The Invisible Threat to Open Banking: Why SCA Regulations Need an Overhaul

Originally in Computer Business Review For Open Banking’s first birthday (January 13, 2019), many people stopped to reflect on the regulatory state of play. How far have we come? Are we succeeding in our mission to democratise banking and remove friction for the end user? Open Banking was introduced to change and improve how consumers bank. But what’s become evident is that – while Application Programming Interfaces (APIs) have become integrated to enhance user experience – some glaring issues related to the Second Payment Services Directive (PSD2) have also appeared, threatening not only to inconvenience consumers and put banks at risk, but to tear down the entire Open Banking ecosystem we’re working so hard to develop.

A Regulatory Quagmire for FinTech

While the promise of Open Banking remains enormous, and innovation continues to expand into its second year, Strong Consumer Authentication (SCA) standards hang ominously in the distance, threatening to unravel all the good work that Open Banking has put in place to date. We believe the threats to the system can be broken down into three groups: unilateral implementation by banks; consumer fatigue of authentication; and the risk to consumer data.

Unilateral implementation by banks

The first challenge facing SCA is the unilateral application by banks across accounts, regardless of whether they’re PSD2 regulated or the type of activity requiring access to the account. Right now, only payment accounts need to apply SCA standards, and the European Banking Authority (EBA) saysthat such “security measures should be compatible with the level of risk involved in the payment service”. While it may seem transparent and secure to apply SCA across accounts, if these standards are applied to all read-only access to savings, individual savings accounts (ISAs), and loans, customers may soon experience significant friction across their banking journeys. I know banks often get bad press and are looking for ways to interact more transparently and instantaneously with their customers, but in this case, the simplest solution really is the best. If banks overcomplicate things, I believe they’ll inadvertently increase their risk of fraud as customers may choose whatever gets them online fastest.

Consumer fatigue of authentication

As they stand, SCA regulations mean that consumers must be present for each point of data access, regardless of whether they’ve previously given authorisation or not. In this way, SCA is disconnecting consumers from the tools Open Banking had made necessary, without giving any added uplift in protection. PSD2 also mandates that, every 90 days, consumers must reauthenticate each Account Information Service Provider (AISP) they’ve allowed access to their financial data. This is yet another clunky link in the chain of Open Banking.

Open Banking was meant to provide an efficient, user-friendly service but this will be far from reality if the SCA is implemented as currently scoped. We should consider Open Banking in the context of General Data Protection Regulation (GDPR). While consumer consent fatigue remains strong, it’s important to remember that ultimately GDPR can help consumer awareness in tandem with Open Banking, which is allowing consumers to safely share their data with third party providers (TPPs). If these regulations act as they should and ensure that only the approved data is being shared with the approved providers, why then should consumers consistently need to reauthenticate connections with trusted providers?

Risk to consumer data

The threats posed by SCA’s implementation go beyond User Experience (UX) disruption. Most worryingly, such implementation has the potential to disrupt, and even dismantle Open Banking as we know it. By making the consumer journey so tiresome, SCA could lead consumers to take counterproductive actions that put their data at risk, such as creating one password across accounts. This makes financial data inherently less secure, because if one account is accessed, it makes it easier for hackers and fraudsters to get into other accounts as well. Because SCA regulations are likely to be applied unilaterally across accounts, it’s entirely possible that the 69% of the UK population accessing banking services online could be affected by this issue, and therefore susceptible to fraud. Most recently, a data breach from password flaws left 2.7 billion customer records at risk. Companies can start to fix this particular problem by making consumers aware of the issue and instituting various levels of authentication for various functions within their banking experience. For example, viewing your balance should not require the same level of security as making a transaction. This nuance is an important one; as banks begin to roll out SCA, step-up authentication needs to be considered seriously as a viable alternative.

Reassessing a ‘One Size Fits All’ Approach

Medical professionals abide by the Hippocratic Oath to ‘do no harm’ and we as financial professionals and technologists must just as rigidly adhere to PSD2’s original objective to protect the end consumer. Open Banking promised to ensure that consumers would be able to safely and securely share their data, to make their financial lives more integrated and manageable. We must continue to fight for this reality, despite the challenges that arise along the way. Some are already doing this, but despite the efforts of individual companies to raise these issues, no progress has been made. That’s why we’re taking it upon ourselves to unite affected companies to affect change in two ways: by working with the Financial Conduct Authority (FCA) to stop to the unilateral integration of SCA regulations, and to raise consumer awareness so that end users can take necessary steps to protect themselves and their financial identities. The FCA has the power to halt the wholesale implementation of SCA, and by doing so give companies more time to get customer accounts organised. At the end of the day, the main concern around SCA is consumer protection, and ensuring they have the tools they need to make the best financial decisions possible. This issue is a highly important and urgent one, as the SCA is set to go live in September 2019. If left unaddressed, it is my belief that consumers will be faced with less innovative financial tools, less competition within the banking ecosystem, and ultimately, poorer financial health.