What is Next in Payments Authentication?

  • Olympe Leflambe, General Counsel, Legal and Compliance at Mangopay

  • 27.03.2024 12:48 pm

Strong Customer Authentication (SCA) is a requirement of the second Payment Services Directive (PSD2) designed to force EU payment service providers to improve authentication processes. Six years after it became law, Olympe Leflambe, General Counsel, Legal and Compliance at Mangopay, discusses the state of authentication in 2024.

1.  What are the key principles of SCA?

For Strong Customer Authentication (SCA), there are three key elements: possession, knowledge and inherence. Possession is something that you have, so usually it’s tied to a hardware device such as a security token. Knowledge is something you know, such as a password, the answer to a security question or PIN. And for the inherence element, it’s something you are, which in general is biometrics - your face, a scan of your eye, your fingerprint or voice. But it could also be behavioural data that points to you specifically.

These three factors have not changed since SCA was first introduced in legislation. These factors need to be independent so that if one is compromised, then the others are not compromised, to not jeopardise the effectiveness of the authentication. SCA is technology agnostic, so the spirit of the legislation is that there’s no one solution technically, so that innovation can continue as long as the criteria are met.

2.  What changes do you think would improve payment authentication?

Two things will support the evolution - and hopefully the improvement - of authentication - definitely technology but also the legal framework. Bad actors are becoming more and more sophisticated. It’s not something that’s new or recent, but they seem to have always been on top of technological developments. AI is definitely something that comes to mind, specifically for the inherence factor, so biometric data but also behavioural data - it’s all something that AI can help with. That’s something that has evolved a lot in the past year or 18 months.

On the legal side, the framework for authentication will evolve with PSD3. It’s not enacted yet but there will be some changes to the framework, in particular on broadening the scope and application of Strong Customer Authentication. 

It is important that both aspects, technology and legislation, evolve in such a way that providers can continue to innovate while not introducing too much customer friction and harming their business or that of their customers.

3.  How does the industry balance the need for authentication without introducing too much friction for users?

Friction is not a guarantee of efficiency or success to fight fraud. Friction in itself, especially when talking about bad actors and large-scale fraudulent operations, is unlikely to be successful. To determine what’s an acceptable level of friction, there are a couple of things to take into account.

One is customer-centricity. For Mangopay, for instance, we want to be as customer-centric as possible and provide the best experience possible. Friction is something we look to minimise as long as it’s not to the detriment of our anti-fraud measures. There’s a risk appetite as well. You might have zero fraud and lots of friction but then you probably end up protecting yourself against your legitimate customers, so you’re going to lose legitimate transactions.

Is there an intelligent way to use friction? The best way is to be data-driven. So, what’s the impact on conversion? What’s the impact on fraud? But also, what else is available - what other measures are available that do not introduce friction and that have the same efficiency? 

The inherence element of SCA means authentication can be invisible when you’re relying on the behavioural factor - users often don’t know there’s authentication but there is. But you’re protected as efficiently and that’s a good way to think about friction and how to assess the impact on the customer experience. 

4.  Finally, what role will AI play in customer authentication?

AI will play a big role because of the benefit of being more sophisticated in identifying certain patterns and working with behavioural data but also with being more reliable when using the scan of your face, or eye or fingerprint.

But at the same time the technology is going to be leveraged by fraudsters and bad actors. We already see that in the AML world, with likeness checks and the use of deep fakes. So AI is something that has been used quickly to circumvent certain checks.

Hopefully, as an industry, we’ll be able to leverage the technology better and as fast as the bad actors are doing it. I’m curious to see what the AI Act will mean for this industry and hopefully it will not slow or hinder innovation.

I think it’s really important to not think about strong customer authentication in isolation. It’s not a magic bullet, or a unique solution. It’s something we have to do and it’s definitely a useful tool but it would be dangerous to think because we have it in place then there is no fraud.

When you have strong expertise in anti-fraud management, for instance with Nethone as part of the Mangopay group, SCA is one of the many resources we have to make sure that we detect fraud and I think that’s really important to remember - it’s not something to take in isolation from other measures to fight against fraud.
