May June 2021

Banking Technology

Open Banking without Strong Customer Authentication creates bad customer experience and leaves banks vulnerable. So why adopt one without the other? An opinion piece by Ali Chamseddine, Head of Payments Strategy at Callsign

Regulators around the world are implementing various incarnations of Open Banking with the goal of changing how payments are made in their regions. They are looking for faster, cheaper, and simpler payments internationally, and they are trying to stimulate innovation to achieve this through Open Banking. Where previously banks only allowed their customers to see their accounts through the bank's own website or mobile app, Open Banking now forces banks to make this data available to any aggregator that connects to it, giving consumers control over their data and their finances. This has allowed a wealth of new banks, services, and ecosystems to emerge around payments, in turn giving consumers greater choice of financial service providers.

In Europe, Open Banking launched a payment directive alongside authentication regulations, specifically Strong Customer Authentication (SCA). We are now seeing the start of Open Banking initiatives in several GCC countries. Bahrain leads the charge, with every bank opening up its application programming interfaces (APIs) and making customer data completely available. The Saudi Arabian Monetary Authority (SAMA) has introduced an Open Banking policy to advance innovation in the sector, planned to go live in 2022; and in the UAE, Emirates NBD has partnered to develop a cloud-based, gamified Open Banking sandbox to enable developers and FinTechs to innovate, build and publish API applications.

MEABUSINESS

However, except for Bahrain, regulators have not yet stepped in to shape this movement. Why does this matter? It matters for two reasons: without a consistent approach to SCA, both the security and the usability of the entire ecosystem are compromised. Although Open Banking is undeniably a positive move for both consumers and financial institutions, it potentially opens thousands of unsecured digital channels. Open Banking journeys are orchestrated through redirect flows, where users are returned to their bank login page or banking app to authenticate and authorize access to account information or initiate a payment. This impacts both the web and mobile channels that banks own and those they don't control, such as aggregator applications and outbound channels where money is spent with merchants and a card isn't present.

As financial services across the UK and mainland Europe found from experience, the redirected customer journey and traditional authentication methods such as usernames and passwords negatively impacted the user experience and are open to compromise. However, the regulators stepped in to drive Open Banking momentum by introducing SCA to protect consumers and enhance security and customer experience. The European Banking Authority stipulated that when a customer accesses their payment account online or makes an electronic payment, under the SCA requirements, customers must authenticate using two factors of authentication. Issuers need to select two elements from two of the three different SCA categories:

Knowledge: something only the user knows.
Possession: something only the user possesses.
Inherence: something the user is.

The widespread use of mobile phones led to their adoption as a common authentication mechanism for transaction authorization and identity verification, typically in the form of an SMS OTP alongside a username and password. Under SCA, the use of SMS OTP is categorized as a "possession" factor, based on the possession of the SIM card associated with the respective mobile number. However, regulators in the UK have since recognized that there are issues with OTPs, such as security vulnerabilities due to SIM swap and sophisticated SMS interception attacks. OTPs deliver a poor customer experience too: a poor signal can lead to cart abandonment during a payment journey. There are also considerable cost implications for issuers, who must pay each time an SMS is sent. This can be multiple times per transaction when the SMS is not received and the customer tries repeatedly to complete their journey.

Customers want seamless payment experiences that allow them to get on with their online interactions without unnecessary friction. It is recognized by regulators that knowledge factors require customers to


May June 2021 by MEA Business - Issuu