On 1 October 2020, UK Finance updated its industry guidance on Strong Customer Authentication (SCA) under PSD2. Among these updates it was interesting to see a specific focus on the application of behavioral biometrics and on layering behavioral biometrics with other circumstantial evidence.
This is something that we’ve been talking about for quite some time. For us, this use of behavioral data ‘ensembled’ with additional insights is an essential part of any digital identification process. We are the only firm in the world that can do this with a single SDK, making a 1FA (1 factor authentication) username/password login into a 3FA login with layered location, device and behavioral biometric authentication data, collected passively in the background. With many vendors offering single solutions that identify fraud, turning to solutions that positively identify the user can provide greater protection against fraud.
With this in mind, we see the latest guidance as a real positive step forward. So, what are the four key takeaways from this latest UK Finance update?
1. Behavioral biometrics must positively identify the user
The first major clarification the guidance offers is the reiteration that, in line with previous European Banking Authority (EBA) opinions, behavioral biometrics that identify a specific user constitute an inherence factor under SCA. The key here is that behavioral biometric solutions must be able to positively identify the user for inherence to be achieved.
This notion of positive identification forms the core basis of our approach to meeting SCA. Our behavioral biometrics passively analyze traits that another individual wouldn’t be able to replicate, such as keystroke patterns, finger pressure and muscle memory. This was ratified in the EBA Opinion issued in June 2019, which confirmed the use of swipe authentication (a behavioral authentication method unique to Callsign) as an inherence factor.
In addition, the EBA had previously set conditions that must be met for any inherence-based approach, stating (with a strong emphasis on the quality of implementation) that there must be a “very low probability of an unauthorized party being authenticated as the payer”. This is where our ensembling capabilities provide additional assurances to issuers.
2. Ensembling strengthens behavioral biometric capabilities
The UK Finance guidance recommends that banks ‘layer’ other circumstantial evidence (such as location data) on top of their behavioral biometric analysis, to provide stronger evidence that the user is who they claim to be. Whilst this is something that can be achieved with several point-based solutions, issuers must be conscious of (and mitigate against) conflicting scores, which can lead to increased false positives and negatives – potentially damaging the user experience.
Our approach to SCA combines behavioral biometric analysis with information about a user’s device and location to create a single score, in a process we call ensembling. By looking at each of these data points individually and as a whole, we can provide greater assurance of the customer’s identity even if they have changed device or are transacting in a new location (such as on holiday). This level of insight allows issuers to further strengthen their authentication capabilities. More information can be found in this webinar.
3. Customer experience is key
For all payment scenarios, UK Finance’s view is that payment providers should “deliver the best customer journey and deliver the spirit behind PSD2.”
While meeting the regulation is clearly essential, it’s encouraging to see industry bodies and UK regulators continuing to take a pragmatic approach and emphasizing the importance of customer experience. Customers want seamless payment experiences that allow them to get on with their online interactions without unnecessary friction. Meeting SCA requirements shouldn’t mean sacrificing one to meet the other. Issuers should understand that adding undue friction puts customers off. In this scenario it’s not just merchants being affected; poor authentication experiences can affect top-of-wallet status. In a digital world with card details often saved to the browser, this can lead to lasting damage.
UK Finance makes it clear in this guidance, as well as in its previous communications, that while it is providing recommendations on possible approaches, this does not preclude firms from delivering enhanced solutions.
Issuers should be looking beyond simply complying with SCA guidance. Methods such as passive behavioral authentication give them the opportunity to reduce friction for their customers as well as fraud, and this is what leads to return purchases and smoother transactions.
4. Look ahead – technology solutions are evolving quickly
The guidance recognizes that the industry is constantly evolving and that new data analytics and technologies “will bring improvements to security and the user experience”.
When implementing new solutions, it is important that banks consider what technology could do in the next 3 to 5 years and beyond, and put in place the foundations that will allow for future technological developments. The real challenge here is for issuers to avoid the ‘quick-fix’ approach and to consider the applicability of solutions alongside their capability. Solutions that offer code-free policy updates, seamless orchestration capabilities and real-time testing and reporting can give issuers the tools and insight they need to provide customers with the seamless payment experiences that the guidance refers to.
Given the extension the UK industry has been granted for SCA compliance, organizations shouldn’t be looking for a short-term tactical fix but should be putting in place the right long-term solution for them and their customers. Based on UK Finance’s recommendations, we are the only vendor that can truly offer this, delivering positive behavioral biometrics and ensembling through one single solution.