EBA guidelines, it’s all a balancing act

The implementation date for the European Banking Authority’s (EBA) latest guidelines on better protection of online and mobile transactions is fast approaching.

The guidelines, although not enforceable by law, are a good start that will get the whole industry thinking about how secure its current payment channels really are, especially given that online banking fraud losses rose by 48 per cent between 2013 and 2014, according to Financial Fraud Action. Banks will no longer be able to offer customers a solution simply because it is quick and easy; they are going to have to put security at the forefront of their customer engagement strategies.

However, we should not think that the EBA’s guidelines will turn everything into sunshine and dandelions for customers, nor that banks will simply rip out their existing authentication systems and replace them with new ones. There are going to be issues to overcome.

Firstly, the two-factor minimum being proposed will force many providers to re-examine their current models and to treat this as preparation for eventual legislation. Currently, a lot of banks still complete transactions with one-time passwords (OTPs), delivered either over a soft channel such as SMS or generated by a hard token (a small physical device that produces single-use codes). SMS is popular because it lets payment service providers (PSPs) and banks give customers the quick and simple solution they crave, often at no cost, since most mobile tariffs include SMS in the monthly charge. But this race between banks and PSPs to offer the quickest and simplest solution has left customers exposed, because an OTP sent by SMS is only as secure as the phone number it is sent to, and that number can be hijacked through a SIM swap, a call or message divert, or malware on the handset.

The proof is in a 2013 report from FICO, which found that card-not-present (CNP) fraud was the largest category of fraud, accounting for over £300m in losses. The banks’ focus on delivering a seamless, easy-to-use customer experience at the expense of adequate authentication was cited as the main cause.

PSPs and banks may end up asking themselves whether they should focus on offering customers the quick and simple solution or the secure one. But that is looking at it completely the wrong way. The key is striking a balance between the two, something industry professionals have argued over vehemently for quite some time without any one solution emerging as the ‘catch-all’ answer, yet.

There are simple measures that can give customers both security and usability. SIM swap checks, divert detection and location detection, for instance, are all checks that can be run automatically, for example by the contact centre, without the customer having to do anything. Using data supplied by the mobile network operators, a bank can establish the status of the device being used to make a transaction and so offer strong authentication along with peace of mind. The point of the SIM swap and divert checks is that if the number has recently been moved to a new SIM, or calls and messages are being forwarded, an OTP sent to that number may be read by an attacker rather than the customer, so the bank should not accept that SMS as a factor and should step up to another channel instead. Combined with data from the smartphone itself, such as its location, anything that looks suspicious triggers further checks, invisible to the customer, that finally decide whether the transaction is flagged as suspected fraud or not.
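The passive checks described above, as an added example that is not code from the article or from any bank or PSP: a risk decision that runs before an SMS OTP is trusted, using the three network signals the article names (recent SIM swap, active divert, device location). The operator data is a constructed in-memory table rather than a real network operator API, and the field names, the 72-hour swap window, the 200 km distance threshold and the three sample scenarios are all assumptions made for illustration.

```python
"""Passive risk checks on mobile-network data before an SMS OTP is trusted.

Added example, not code from the article or any bank/PSP. Operator data
(SIM-swap timestamp, divert flag, device location) is a constructed table;
in practice it comes from a network operator's API. Thresholds, field names
and the sample scenarios are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetworkSignals:
    """What the operator reports about the customer's number (MSISDN)."""
    last_sim_swap: Optional[datetime]   # last time the number moved to a new SIM
    call_divert_active: bool            # unconditional call/SMS forwarding on the line
    device_lat: Optional[float]         # last known handset position, if available
    device_lon: Optional[float]


@dataclass(frozen=True)
class Transaction:
    msisdn: str
    when: datetime
    lat: float                          # where the payment is being initiated
    lon: float


# Assumed thresholds: a swap inside this window, or any divert, means an SMS
# sent to the number may be read by someone other than the customer.
SIM_SWAP_WINDOW = timedelta(hours=72)
MAX_DISTANCE_KM = 200.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess(tx: Transaction, sig: NetworkSignals) -> Tuple[str, List[str]]:
    """Return (decision, reasons) without any action from the customer.

    deny_sms_otp: the SMS channel itself looks hijacked, so an OTP delivered
                  over it must not count as a factor; use another channel.
    step_up:      the channel looks fine but the context is odd; run further checks.
    allow:        nothing suspicious in the operator data.
    """
    reasons: List[str] = []
    if sig.last_sim_swap is not None and tx.when - sig.last_sim_swap < SIM_SWAP_WINDOW:
        reasons.append("sim_swap_recent")
    if sig.call_divert_active:
        reasons.append("call_divert_active")
    if sig.device_lat is None or sig.device_lon is None:
        reasons.append("device_location_unknown")
    elif haversine_km(sig.device_lat, sig.device_lon, tx.lat, tx.lon) > MAX_DISTANCE_KM:
        reasons.append("location_mismatch")

    # Channel integrity first: a swapped SIM or a divert defeats the SMS factor outright.
    if "sim_swap_recent" in reasons or "call_divert_active" in reasons:
        return "deny_sms_otp", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons


# Constructed sample data (assumed): one customer number seen in three situations.
NOW = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)
LONDON = (51.5074, -0.1278)
EDINBURGH = (55.9533, -3.1883)

SCENARIOS: Dict[str, Tuple[Transaction, NetworkSignals]] = {
    # handset a couple of km from the payment, no swap, no divert
    "legit": (Transaction("+447700900123", NOW, 51.52, -0.10),
              NetworkSignals(None, False, *LONDON)),
    # number moved to a new SIM two hours ago: classic SIM-swap precursor
    "sim_swap": (Transaction("+447700900123", NOW, 51.52, -0.10),
                 NetworkSignals(NOW - timedelta(hours=2), False, *LONDON)),
    # no swap or divert, but the handset is ~530 km from where the payment originates
    "far_away": (Transaction("+447700900123", NOW, *EDINBURGH),
                 NetworkSignals(None, False, *LONDON)),
}


def evaluate_samples() -> Dict[str, Tuple[str, List[str]]]:
    """Run assess() over the constructed scenarios."""
    return {name: assess(tx, sig) for name, (tx, sig) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in evaluate_samples().items():
        print(f"{name:9s} -> {decision:13s} {reasons}")
```

The ordering matters: a recent SIM swap or an active divert is checked before anything else, because in those cases the SMS OTP proves nothing about who is holding the phone, whereas a location mismatch alone only justifies further silent checks rather than refusing the channel.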

The EBA’s guidelines are a ‘test run’ in which leading providers can demonstrate their commitment to countering the ongoing threat of advanced fraud techniques. PSPs and banks need to retain the ease of access that has become such a key component of modern banking, but they must also take responsibility for protecting their customers. If a provider can’t do that, customers can, and will, go elsewhere.