The challenges that financial institutions face trying to manage customer experience and security are considerable. Pull the lever too far one way and you begin to sacrifice aspects of the other. But when new regulation such as PSD2 comes in, the belief is that security needs to be prioritised over customer experience. However, this doesn’t need to be the case.
Any regulation usually means that you need to make changes. Whether it is systems that are now too old to meet the new requirements placed on them or processes that need to be updated, complying tends to take a lot of time and effort for organisations.
The two most recent regulations to come into force, GDPR and the revised Payment Services Directive (PSD2), are perfect examples. With huge changes to the management of data and security, and large fines for non-compliance, organisations need to make considerable changes. But the weight of compliance can be heavy, in both cost and time, for the organisation.
Without a doubt, building for the future is better in the long-term, but with budgets set annually to comply with company priorities, this isn’t always the case. In these instances, complying with regulations becomes a juggling act between customer experience and security. So, with so much on the line, what approach works best?
Short term gains vs. long term wins
When new regulations are introduced, the whole industry is placed under considerable pressure to comply, which drives some organisations to push back on the regulator. This discourse often leads to exceptions for organisations that can show they are managing the risks within certain constraints, allowing them to avoid the initial risks around non-compliance without having to make large investments and risk impacting their customers. However, this means that for every change to these regulations going forward, the organisation will have to react accordingly, forever keeping one step behind regulatory changes.
Given this, a reactive approach isn’t necessarily the cheapest. It has been proven time and again that taking a reactive approach to regulation means that resources and technologies have to be continually stretched to meet requirements. Not to mention that if there is ever a non-compliance issue, there is a risk of fines and loss of customer confidence, and of having to implement the maximum standards anyway.
By taking a short-term view, organisations can often end up taking a costlier route over time than if an initial investment had been made at the beginning. The impact this has on customer experience can be considerable, as customers encounter more friction due to a standardised catch-all approach to security. Whilst the compliance team might be happy, the CISO and the operations teams are paying the price with continued fraud risks and falling customer satisfaction.
PSD2: Security vs customer experience
If we look at strong customer authentication (SCA), part of the updated PSD2 directive, it requires two independent authentication factors drawn from different categories among possession, knowledge and inherence. For organisations looking to meet the bare minimum, running strong customer authentication on legacy systems means that customers are likely to receive the same authentication requests whether they are transferring £5 or £500. This level of friction is like asking for proof of identity every time you’re buying your morning coffee - it’s unnecessary.
Not only does it increase friction, but we risk isolating pockets of society, namely those that don’t have access to biometric technologies on their mobile devices, or those that are unable to provide a fingerprint. By taking a minimal approach, the short-term win is often engulfed by the long-term firefighting that results, particularly if you’re trying to prove compliance.
This is one of the greatest challenges with any regulation. Often a policy can be implemented, but it is difficult to provide evidence as to which section of a regulation it relates to and why it was implemented. It is certainly a paradox: how do you comply with regulations without increasing the risk of fraud or damaging customer experience, and prove it?
Friction doesn't have to be a negative word
In order to solve the paradox, we need to be looking at how we can add friction at the right time. The ability to take individual customer transactions on a case-by-case basis helps separate the fraudulent activity from the legitimate.
By intelligently adding friction, such as a PIN or biometric challenge, only to the transactions that look fraudulent or don’t quite look normal, we can be surer that the correct user made the transaction. Increasing authentication only where necessary means users can transact without being blocked by ‘catch-all’ authentication steps, which reduces false positives and disputed claims. And because the checks are in place, security is increased and compliance is met, including strong customer authentication, as passive checks help verify a user’s identity.
All of this can be done using the right policy tool. By investing in a policy manager that can develop dynamic policies, adapting individual journeys based on the information available, organisations can spend time testing and improving policies, rather than simply adding new ones to fix the problems of the old.
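To make the idea concrete, here is an added example (not code from the original post or from any particular policy product) of a risk-based step-up policy: friction is added only when a transaction deviates from the customer's normal pattern, the SCA check insists on two factors from different categories, the challenge chooser prefers a non-biometric factor so customers without biometric-capable devices are not excluded, and every triggered rule is named so the decision can be evidenced later. The thresholds, rule names, factor list and sample transactions are all constructed assumptions for illustration.

```python
# Added example: risk-based step-up with an auditable reason trail.
# Thresholds, rule names and factor categories below are constructed for illustration.
from dataclasses import dataclass, field

FACTOR_CATEGORY = {          # SCA factor categories: knowledge / possession / inherence
    "password": "knowledge", "pin": "knowledge",
    "device": "possession", "otp_app": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

@dataclass
class Transaction:
    amount: float
    known_device: bool          # passive check: device previously seen for this user
    usual_country: bool         # passive check: location matches the customer's pattern
    avg_amount: float           # customer's typical transaction size

@dataclass
class Decision:
    step_up: bool
    reasons: list = field(default_factory=list)   # which rules fired, for the audit log

def evaluate(tx: Transaction, high_value: float = 100.0) -> Decision:
    """Apply dynamic rules; every triggered rule is recorded by name."""
    d = Decision(step_up=False)
    if tx.amount >= high_value:
        d.reasons.append("high_value_threshold")
    if tx.amount > 3 * tx.avg_amount:
        d.reasons.append("amount_deviates_from_profile")
    if not tx.known_device:
        d.reasons.append("unrecognised_device")
    if not tx.usual_country:
        d.reasons.append("unusual_location")
    d.step_up = bool(d.reasons)   # no anomalies: let the customer through without friction
    return d

def satisfies_sca(factors_used):
    """SCA needs two factors from different categories; two of the same kind do not count."""
    cats = {FACTOR_CATEGORY[f] for f in factors_used if f in FACTOR_CATEGORY}
    return len(cats) >= 2

def choose_challenge(available, already):
    """Pick a factor from a category not yet used. The caller lists 'available'
    with accessible (non-biometric) options first so nobody is locked out."""
    used = {FACTOR_CATEGORY[f] for f in already}
    for f in available:
        if FACTOR_CATEGORY[f] not in used:
            return f
    return None   # no usable second factor on this device; route to a fallback channel
```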
By investing in the right tools, the identity paradox is solved, placing you and your customers in a much better position. It’s clear there’s a third option when it comes to compliance around regulations, one that helps grow a business rather than just defend it.