The FCA (Financial Conduct Authority) has removed the 90-day re-authentication requirement for customers to access bank account data under the Open Banking rules. The rule required customers to re-authenticate their credentials every 3 months, which resulted in high drop-out rates. This is no doubt a great relief for providers looking to reduce friction in their customers’ experience. Although customers will still be asked whether they wish data-sharing to continue, that prompt is far less time-consuming and obnoxious than having to re-authenticate so often.
Let’s break it down…
Open Banking is the practice of enabling third-party financial service providers to build services on top of banks through open APIs. For example, a digital wallet would be a Third-Party Provider (TPP): the user connects their bank account to it and manages payments and transactions through the wallet.
When a customer connects to a TPP, such as a digital wallet, they need to give the TPP permission to access, use and store their data. To do this, the customer must provide explicit consent for the TPP to be authenticated with their chosen financial institution, such as their bank. The financial institution then grants the TPP access to the account, and the TPP is able to securely share that information with the consumer’s chosen fintech provider.
Authorities wanted to make sure consumers were always aware that their data was being shared, and so the 90-day rule was born. However, instead of simply asking the customer to confirm their consent, the rule stopped the service unless the customer re-authenticated their credentials. This clearly resulted in unfriendly, friction-filled user experiences and high drop-out rates. Hence the latest and very welcome change: the re-authentication rule is removed, and only the re-authorization prompt remains, which quickly reminds the customer that data-sharing is taking place.
Hurray for less friction, but what about fraud?
As great as removing this interruption is, we cannot turn away from the level of risk it implies, as it leaves a door open for fraudsters to walk through. The customer is at the center of this, and providing a frictionless experience should not compromise their security.
Fraudsters today use sophisticated multi-layered attacks to access people’s credentials and identities, through phishing, malware, emulators, and other social engineering techniques to name a few. Once they have these, they can move on to Account Takeover fraud, New Account fraud, or even Cross-bank fraud, resulting in trust and money loss.
So how do we provide the right balance of a friendly user experience and fraud prevention? As we’ve learned, adding more friction through extra layers of authentication is not the answer, so the best way to mitigate this is by finding a fraud prevention solution that can protect customers even if their credentials have been stolen.
With Paygilant’s fraud prevention technology these situations would be avoided, as it is a holistic solution designed specifically to combat fraud from every angle. This means we can ensure that only legitimate users have given their consent, rather than fraudsters who have managed to take over the account or identity. With its fintech approach and mobile-first technology, it accurately detects fraud and enables a frictionless user experience from app launch to ongoing transactions, operating seamlessly in real time and responding in milliseconds. So now you know it does exist: fraud prevention and a seamless, frictionless user experience, all in one.
Image: Background vector created by starline – www.freepik.com (https://www.freepik.com/vectors/background)