Open Banking without Strong Customer Authentication creates bad customer experience and leaves banks vulnerable. So why adopt one without the other?

An opinion piece by Ali Chamseddine, Head of Payments Strategy at Callsign

Regulators around the world are implementing various incarnations of Open Banking with the goal of changing how payments are made in their regions. They are looking for faster, cheaper, and simpler payments internationally, and they are trying to stimulate innovation to achieve this through Open Banking.

Where previously banks only allowed their customers to see their accounts through the bank's own website or mobile app, Open Banking now requires banks to make this data available to any aggregator that connects to it, giving consumers control over their data and their finances. This has allowed a wealth of new banks, services, and ecosystems to emerge around payments, in turn giving consumers greater choice of financial service providers.

In Europe, Open Banking launched a payment directive alongside authentication regulations, specifically Strong Customer Authentication (SCA). We are now seeing the start of Open Banking initiatives in several GCC countries. Bahrain leads the charge, with every bank opening up its application programming interfaces (APIs) and making customer data fully available. The Saudi Arabian Monetary Authority (SAMA) has introduced an Open Banking policy to advance innovation in the sector, planned to go live in 2022; and in the UAE, Emirates NBD has partnered to develop a cloud-based, gamified Open Banking sandbox to enable developers and FinTechs to innovate, build and publish API applications.

However, except for Bahrain, regulators have not yet stepped in to shape this movement. Why does this matter?

It matters for two reasons: without a consistent approach to SCA, both the security and the usability of the entire ecosystem are compromised.

Although Open Banking is undeniably a positive move for both consumers and financial institutions, it potentially opens thousands of insecure digital channels. Open Banking journeys are orchestrated through redirect flows, in which users are returned to their bank's login page or banking app to authenticate and authorize access to account information or initiate a payment.

This affects both web and mobile channels that banks own but do not control, such as aggregator applications and outbound channels where money is spent with merchants in card-not-present transactions.

As financial services across the UK and mainland Europe found from experience, the redirected customer journey and traditional authentication methods such as usernames and passwords negatively impacted the user experience and are open to compromise.

However, the regulators stepped in to drive Open Banking momentum by introducing SCA to protect consumers and to enhance both security and customer experience. The European Banking Authority stipulated that, under the SCA requirements, when a customer accesses their payment account online or makes an electronic payment, they must authenticate using two factors of authentication.

Issuers need to select two elements from two of the three different SCA categories: knowledge (something only the user knows), possession (something only the user possesses), and inherence (something the user is).

The widespread use of mobile phones led to their adoption as a common authentication mechanism for transaction authorization and identity verification, typically in the form of SMS OTP alongside username and password.

Under SCA, the use of SMS OTP is categorized as a “possession” factor, based on the possession of a SIM-card associated with the respective mobile number.

However, regulators in the UK have since recognized that there are issues with OTPs, such as security vulnerabilities due to SIM swap and sophisticated SMS interception attacks. OTPs deliver a poor customer experience too: if there is a poor signal, this can lead to cart abandonment during a payment journey.

There are also considerable cost implications for issuers who must pay each time an SMS is sent. This can be multiple times per transaction in the case of the SMS not being received, with the customer trying repeatedly to complete their journey.

Customers want seamless payment experiences that allow them to get on with their online interactions without unnecessary friction. Regulators recognize that knowledge factors, which require customers to use and manage a password or PIN, have the potential to increase both friction during checkout and fraud risk.

The use of behavioral biometrics in conjunction with a secure device is driving standardization for consumers and provides better security and customer experience. Passive behavioral biometric authentication methods include how a user swipes their phone or the pressure they use to type; because these traits are inherent, they positively identify genuine users, firmly establishing that they are who they say they are and letting them get on with their online journey.

Methods such as passive behavioral authentication also give banks and merchants the opportunity to reduce friction for their customers as well as reducing fraud. This in turn leads to return purchases, smoother transactions, and the personalized experience every online user is looking for.

This development further highlights the pressure on banks and businesses not only to ensure authentication is scalable and secure, but also to move beyond username, password, and SMS OTP to avoid user frustration, cart abandonment and reputational damage.

What is important here is the implementation of an industry standard to ensure that financial services are held to the same robust authentication standards across the ecosystem and that those standards are applied consistently. This ensures that, regardless of the bank a customer has opened an account with or which aggregator app they use to access it, the customer experience isn't compromised and security is ensured without impacting innovation, revenues and customer churn.

Left to solve this alone, banks, merchants and other stakeholders in the ecosystem are likely to produce their own approaches to these problems, impacting customer experience and holding back all the benefits of Open Banking.

Open Banking is the door to the future of finance, but it's a door that needs a very secure lock, and that's exactly what SCA provides.

Why adopt Open Banking without SCA?

The answer is that you shouldn’t. Open Banking is just the beginning; moving forward without security and CX in your channels means that you are opening yourself up to losing revenue and customers.