Strong Customer Authentication

Video transcript

Thanks very much, (John). Welcome, everybody, and welcome to the third Evolving Insurance call that we have run so far this year. On this call, we'll be looking at the impact of the PSD2 regulation, particularly around SCA, or Strong Customer Authentication, and really its impact on premium collection of our card payments. As (John) kindly pointed out, you can ask questions on the platform, so please do that. We'll also give you instructions at the end how to ask questions. We know people aren't always very keen on doing that, so if you have got any questions as a follow-up to this, please get in touch with your relationship director. They'd be really happy to connect you with the right people in the Barclays group and across Barclaycard.

But to that end, without any further ado, I just wanted to introduce Paul Manktelow. Paul has worked at the Barclays group for over 10 years now and he currently sits in our Barclaycard payment solutions area really acting as a consultant to our clients looking at optimizing their payment strategies and so Paul obviously is very close to this and is going to give us a little bit of an overview to Strong Customer Authentication and its impact. So Paul, I'll hand over to you if that's OK.

Thank you, Henry, and good morning to everyone on the call today. So we thought it would be a good idea for us to be able to give an update with regards to PSD2 and more specifically, Strong Customer Authentication, also known as SCA. And as part of that, what we wanted to do was just very loosely recap on PSD2 directive, so Payment Services Directive 2, and what that means and what it entails as part of the agenda. Then we are going to recap on Strong Customer Authentication itself, what has changed, what does that mean for you as premium collection and then finally, any questions that we may have at the end.

So Payment Services Directive 2 is a very broad subject. Many of you will be close to what impact that will have on your business and it came into place on 13th of January, 2018. Amongst other elements, this has driven three key initiatives that you may be familiar with.

Firstly, payment initiation service providers, also known as PISPs, these are service providers who can initiate a payment transaction on behalf of a consumer, account information service providers, also known as AISPs, an example of these would be – an example of these would be something that enables consumers to access account information from separate bank accounts via a single portal, and Strong Customer Authentication, also known as SCA, which provide further insights on today's call.

So why was Strong Customer Authentication, SCA, introduced? Quite simply, the payments industry and consumers have been suffering an awful lot of fraud certainly over the past 10 years. There is continued fraud growth and that fraud growth has tripled since 2010.

If we cast our minds back to 2004 and the introduction of chip-and-PIN, fraudsters have really been looking at ways to be able to conduct more fraud given that the channel for them conducting fraud in a face-to-face environment has somewhat fallen away.

And fraudsters, as they will, as their nature, will move to channels that are more vulnerable, those channels that have a weaker link and with that, the significant growth of e-commerce has resulted in and directly correlates to a significant growth with fraud in the payments arena also. It's worthwhile pointing out here that 59 percent of all card fraud is in the e-commerce channel.

So what is Strong Customer Authentication? So new authentication requirements aim to reduce fraud. An EEA transaction, European Economic Area transaction, initiated by a customer is subjected to Strong Customer Authentication. Two-factor authentication will be required. So unless that is, of course, one of the exemptions could apply.

Now, only two factors of three are required here. So just to outline what the three factors could be. So one would be possession, something you have, that could be a smart device, a wearable device, a computer, laptop, et cetera, inherence, who you are, this could be a fingerprint to access a device or a mobile banking application, and knowledge, what you know, this could be a PIN number, et cetera.

So what is the response? There's a more robust measures that required to underpin the card payments. Where have we come from? Where are we now? What do we need to go to? Well, technology has allowed for more consumers to transact more often and whilst – and whilst on the move using technology such as smartphones, tablets, et cetera. Strong Customer Authentication is leveraging these technologies to secure transactions for both the consumer and the merchant.

So what's out of scope for SCA or Strong Customer Authentication? So firstly, mail order and phone order, otherwise known as MOTO. These are where transactions are placed through a call centre more often than not. Secondly, merchant-initiated transactions, more commonly known as MITs. This is where first transaction on card must be authenticated. However, after that, if flagged correctly, authentication, as such, does not need to happen. It is out of scope.

Customer and merchant have a pre-existing contractual agreement is one of the requirements for this MIT transaction to be out of scope and customer cannot be expected to be present to form the SCA on this quite obviously.

