Strong Customer Authentication (SCA) and the rules relating to account access defined by the Technical Standards on Strong Customer Authentication and Common and Secure Methods of Communication (SCA-RTS) have been in force in the UK for some time.
There is a widely accepted view across the industry that the implementation of the SCA-RTS in the UK has been a resounding success, with minimal disruption to consumers, and multiple measures indicate that positive outcomes have been achieved since implementation. The positive impact of the SCA-RTS can be seen clearly in the latest market data, which shows that card losses are declining after having reached a peak.
In this blog, I would like to share a few observations from working with several firms on this area of compliance.
Regulatory driven annual “audit” obligations
As the industry has now firmly transitioned into a business as usual (BAU) world, PSPs need to be cognisant of and prepared for their obligations under Article 3 of the SCA-RTS, namely to undertake an “audit” of their SCA-RTS compliance arrangements on a periodic basis, with additional requirements for PSPs making use of the Article 18 Transaction Risk Analysis (TRA) exemption.
Where the latter applies, PSPs must have the methodology, the model and the reported fraud rates reviewed annually by an “operationally independent” auditor with expertise in IT security and payments regulation, and every three years by an independent external auditor.
SMART: the key features of successful SCA-RTS compliance programmes
For those who need an acronym to facilitate memorisation (like me), I will use the word SMART to summarise the key features from our experience of successful SCA-RTS compliance.
Systematic decision-making rationale
Many PSPs delivered the SCA-RTS requirements for their organisation through specific programmes dedicated to the achievement of compliance and change management. Some programmes had many workstreams which operated in a very siloed manner, staffed by technical specialists. These programmes and their accompanying teams were naturally stood down post implementation. As a consequence, we frequently observe instances of limited transfer of knowledge and technical understanding between project and BAU teams. Taking a systematic approach in this regard is fundamental to ensuring that ongoing knowledge and technical expertise are maintained.
We have observed during our reviews that firms which have not enabled knowledge transfer and retention are unable to answer key questions on the approach and rationale for decisions made during SCA implementation. For instance, we often observe firms struggling to objectively articulate why some of their digital service channel functionalities are not subject to SCA checks, even when those could be perceived as “actions carried out through a remote channel which may imply a risk of payment fraud or other abuses”.
Maximising value from experienced advisors
Whilst the SCA-RTS states that PSPs can undertake the mandated “audits” internally through an operationally independent auditor with expertise in IT security and payments, our experience has shown that there is a knowledge gap in many organisations. This being the case, we have observed some PSPs involving their internal audit functions in a shadowing capacity whilst we (KPMG) have been undertaking our reviews, in effect to upskill their colleagues.