The EU regulation causing your finance apps to drive you mad (part 2)
In her latest column for Forbes, 11:FS Head of Research Sarah Kocianski examines the new set of authentication procedures and how they are being implemented by UK banks.
In my previous post I outlined what new European rules known as Strong Customer Authentication (SCA) are, and how different financial services firms in the UK are responding to its introduction. I covered the frequency with which you have to authenticate, or re-authenticate, yourself and outlined what might happen as SCA for online purchases rolls out.
Here, I’ll go into more detail regarding how SCA, and other changes to authentication procedures that are happening simultaneously, are being implemented by banks, their impact on purchase journeys and some suggestions for providers as to how to minimise the changes’ impacts.
What’s clear is that, whatever issuers have decided, the changes to authentication procedures are starting to introduce friction to user journeys and cause confusion.
The levels of customer inconvenience and confusion are not, however, a given. They can be reduced by the way issuers tackle two key elements: the methods by which issuers enable you to authenticate yourself for online purchases, and how they communicate the changes.
Methods of authentication
The European Banking Authority (EBA) has issued a long list of compliant methods of authentication for each factor (summarised below) giving issuers a plethora of options to choose from as they design their user journeys.
Online purchases
The original deadline for SCA implementation was September 2019; however, the EBA has since extended it after it became apparent that the industry was nowhere near ready. Off the back of that extension, the UK’s regulator, the Financial Conduct Authority (FCA), has given firms until March 2021 before it starts enforcement action.
However, some issuers have already started bolstering authentication for online purchases and many have gone down the route of introducing a smartphone element into the 3D secure (3DS) process.
In most cases, you either receive a code via SMS or have to generate one within your mobile app. In both cases you then have to enter the code into the merchant’s website to finalise your purchase.
A note on the latter method: it’s a marked improvement on the previous iteration which, as you may be unlucky enough to remember, required inserting your bank card into a physical card reader to generate a code, which was then entered into the website.
This was unpopular, largely because while you can be expected to have your bank card and phone with you, expecting you to remember a small plastic, calculator-like device was considered unreasonable by many. It should be noted that some banks still use said devices…
Another version of app-based verification is to send a push notification informing you of the merchant and the amount your card is being charged for, and asking if you want to approve it either via biometrics or PIN.
Issuers typically offer a selection of these methods. Most have also included an alternative for those who don’t wish to hand over their mobile number, don’t have a smartphone or have a disability which prevents them from reading a code.
One such alternative is an automated call to your landline, which delivers a code by automated voice that you then enter into the website. What has not yet been widely addressed is how to enable customers who cannot enter a code into a website (e.g. due to restricted mobility) to authenticate themselves.
But a few providers made missteps in offering ONLY smartphone-based authentication methods. Santander generated most of the headlines, largely because it is the best-known brand, but mobile-only neobanks Monzo and Starling also went down this route.
These banks, and any others that have limited their authentication options to mobile, will need to provide additional options before enforcement starts. If they don’t, they will end up preventing sections of their customers from making online purchases and undoubtedly garnering unflattering headlines in the process.
Contactless payments
Far easier to understand is the authentication process for contactless payments — you have to enter your PIN to authenticate the payment once certain criteria have been met (as outlined in my previous blog). What is not simple is ensuring you know WHY you are being prompted to enter a PIN, especially in regions where contactless has become the primary way of paying in store.
Confused Communication
There are multiple methods for fintechs and banks to communicate with customers. The trick is ensuring they use the right combination of those methods to ensure the most customers understand the key information.
Blogs, tweets, videos and SMS were all deployed in various providers’ campaigns, but email was by far the most commonly used method of communication. However, the tone and language of the email content varied dramatically. Some providers also had the challenge of explaining changes to the way in which customers could log in to their banking apps (again, the result of regulatory change).
As a rule, digital-only banks, which have established a track record of clarity and transparency, did well by telling customers a) what they would have to do and b) why, in as few words as possible.
Additionally, the subject line of one bank’s email was “We’re making your account more secure”, which encouraged customers to open the email and set the tone that, despite the inconvenience, the changes really are in the customers’ best interests.
On the incumbents’ side the success of SCA communications is likely to have been more limited. We tend to be less engaged with these banks, and frustrated after years of receiving irrelevant marketing emails, while the language and tone typically leaves a lot to be desired.
In one example, a UK bank front-loaded the email with context about fraud levels — at which point a number of customers will likely have stopped reading, on the principle that they already know all this. It then told customers that unless they used their app to generate a code, they would only be able to access a reduced service. Further, password and memorable data login options would be discontinued from the following week.
This message has a number of flaws:
- It assumes you know how to generate said code
- It fails to give context as to why only a reduced service would be available, or what that reduced service would look like
- It can cause panic by stating you can’t use existing methods of login in just 7 days — this assumes people read their emails, and action them, daily
- It doesn’t include information about the wider changes driven by regulation (for online payments this would involve using the code generation method as well)
Communication of changing rules at the point of sale
Despite providers’ best efforts to inform you in advance of the changes, there will invariably be those who have missed the memo and the first experience of new authentication rules will be at the point at which you want to make a purchase.
Online payments
After March 2021, for online payments where the merchant has implemented SCA, this is less likely to be an issue as most people will have experienced 3DS in some form. Problems are more likely to arise if merchants have failed to incorporate the issuers’ SCA compliant processes into their own payment flows. At that point you will start experiencing payment declines and many people will fail to understand why.
Contactless payments
In terms of contactless payments, when a transaction is declined, some providers are already issuing push notifications offering extra information. These typically state:
- The payment has been declined
- The customer should try inserting their card and entering their PIN
For those of us who are used to a digital-only bank that communicates with us every time we make a purchase, this might not alleviate annoyance, but it will at least help us regain a feeling of control by helping us understand the situation. However, most people will either not receive notifications, or will not connect their phone vibrating with the transaction they have just attempted.
In another attempt to counter this lack of widespread customer information, some merchants which are aware of the rollout are training staff to explain what’s going on to confused customers. Others are adding messaging to checkout terminals asking customers to try inserting their card if a contactless transaction is declined. And some point-of-sale terminal manufacturers are adding similar messaging to their digital displays. However, these scenarios are far from widespread.
That means that for many of us all we will see is that the card has been declined. Generally speaking, we are unlikely to try the same card again in such a situation — for fear of embarrassment, holding up the queue or a plethora of other reasons. Instead, we tend to use a different card from a so-called “secondary account” that is used less frequently and therefore more likely to be accepted.
If, the next time you use the first card, you don’t enter a PIN (which you are unlikely to do unless the purchase is over the contactless limit of £30) and the card is again declined without context, you will probably get in touch with your bank and ask what is going on. Anecdotally, this is already happening, and it is clogging up providers’ customer service channels.
So how do we minimise the upset?
Those of us who work in the industry or read posts like this have a head start in understanding what is going on, but to the general public it can seem baffling. At this stage, given the mixture of processes in place, the speed of change, the poor communication from issuers and the poor understanding by merchants (that’s a subject for another day) it is highly unlikely to be their fault if they struggle to understand the situation. So it’s up to providers, for now, to follow some simple steps to ensure any changes they implement minimise disruption:
- Ensure a diversity of authentication methods that meet a multitude of needs and situations, and don’t assume everyone has a smartphone!
- Communicate with customers using their preferred channels, and use language that is as simple as possible
- Include a wide range of communication methods, including in-app notifications
- Conduct merchant outreach so that sales staff know what is going on, and if possible offer in-store signage