Thirdly is the one-leg out transactions. This is really where either the issuer or the acquirer resides outside of the EEA, the European Economic Area. An SCA would be only required here on a best effort basis and two examples here given. So one is where an Australian cardholder makes a purchase on a U.K. website or, secondly, a French cardholder makes a purchase on a merchant site in the U.S. Anything out of scope, it's worth noting here, could be a point of vulnerability in the future and another point of note is that 22 percent of fraud in the card-not-present space is in the MOTO environments.

So how do the exemptions work? There's several exemptions that can potentially be utilized by premium collection here in different scenarios. Not all here will apply to premium collections. Some will be more specific to certain industries. However, it's worth noting that issuers still hold the final say for all exemptions.

A couple of the ones I'm going to pull out here just for real reference on this call would be, firstly, the low value exemption. So these are transactions below €30. These are exempt for up to five consecutive transactions or an accumulated value of up to €100. That's really based on the issuer metric for how that they will be imposing this particular count and that will differ issuer by issuer, but it's certainly worth bearing in mind, with these transactions and with this particular exemption, that exemption is available, but again, it will be at the discretion of the issuer.

Recurring payments, these are a series of payments of the same value to the same merchant, such as a subscription or a premium collection that may happen on a recurring basis. So they're two that I really wanted to call out for this particular call.

What has changed? So many of you will have been in dialogue with either Barclays or your incumbent providers around Strong Customer Authentication and will have been working towards a deadline of the 14th of September. A number of you will also have made changes to comply with the regulation for the 7th – for the 14th of September. It's worthwhile stating that September the 14th still remains and is the regulatory date.

However, there have been some movements with regards to a phased rollout that's come from the FCA specifically for the U.K. This rollout is now over an 18-month period that leads us up to March 2021. Again, this is for U.K. For pan-European merchants, currently each national competent authority has set their own managed rollout or extension that the EBA, the European Banking Authority, may choose to baseline these dates in the coming weeks. On that, we'll have to wait and see what is – what comes out from the EBA.

So where does this leave us? February 2020 is the latest time for U.K. issuers to begin applying two-factor authentication to transactions deemed high-risk today, September 2020 issuer and acquirers to be operationally ready for 3DS V2.X we have there and March 2021 issuers will actively begin to decline non-secure transactions where exemptions are not applied. Got a note here and this is worth bearing in mind, being ready sooner rather than later. Merchants can limit the potential for step-up to 3DS or, more importantly, transaction declines.

So what does this mean for you? What's really important here is for premium collections to be finding the right level of balance and what we mean by that is to balance the risk of a transaction and fraud by the customer journey and acceptance rates. So really here there is an increase in opportunity to drive sales if premium collections get this absolutely right.

One of the points of note that I would like to make is that many of you on the call today will already be submitting transactions and flagging those transactions and challenging for 3D secure, so this is the current step-up process.

What is worth noting is that in the build-up to the 14th of September and even, to some degree, on certain issuers to-date as well is that a number of those transactions will be receiving what is known as passive authentication. This is where the issuer makes a risk decision based on static detail within that transaction, that level of detail within that transaction.

So to-date, there will be an element for those transactions that will be passively authenticated, but when SCA comes fully into play, it will be on an active authentication basis. This is using one of the two of three authentication methods. So what does that really mean for you and what have you experienced to-date? Well, quite simply put is that you will be measuring your conversion rates already and that will be based on basket conversion and decline measures. However, what you might not be measuring on at present, because it's very difficult for a business to be able to measure on this, is the number of transactions that are accepted, but go through as passively authenticated.

Now, this is very much likely to change and these dropouts rates change when SCA comes fully into flow and then you'll start to potentially see the number of dropouts or non-converted transactions because of the impacts of SCA.

The exemptions on offer can help you as premium collection businesses. So firstly, they can reduce transaction latency of 3D secure step-up process. They can reduce abandonment of baskets and increase those transactions – those authorized transactions coming through, therefore increasing sales. There is the ability through this process also to reduce cost and this is by using some of the exemptions or one specific exemption that we'll touch on shortly where qualifying transactions will avoid the need for 3DS verification which, in turn, reduces the associated cost of the 3DS verification that comes from the schemes.

There's potential increase in revenue, (as) we've touched on already, as a result of the above and improved customer experience, lower basket abandonment and higher customer conversion and offer a smoother, consistent customer experience. Exemptions can offer customers a consistently low friction experience.

