May 1, 2020

The Financial Conduct Authority (FCA) in the UK has extended the deadline for implementation of Strong Customer Authentication (SCA) rules by six months. The deadline is now 14 September 2021.



Other regulators across Europe are expected to make similar moves.



From 14 September 2021, financial institutions must ensure that customers are completing SCA before they carry out online processes, as set out in the EU Revised Directive on Payment Services (PSD2).



These processes include:



  • Accessing a bank account online


  • Making an electronic transaction


  • Carrying out any activity online that might come with a fraud risk




What is Strong Customer Authentication?



Strong Customer Authentication is the process required by banks and electronic payment providers to verify the identity of their customers online. These rules were introduced in 2019 and aim to enhance security and prevent fraud. SCA does not just apply to banks: the entire e-commerce industry must comply by the 14th September 2021, too.



But how does it actually work?



Strong Customer Authentication means that payment service providers must require customers to use a multi-factor authentication process for payments and verifying their identity online.



Multi-factor authentication requires two or more of the following elements:



  • Knowledge: something only the user knows – eg, a password or PIN


  • Possession: something only the user possesses – eg, a mobile handset or token


  • Inherence: something the user is – eg, a biometric




The two factors also need to be independent of each other. For example, if a customer authenticates via voice on their mobile phone as the first factor, and then the bank sends a one-time password (OTP) to that same device for the second factor, this could potentially present a risk. The two factors use the same channel or band, so if that channel—in this case the mobile phone—had been compromised, both the instruction and the security verification are being sent to an individual who now controls the compromised device. This must be avoided according to the recommendations.

Strong Customer Authentication: Usability vs Security



Did you know, half of consumers have abandoned online transactions?



The challenge for banks is selecting the right balance of security with ease of use. Security is critical, but if systems are hard to access then banks face higher drop-off rates, increased loss of customers to competitors, and the brand impact of being seen as difficult to use.



Drop-off rates and loss of customers are very real concerns. A recent iProov study found that almost half of consumers in the US and UK have abandoned an online purchase because the security process took too long—and those aged 18-44 are more likely to have done so.



With iProov, Strong Customer Authentication is automated, fast, simple, and secure. We work with organizations such as online-only challenger bank Knab to provide SCA to its 500,000+ customers. All customers that open an account with Knab are authenticated by iProov’s cloud-based, device-independent face biometric technology.



Knab bank uses iProov authentication (Something a person is) along with a PIN (something the person knows) as part of their process to comply with SCA requirements and other regulations such as Know Your Customer (KYC). You can read more about iProov’s work with Knab here.



The iProov facial biometric authentication can replace passwords, or it can be used as the second factor as detailed in the two examples below.

How to enable Strong Customer Authentication (SCA) on mobile devices





  • A customer would begin the sign-in process to their bank account.


  • They provide a password for the first-factor authentication (something they know).


  • They then effortlessly iProov themselves for a strong second factor (something they are). The customer simply holds their device in front of their face and a colored illumination provides Dynamic Liveness – that is, confirming they are the right person, a real person, and authenticating right now. The illumination ceremony also acts as a reassurance to the customer that their security is being protected.




How to simplify Strong Customer Authentication (SCA) on web browsers



iProov Web offers the significant advantage of allowing strong customer authentication to be completed on a desktop or laptop without the need for a mobile device.



  • A customer would begin the sign-in process to their bank account on a desktop, laptop, or other device using a web browser


  • They provide a password for the first-factor authentication (something they know)


  • They then effortlessly iProov themselves for the second factor (something they are) using the camera on their laptop. A colored illumination provides Dynamic Liveness—that is, they are the right person, a real person, and authenticating right now.




For more information on how banks are using iProov for Strong Customer Authentication, please visit iProov.com or contact us at enquiries@iproov.com