UK Consumers Not Happy with PSD2 Fraud Rules

Written by

UK consumers could undermine attempts by EU regulators to improve fraud screening, according to a new survey from FICO.

The predictive analytics firm polled 500 consumers in the UK, Germany, Spain and Sweden to better understand their attitudes to the new PSD2 banking regulations.

A key part of these rules is a new requirement on banks, card issuers and payment service providers (PSPs) to enforce so-called Strong Customer Authentication (SCA). This means that when a user comes to pay for something online, they will be challenged with an extra two-factor authentication step.

However, just half (53%) of UK consumers polled said they would give their bank their mobile number. This is necessary to support the one-time passcode systems that many lenders may choose to comply with SCA.

Among the reasons they gave were that it’s “not secure or intelligent,” would be too complicated, others could access it and that there’s poor mobile coverage where they are.

Nearly 70% said they think there’s already enough or too many security checks on card payments.

Consumers are certainly right to be wary of this kind of 2FA. Hackers have grown increasingly adept at circumventing security by intercepting one-time codes sent by SMS. This happened to Reddit administrators last August, allowing attackers to compromise staff accounts en route to sensitive customer data.

The FICO poll’s findings seem to suggest that pushing customers into choosing a particular authentication method could be a mistake.

“While it is true that the majority would comply in providing their mobile phone, those that choose a different course of action could have a considerable negative impact on the business,” the firm argued. “A successful SCA strategy should allow customers choice whenever possible and shouldn’t deprive them of service if they are unable or unwilling to adopt a particular method.”

However, not all transactions have to be covered by SCA. Exemptions apply for those under €30, recurring transactions,and those deemed “low risk,” among other types.

Another option would therefore be to invest in sophisticated fraud prevention tools which can monitor and report on transaction risk levels, screening each one to minimize the number of times customers must go through SCA.  

This is the Holy Grail for banks, PSPs and merchants: delivering low friction and fraud and maximizing sales in the process.

The new SCA rules take effect in September this year.

What’s hot on Infosecurity Magazine?