user can use their fingerprint or face to authenticate biometrically, which would reduce abandonment rates seen in older solutions based on the static password.
While the biggest driver for businesses and banks to implement 3DS 2.0 is the enforcement of SCA at the end of the year, there are two core components of integration to consider: the front-end libraries, which collect and transmit device information and display authentication flows, and the server, which exchanges information and requests authentication.
In some parts of the world, banks have worked with the government and third party vendors successfully to create federated digital identities, linking an individual’s electronic identity and attributes that are stored across multiple distinct identity management
systems and have solved the issue of ‘proving we are who we say we are’ by giving their citizens an online identity that is recognised by secure authorities.
Once this approach has been tried and tested for usability and scalability and has established itself as a strong proposition, banks can begin to reduce onboarding costs by partnering with third party players (TPPs) that use 3DS 2.0 and create a targeted, personalised identity solution, pipping new entrants to the post. Federated digital identities also remedy the multiple password problem because only one needs to be remembered. Additionally, from the service provider’s perspective, the onboarding process becomes simpler because receiving customer information that has already been verified by banks makes it difficult to commit identity fraud.
However, many digital identity schemes have had a lack of uptake because consumers have been forced to endure a separate onboarding process in some cases as a result of increased data protection, meaning that traditional Know Your Customer (KYC) and Anti
Money Laundering (AML) requirements become largely administrative and cumbersome for the customer as ultimately, several proofs of identity are required.
Due to increased data breaches and identity fraud – and the subsequent heightened news coverage of them – there continues to be a reluctance to share data across the world, but the benefits of a digital identity solution are numerous.
Having a holistic identity authentication solution that runs across business lines, siloes and departments reduces the cost of onboarding in terms of process and speed, and also generates a stronger overall view on the customer, in turn leading to better
understanding and hence, a more bespoke service.
The coronavirus lockdown spurred widespread adoption of digital identity technology in Canada as citizens needed to be verified to get emergency aid from the government – a shift that could become permanent, as one American Banker article explains.
“During the lockdown, Canadians couldn’t show up in person for bank loans or government benefits. The only way they could apply for coronavirus-related government aid was by remotely logging into their Revenue Canada accounts. However, they had to prove
they were who they said they were.”
The article continues: “One option was to apply for government services security credentials to be posted to them, but, because of the lockdown, these took several weeks to arrive. The other alternative was to use a digital ID online.
“Unsurprisingly, many applicants opted for this method, leading to huge demand for two Canadian digital authentication platforms, Concierge from SecureKey Technologies and GCKey from 2Keys. Both Concierge and GCKey provide single-sign-in digital authentication
for accessing Canadian government services and benefits.”
Remaining ahead of the game
Thirty-eight per cent of customers drop out of the onboarding process when applying for a new product or service because of frustration with paperwork or the volume of information required, Deloitte research found. Further to this, 52% of consumers surveyed
said that they would be more likely to complete a new account application with a bank if the entire process was online.
A similar figure highlighted that an online process would encourage them to take additional services from the bank, resulting in traditional players having the opportunity to retain and expand their relationship with existing customers, rather than lose
them to fintech providers that boast a smooth onboarding process.
If banks do not invest in customer experience, customers will simply go elsewhere. While financial services providers have somewhat improved their onboarding process, customer expectation has shifted because of these new financial players, but also because customers are now accustomed to slicker interfaces elsewhere on services that Big Tech companies offer.
Despite the European Union’s eIDAS regulation that helps verify the identity of individuals and businesses online or the authenticity of electronic documents, digital identity is not yet universal across Europe, but banks will be the trusted party to change
this with the help of Open Banking initiatives and PSD2.
Due to this increased permeation of technology in society, it could be said that a great identity solution is one that is invisible and embedded in the system that customers are accustomed to using, reducing friction.
For banks, having secure front-end verification minimises the risk of authenticating bad actors; Boston Consulting Group predicted that the identity authentication and fraud solutions market will boom from $12 billion in 2018 to a staggering $28 billion in