As strong customer authentication (SCA) has become widely adopted in Europe and more countries are likely to follow, VIXIO is looking at what has been done in the US in terms of the regulation and what lies ahead.
The SCA was introduced in the EU as part of its revised Payments Service Directive (PSD2) and requires authentication to use at least two of the following three elements: something you know (knowledge); something you have (possession); and something you are (inherence).
As early evidence seems to indicate that SCA is an effective tool to reduce card-not-present (CNP) fraud, more regions are likely to follow, especially given the growth of digital payments around the world in recent years.
One of the main challenges hindering the widespread adoption of SCA, or multi-factor authentication (MFA) as it is more widely called in the US, is the extra friction it adds to the payment process.
This not only affects the user experience but may also cause financial losses for businesses due to higher cart abandonment rates which critics argue outweighs the costs of fraud.
“MFA tools can be complicated and have a steep complicated learning curve for customers,” according to Bob Bilbruck, CEO at Captjur.
“They tend not to be user-friendly, requiring specialised training and marketing outreach by the bank to teach customers how to use them,” he added.
Although convenience is paramount for businesses in Europe, it is even more so in the US, Jason Bohrer, executive director of the U.S. Payments Forum, told VIXIO. Hence, any element that may complicate the user experience is weighed very heavily before businesses decide to roll out a new technology.
In recent years, several US regulators have made statements pressuring financial institutions to implement some sort of customer authentication.
In October 2021, the Federal Trade Commission (FTC) updated its Safeguards Rule, which is set to go into effect in two weeks and which requires financial institutions to use MFA both when external users, such as customers, and internal users, such as employees, access a system containing customer information.
In an August 2022 circular, the Consumer Financial Protection Bureau (CFPB) stated that it is likely unlawful if a service provider “does not require MFA for its employees or offer multi-factor authentication as an option for consumers accessing systems and accounts, or has not implemented a reasonably secure equivalent”.
The Federal Financial Institutions Examination Council (FFIEC), a multi-agency standards body for financial institutions, has also issued numerous sets of guidance, the last one in 2021, encouraging the adoption of MFA.
Additionally, in May 2021, President Joe Biden issued an executive order setting out a zero trust strategy for government agencies, ordering them to implement MFA and encrypt all data stored or transferred.
Building on the presidential order, in early 2022, the Office of Management and Budget (OMB) released a memorandum with a detailed strategy to implement MFA for government agencies.
Although the memorandum is aimed at MFA within government agencies, the recommendations set out by the office are generally considered important guidance for the private sector too.
Banks now view MFA as the “minimum industry standard” for stronger authentication assurance and experts say payment firms have made significant steps to implement MFA.
“The payment industry has indeed embraced MFA,” according to Piyush Tripathi, lead tech engineer at Square. However, he noted, the adoption of MFA is not uniform across all organisations and sectors.
Congress unlikely to mandate
Experts are to some extent divided as to whether Congress would step in and legislate MFA.
According to Tripathi, such a move could be warranted given the increasing importance of cybersecurity and the need to protect consumers’ financial information.
However, considering the generally light-hand regulatory approach based on industry consensus, it would be highly unusual for members of Congress to legislate specifics to such detail.
Currently, MFA is mainly positioned as a “best practice”, Bohrer said, and it is unlikely to change in the short term.
Even if policymakers were to encourage more adoption, it would probably take a less prescriptive form than what Europe took with an outright mandate.
In a more likely scenario, policymakers may push for more adoption by shifting the liability to one specific party. This will prompt that party to swiftly adopt the necessary security protections, similar to what happened with EMV standards, Bohrer noted.
When card networks introduced the EMV chip to better counter in-store payments fraud, merchants were reluctant to switch terminals due to the complexity and costs involved in the transition.
But in 2015, the card networks changed their rules, shifting liability from issuing banks to merchants for fraudulent transactions processed via non-EMV-compatible payment terminals.
Some argue this marked the beginning of a new era for accepting payment cards in the US, which eventually led to chip cards becoming ubiquitous in the country.
MFA could follow a similar path, according to Bohrer.
“Whoever is going to take responsibility, they are going to make sure that the security is there first and foremost and try to mitigate any type of financial exposure even at the expense of convenience,” he added.
It remains to be seen whether Congress eventually moves to legislate MFA in the longer term, but there is inarguably growing pressure coming from the Biden administration to encourage widespread adoption of MFA in all segments of the economy.