Common challenges of demonstrating Strong Customer Authentication compliance

Strong Customer Authentication (SCA) and the rules relating to account access defined by the Technical Standards on Strong Customer Authentication and Common and Secure Methods of Communication (SCA-RTS) have been in force in the UK for some time.

There is a widely accepted view across the industry that the implementation of the SCA-RTS in the UK has been a resounding success, with minimal disruption to consumers; and multiple measures indicating positive outcomes have been achieved since implementation. The positive impact of the SCA- RTS can be easily seen from latest market data, which shows that card losses are on the decline after having reached a peak.

In this blog, I would like to share a few observations from working with several firms on this area of compliance.

As the industry has now firmly transitioned into a business as usual (BAU) world, PSPs need to be cognisant and prepared for their obligations under Article 3 of the SCA-RTS, namely, to undertake an “audit” of their SCA-RTS compliance arrangements on a periodic basis with additional requirements on PSPs making use of the Article 18 Transaction Risk Analysis (TRA) exemption.

Where the latter applies, PSPs must review the methodology, the model and the reported fraud rates annually by an “operationally independent” auditor with expertise in IT security and payments regulation and every three years by an independent external auditor.

For those who need an acronym to facilitate memorisation (like me), I will use the word SMART to summarise the key features from our experience of successful SCA-RTS compliance.

Many PSPs delivered the SCA-RTS requirements for their organisation through specific programmes dedicated to the achievement of compliance and change management. Some programmes had many workstreams which operated in a very siloed manner, staffed by technical specialists. These programmes and their accompanying teams were naturally stood down post implementation. By consequence, we frequently observe instances of limited transfer of knowledge and technical understanding between project and BAU teams. Taking a systematic approach in this regard is fundamental to ensure ongoing knowledge and technical expertise is maintained.

We have observed that during our reviews, firms who have not enabled knowledge transfer/retention are unable to answer key questions on approach and rationale for decisions made during SCA implementation. For instance, we often observe firms struggling to objectively articulate why some of their digital service channel functionalities are not subject to SCA checks even when those could be perceived as “actions carried out through a remote channel which may imply a risk of payment fraud or other abuses”.

Whilst the SCA-RTS states that PSPs can undertake the mandated “audits” internally by an operationally independent auditor with expertise in IT security and payments, our experience has shown that there is a knowledge gap in many organisations. This being the case, we have observed some PSPs involving their internal audit functions in a shadowing capacity, whilst we (KPMG) have been undertaking our reviews to, in effect, upskill their colleagues.

As is natural for PSPs, there are many processes/solutions/platforms which are delivered by third parties on their behalf. Examples can include, relying on a technical service provider to perform behavioural biometric authentication or even third-party technologies for fingerprint or Face ID.

What is important for PSPs to remember is that, as the regulated entity, it is their obligation to ensure that they are compliant with SCA-RTS requirements. We frequently observe that many firms are unable to articulate and evidence how third-party solutions work in practice and support compliance with the underpinning rules. Many firms do not hold documentation on solutions provided by third parties on their behalf, leading to adverse findings when they are unable to obtain technical documentation confirming compliance.

I will explain in more detail the role of a comprehensive evidential framework, but for the moment I would like to emphasise the importance of maintaining detailed video records or similar evidence, such as screen shots, of in-scope digital service journeys to demonstrate compliance. 

Take the example of card-not-present journeys. Unless card issuers are prepared to provide live demonstrations/screenshots of all possible journeys, having regard to all digital service channels, possible combinations in terms of authentication elements and in-scope exemptions, a compliance review will only be able to confirm compliance by design. In other words, video recordings/screen shots are of higher evidential value as these enable an end-to-end view of test scenarios.

In undertaking reviews at various PSPs, another common theme is the lack of comprehensiveness of written narrative that PSPs can provide to demonstrate compliance with all the articles of the SCA- RTS.

We have often observed instances where firms have not articulated the applicability of each Article of the SCA-RTS at a sub-paragraph level, across each product and digital service channel in scope. On top of that, many firms were only able to provide narrative suggesting compliance by design, with insufficient supporting evidence.

A simple example of this is PSPs being unable to evidence how they comply with Article 16 Low-value transactions (LVT) exemption. Demonstrating how the LVT thresholds are coded into the authorisations systems, provides a view of being compliant by design but does not show whether that control is operating effectively. Some of the better examples by which PSPs were able to evidence their compliance consisted of providing transactions processed within a set period to demonstrate the LVT threshold not being breached and the cumulative count working as intended.

Whilst the above insights are not exhaustive, applying these good practices will assist your firm in experiencing a more efficient and effective annual review, potentially reducing costs and resource commitments, whilst enabling effective knowledge transfer.

Our experience within this space is very comprehensive and we work collaboratively with our clients to share our industry insights and good practices.

If you would like to discuss how you might implement some of these insights in your firm, discuss other matters related to SCA-RTS compliance and/or how we can support your annual obligations, please don’t hesitate to contact us.

We held an SCA-RTS webinar in February 2024, where we delved deeper into the topic. Key takeaways and on-demand recording are available here.