Guest bloggers Philip Cooney and Gaurav Bansal explore the pain points around PSD2 and how banks are trying to reduce friction for their customers.
A few weeks ago, I (Phil) submitted my weekly grocery order and set off to meet a friend for dinner. I expected to hear no more about it until my order arrived. But I was wrong.
As I reached the restaurant, I was greeted both by my friend and an alert on my phone. It turned out to be a new step in the ordering process—involving me entering a one-time verification code texted by my bank. Frazzled but unbowed, I entered the code.
But there was more. After dinner I used my card to pay for the meal, but the payment didn’t go through. My phone sounded again with a notification requesting verification. What was going on? And then I remembered the PSD2 project my colleagues were working on.
What PSD2 means for you
If you’re wondering what PSD2 is, here’s a quick explanation: it stands for “Payment Services Directive 2”, a Europe-wide banking directive introduced on 14 September 2019. The aim was to improve customer rights and protection against fraud, while boosting competition by requiring banks to allow third-party payment service providers (TPPs) to access their customers’ bank data and initiate payments for them—provided the customer gives permission first.
In theory, this should translate into a positive experience for customers. But, as I discovered, some of the changes can introduce friction. And the reason is the various checks that need to be carried out to protect people.
First, fraud checks. PSD2 says all transactions must be reviewed for fraud and that banks must build a “360-degree” profile of users. If a user logs into internet banking from an IP address in Dublin, and seconds later uses a credit card to make a payment in North America, the bank’s systems should spot the anomaly and block the payment for investigation. While this adds more safety, it can also add friction for the customer—especially if it’s a weekend and they don’t have an alternative means of payment.
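The Dublin-then-North-America anomaly described above can be expressed as a velocity check between two events on the same customer profile. This is an added example, not code from the blog or from any bank; the speed ceiling, the geolocation tolerance, the event fields and the sample coordinates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling, roughly airliner cruising speed
SAME_PLACE_KM = 50.0        # assumed tolerance for IP-geolocation error


@dataclass(frozen=True)
class Event:
    channel: str    # "internet_banking_login" or "card_payment"
    when: datetime
    lat: float      # location already resolved from IP or merchant (assumed)
    lon: float


def distance_km(a: Event, b: Event) -> float:
    """Great-circle (haversine) distance between two events."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))


def review_payment(previous: Event, payment: Event) -> str:
    """Block when the customer could not have travelled between the events."""
    dist = distance_km(previous, payment)
    if dist <= SAME_PLACE_KM:
        return "ALLOW"
    hours = abs((payment.when - previous.when).total_seconds()) / 3600
    # Zero elapsed time at two distant places is itself the anomaly.
    if hours == 0 or dist / hours > MAX_PLAUSIBLE_KMH:
        return "BLOCK_FOR_INVESTIGATION"
    return "ALLOW"


# Constructed sample events: a login in Dublin, then three candidate payments.
T0 = datetime(2019, 10, 5, 19, 0, 0)
LOGIN = Event("internet_banking_login", T0, 53.35, -6.26)            # Dublin
PAY_NA = Event("card_payment", T0 + timedelta(seconds=20), 40.71, -74.01)  # New York
PAY_LOCAL = Event("card_payment", T0 + timedelta(seconds=20), 53.34, -6.27)
PAY_LATER = Event("card_payment", T0 + timedelta(hours=10), 40.71, -74.01)

if __name__ == "__main__":
    for p in (PAY_NA, PAY_LOCAL, PAY_LATER):
        print(p.when, round(distance_km(LOGIN, p)), "km", review_payment(LOGIN, p))
```

The third sample shows where the friction comes from: the same payment ten hours later is plausible travel, so where the speed ceiling and tolerance are set decides how many genuine customers get blocked.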
Another aspect of fraud prevention under PSD2 is authentication checks. For online transactions above €30, banks must carry out Secure Customer Authentication (SCA)—which involves verifying the user’s identity using two-factor authentication (2FA) from three elements:
- Knowledge: something the user knows—such as a PIN, password or date of birth
- Possession: something the user has—like a phone or token
- Inherence: something the user is—such as a thumbprint, facial recognition or voice recognition
The combination of password (knowledge) and one-time password via SMS (possession) used in my grocery order is a basic example of 2FA. As well as adding friction, SCA can even result in users being locked out of transactions for reasons beyond their control—such as losing or forgetting their mobile phone.
The final source of friction under PSD2 is non-standard journeys. It’s up to each bank to decide on the number of steps to complete a transaction and the method of SCA used. So customers with multiple banks will experience different customer journeys.
Steps to reduce friction
While fraud checks will generally be invisible to the customer, SCA is something that directly impacts them. So banks are using several tools to reduce the resulting friction:
- Many banks and card issuers have embarked on customer education to explain PSD2 and SCA. Examples include this video from Allied Irish Bank and infographic from Visa.
- With fraud checks, banks are analysing “false hits” to fine-tune the rules they use and eventually reduce the number of transactions blocked.
- For SCA, banks have the option to build in exemptions—for example, choosing not to invoke SCA if the payer has stored the payee as a trusted recipient. Banks are also trying to implement SCA seamlessly by merging 2FA into a single step. Here, N26 explains how it did this.
- Finally, there are moves towards a common customer journey. For example, most banks in the UK and Ireland have aligned their customer experience with UK Open Banking Implementation Entity (OBIE) standards.
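The sketch below ties together the €30 threshold and the three elements described earlier with the trusted-recipient exemption from the list above. It is an added example, not any bank's implementation; the factor names, payee names and return labels are assumptions. It shows why a password plus a PIN does not count as 2FA: both are knowledge.

```python
from decimal import Decimal

SCA_THRESHOLD_EUR = Decimal("30")  # the page: online transactions above EUR 30

# Factor names are illustrative; the three elements are the ones the page lists.
ELEMENT_OF = {
    "pin": "knowledge", "password": "knowledge", "date_of_birth": "knowledge",
    "phone": "possession", "token": "possession", "sms_otp": "possession",
    "thumbprint": "inherence", "face": "inherence", "voice": "inherence",
}


def sca_required(amount_eur, payee, trusted_payees, use_exemption=True):
    """SCA applies above the threshold unless the bank exempts a trusted payee."""
    if Decimal(str(amount_eur)) <= SCA_THRESHOLD_EUR:
        return False
    if use_exemption and payee in trusted_payees:
        return False
    return True


def sca_satisfied(verified_factors):
    """True only if the verified factors span two different elements."""
    elements = {ELEMENT_OF[f] for f in verified_factors if f in ELEMENT_OF}
    return len(elements) >= 2   # unknown factor names never count


def authorise(amount_eur, payee, trusted_payees, verified_factors,
              use_exemption=True):
    """Decide whether a payment goes through, with or without an SCA step."""
    if not sca_required(amount_eur, payee, trusted_payees, use_exemption):
        return "APPROVED_WITHOUT_SCA"
    if sca_satisfied(verified_factors):
        return "APPROVED_WITH_SCA"
    return "CHALLENGE_REQUIRED"


if __name__ == "__main__":
    trusted = {"grocer.example"}  # constructed payee names
    print(authorise("82.40", "grocer.example", set(), ["password", "sms_otp"]))
    print(authorise("82.40", "grocer.example", set(), ["password", "pin"]))
    print(authorise("82.40", "grocer.example", trusted, []))
    print(authorise("30.00", "cafe.example", set(), []))
```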
When a payment takes twice as long, it’s easy to forget that PSD2 was created to benefit us, the consumers. But banks are doing their best to ease the transition and reduce friction. As PSD2 becomes ever more embedded in the services we use, we’ll get to a stage where we welcome the higher security—and wonder what the fuss was all about. To find out more, read our report on the PSD2 customer journey.