In my previous post, I explained how biometric authentication’s time has come, and that an authentication hub is a viable response for addressing the challenges of today’s increasingly complex security environment. Now I’m going to set the deeper context for moving in this direction.
Multi-factor authentication: a regulatory requirement
In 2007, the Payment Services Directive (PSD) created a single market for payments within the European Union (EU), which included regulation covering credit transfers, direct debit transfers and cards.[1] PSD2 is a follow-on effort in response to the significant digitalization of the European economy since the implementation of PSD.
In this digitized environment, new entrants to the market have provided new services that fall outside of PSD and the EU-regulated framework. PSD2 appears to be seeking to make payments more transparent and safer, while encouraging innovation and a more competitive marketplace.
The main changes under the PSD2 framework include:
- The acknowledgement of third-party payment service providers (TPPs) who will be able to access customer accounts via application programming interfaces (APIs) to make payments on behalf of customers and provide an overview of their various payment accounts through a single interface
- Increased transparency into the cost details for a single transaction
- Innovation promotion within the payments space
Additionally, strong customer authentication (SCA) brings more robust consumer protections by combining security measures with requirements on the authentication elements used, which are categorized as:[2]
- Knowledge—those elements only the user knows, such as PINs or passwords
- Possession—those elements only the user possesses, such as a mobile device or token
- Inherence—those elements integral to each user (and read by devices and software), such as biometrics (fingerprint, face, etc.)
Under this framework, banks that fail to apply SCA cannot require payers to bear any financial consequences unless the payer has acted fraudulently. Banks may also be required to compensate other payment providers, or even intermediaries, “for any losses incurred or sums paid.”[3]
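The practical consequence of the three categories above is that a bank must be able to decide, per transaction, whether the elements it has just verified come from at least two different categories. Two elements from the same category (a password and a PIN are both knowledge) do not make a second factor. The following is an added example, not code from the post or from any bank or vendor; the authenticator type names and their category mapping are assumptions constructed for illustration.

```python
from enum import Enum


class Factor(Enum):
    """The three SCA element categories named in the post."""
    KNOWLEDGE = "knowledge"     # something only the user knows
    POSSESSION = "possession"   # something only the user has
    INHERENCE = "inherence"     # something the user is


# Constructed mapping from authenticator types to their SCA category.
# The type names are assumptions for this example, not values from PSD2.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "otp_app": Factor.POSSESSION,        # OTP generated on a registered device
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def verified_categories(verified_authenticators):
    """Return the distinct SCA categories covered by the verified authenticators.

    An unknown authenticator type raises ValueError so the check fails closed
    rather than silently counting something it cannot classify.
    """
    categories = set()
    for name in verified_authenticators:
        if name not in AUTHENTICATOR_CATEGORY:
            raise ValueError(f"unknown authenticator type: {name!r}")
        categories.add(AUTHENTICATOR_CATEGORY[name])
    return categories


def meets_sca(verified_authenticators):
    """True when at least two *different* categories were verified.

    Two elements from the same category (e.g. password and PIN) are both
    knowledge, so they count as one category and do not satisfy SCA.
    """
    return len(verified_categories(verified_authenticators)) >= 2


def explain(verified_authenticators):
    """Human-readable verdict for an audit log line or an operator dashboard."""
    covered = verified_categories(verified_authenticators)
    missing = set(Factor) - covered
    verdict = "SCA satisfied" if len(covered) >= 2 else "SCA NOT satisfied"
    covered_names = sorted(f.value for f in covered)
    missing_names = sorted(f.value for f in missing)
    return f"{verdict}: covered={covered_names} missing={missing_names}"


if __name__ == "__main__":
    # Constructed sample attempts: same-category pair, mixed pair, three categories.
    for attempt in (["password", "pin"],
                    ["password", "otp_app"],
                    ["fingerprint", "hardware_token", "pin"]):
        print(attempt, "->", explain(attempt))
```

The check is deliberately strict in two places: it counts categories rather than authenticators, so stacking several knowledge elements never passes, and it rejects any authenticator it cannot classify instead of ignoring it, so a new authentication method added to the hub has to be categorized before it can contribute to an SCA decision.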
The trends behind “authentication in the New”
In addition to this new, and more stringent, regulatory environment, the following three key trends are prompting a new class of authentication platform:
- The explosion in mobile device usage
Many online service providers, online retailers and banks are offering customers options to authenticate across multiple channels for added security, ease of use and a better customer experience, as well as to comply with regulatory frameworks.
- New digital authentication methods
Seamless authentication between channels and services, and interoperable universal authentication schemes are making it easier for customers to use one set of credentials to authenticate for services provided by different organizations.
- Cross-channel harmonization and integration
Authentication at ATMs (automatic teller machines) is now possible via mobile device biometrics. Banks have also begun to exploit voice biometrics for added security and an enhanced customer experience. Some banks are also pioneering new authentication methods.
What these developments mean to financial services firms
As the security authentication environment becomes more complex and multi-layered, managing such an environment is becoming equally complex and multi-layered. An authentication hub provides the ideal framework for facilitating and streamlining the authentication management process.
In my next post, I’ll share what a multi-factor authentication hub looks like as well as some key considerations in implementing this type of model in your firm’s security environment.
For a comprehensive view of all aspects of the authentication hub and “authentication in the New,” please see Accenture’s Biometric Authentication in the New Digital World.
- [1] “Payment services (PSD 1) – Directive 2007/64/EC,” European Commission. Accessed at: https://ec.europa.eu/info/law/payment-services-psd-1-directive-2007-64-ec_en
- [2] “Draft Regulatory Technical Standards on Strong Customer Authentication and common and secure communication under Article 98 of Directive 2015/2366 (PSD2),” European Banking Authority, Final Report, February 23, 2017. Accessed at: https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+(EBA-RTS-2017-02).pdf
- [3] “Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC /* COM/2013/0547 final – 2013/0264 (COD) */,” European Union, EUR-Lex. Accessed at: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52013PC0547