A number of the conversations that I'm having at the moment is not necessarily to look to achieve utopia with the – with the customer experience, but quite simply, how can a merchant – how can a premium collection business look to maintain its current customer experience? And that's really important to a lot of businesses right now and they don't want to upset the balance with their customers, be it returning customers or new customers to them.

So what we'd like to do is we'd like to introduce a solution that we are bringing to market which is something that we've termed Barclaycard Transact. Now, Barclaycard Transact helps you make most of the change in payments landscape by turning PSD2 into an opportunity for your business to differentiate itself from the competition. Increasing sales is vital to any business and security's key. With Barclaycard Transact, you can achieve this with intelligent insights. You can also deliver a smoother payment experience for your customers by accepting more transactions and minimizing disruption through the journey.

Now, Barclaycard Transact itself is one of the exemption – is based on one of the exemptions that's on offer that wasn't listed in the earlier exemptions and we've done that on purpose. So Barclaycard Transact works on an exemption which is known as a TRA exemption, or a Transaction Risk Analysis exemption. The Transaction Risk Analysis is at acquirer level. So what that means is that all acquirers, all merchant processors within the market will have to analyse their transactions and the fraud ratio of their transactions and report them back in line with the regulation.

That regulation then stipulates that dependent on the fraud ratio of that acquirer at acquirer level, there will be certain value of exemptions that are on offer. Barclaycard is really well placed within – Barclaycard is really well placed with its fraud ratios and there's a lot of conversations that we're having with businesses at the moment, including businesses within premium collection, where we feel that we can really add value to being able to offer those exemptions and either maintain or improve that current customer experience. So a few of the – a few of the examples that I want to highlight just to bring really this back to premium collections is where a first transaction may be on card and subsequent monthly transactions may be by direct debit. This could definitely be TRA or a Barclaycard Transact consideration.

The second that I want to bring to life is whereby a first transaction is on card and a monthly recurring card transaction beyond that. There's no TRA consideration here or there's not necessarily a remit for Barclaycard Transact for per se. This is largely because that recurring card transaction would be classed as merchant initiated. However, you can have a conversation with Barclaycard in order to understand how you can look to authenticate that initial capture of that card detail and process that in order to flag those subsequent transactions as merchant initiated recurring transactions.

The third example I would like to bring to life is whereby first card transaction or first transaction is by card and this is a full premium payment with an intended annual renewal. Now, this may not have a TRA consideration in line with Barclaycard Transact. However, the annual renewal must take – must take place within 365 days. Again, it's definitely worth a conversation with Barclaycard in order to understand how you can capture those first card details – or those card details in the first instance and flag that transaction properly beyond that.

The next one that I want to highlight is whereby first transactions on card. This is a full premium payment and this is absolutely a Barclaycard Transact consideration. This is where we can apply our acquirer exemptions. However, we would need to ensure that that would be below the TRA limit and the TRA limit we can have discussions with you to give you a better understanding of what that looks like.

Final one that I just want to highlight here is for ad hoc transactions. These could be things such as policy amendments and these certainly would be Barclaycard Transact considerations and where we can apply exemptions, again, dependent and subject to the TRA, the Transaction Risk Analysis, limit as guided by regulation.

So what's the Barclaycard recommendation to merchants? Our recommendation would be to prepare for use of 3DS Version 2.1 if you haven't already done so. Do not wait until the last minute to be able to do this and we are available for contact to be able to help guide you down the right path and to be able to give strategy and insight in which way you should be turning to be able to go down this route. Increase use of correct flagging per schemes and the recommendations for that. Example of that would be MOTO transaction, merchant-initiated transactions, recurring, et cetera. Maximize merchant use of exemptions, including the acquirer exemptions that I've touched on and these are the Transaction Risk Analysis exemptions that are on offer from Barclaycard and Barclaycard Transact.

And there will be technical challenges that remain to be worked through and Barclays are working with U.K. finance project management office and we're hoping for more news and information to come out over the coming weeks and months. Henry, over to you.

Well, Paul, thanks very much for giving us an overview there and look, I know there was a fair amount of detail and granularity in that and I imagine it's probably raised a few questions. If you have any now, please do let us know either on the web platform or on the phones. We'll just get – (John), would you mind just giving people the instructions on how to – how to ask a question?