SCA Banking Institution Updates
Banks are implementing SCA checks by sending a one-time passcode (OTP) by text or email, which customers must enter online for authentication. Other ways banks are implementing SCA requirements include encrypted push notifications via their mobile banking apps, automated calls to the customer's landline, and a card reader/PIN device.
- Strong Customer Authentication (SCA) places a requirement on banks to identify every customer using a minimum of two of the following three independent factors of authentication: information only the customer knows (a password, PIN, or the answer to a security question); something only the customer controls (a card reader or registered mobile device via which they are sent verifying information); and a physical identifier unique to the customer (a digital fingerprint, voice pattern, or FaceID).
- SCA came into effect on September 14, 2019, but not all banks have implemented the changes; those that haven't are expected to comply within the next 15 months to March 2021.
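The two-of-three rule above counts independent categories, not the number of credentials, so a password plus a security question is still a single factor. The following is an added example, not code from any bank or from the regulation: the element names, the `FACTOR_CATEGORY` mapping, and `evaluate_sca` are hypothetical and classify only methods named in this text.

```python
from dataclasses import dataclass

# Hypothetical element names; categories follow the three-factor list above.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "card_reader_code": "possession",
    "sms_otp": "possession",        # code sent to the registered mobile device
    "push_approval": "possession",  # approval in the registered banking app
    "fingerprint": "inherence",
    "voice_pattern": "inherence",
}

REQUIRED_CATEGORIES = 2  # "a minimum of two of the following three"

@dataclass(frozen=True)
class ScaDecision:
    satisfied: bool
    categories: frozenset
    unknown: tuple
    reason: str

def evaluate_sca(verified_elements):
    """Decide whether the elements verified in one session meet the rule."""
    categories, unknown = set(), []
    for element in verified_elements:
        category = FACTOR_CATEGORY.get(element)
        if category is None:
            unknown.append(element)   # never count an unclassified element
        else:
            categories.add(category)  # set: repeats in a category count once
    ok = len(categories) >= REQUIRED_CATEGORIES
    if ok:
        reason = "two or more independent categories verified"
    elif len(verified_elements) >= REQUIRED_CATEGORIES:
        reason = "multiple elements, but fewer than two distinct categories"
    else:
        reason = "fewer than two elements verified"
    return ScaDecision(ok, frozenset(categories), tuple(unknown), reason)

if __name__ == "__main__":
    # Constructed sample sessions, not real bank data.
    samples = (["password", "sms_otp"], ["password", "security_question"],
               ["push_approval", "fingerprint"], ["pin"])
    for session in samples:
        print(session, "->", evaluate_sca(session))
```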
How Banks Are Implementing SCA
- Banks are implementing these SCA checks using encrypted push notifications (via mobile banking apps), which are considered the most secure form of two-factor authentication. These encrypted alerts confirm the transaction amount and payee, and the customer authorizes the transaction by fingerprint ID or other biometrics.
- Another way banks are implementing SCA checks is by sending a one-time passcode (OTP) by text or email, which customers must enter online for authentication. Since messages can be hijacked, this is not as secure as push notifications.
- For customers who don't have a mobile or are in areas with poor mobile network coverage, some banks allow codes to be sent via landlines. Such a customer can opt for an automated call to their landline, in which an automated voice gives them a code that they enter into the bank's website.
- Authentication can also be done using a card reader/PIN device. The customer inserts a card into the card reader and enters a four-digit PIN. The card reader then generates a unique eight-digit code, which is then used to complete the online transaction.
- HSBC UK, Santander, and M&S Bank all use security questions to authenticate customers who may have forgotten their passwords. Customers can reset their security questions by first providing answers to the current security questions. Those who have forgotten the answers to their security questions can call the administrator, the bank (Santander and M&S Bank), or the automated service (HSBC UK), and they are then authenticated over the phone.
- According to HSBC UK's customer authentication brochure, in which it explained its implementation of SCA, HSBC cardholders may need to authenticate online payments using Visa Secure. Cardholders don't have to register with Visa Secure to receive an OTP, which is an upgrade from passwords.
- HSBC UK's SCA options as of September 2019 were SMS codes, email codes, and the landline option, as described above.
- HSBC UK customers can receive OTP codes via email, but only on a limited or temporary basis.
- M&S Bank uses Verified by VISA or Mastercard Identity Check to protect online shoppers who use M&S Debit Card and Credit Card. They don't need to register; all they need do is ensure that their mobile numbers are up to date so that they can receive the OTP by SMS to complete online transactions.
- M&S Bank customers can receive OTP codes via email, but only on a limited or temporary basis.
- As of September 14, 2019, M&S Bank had already implemented SCA for current account logins, and credit cards were expected to follow. For customers who don't use its mobile banking app, it was expected that they would be able to order a physical M&S Pass at a later point this year for authenticating internet banking transactions.
- Altogether, M&S Bank's SCA options as of September 2019 were SMS codes, email codes, and the landline option, as described above.
- According to a Santander spokesman, "In addition to providing their ID and security numbers, customers will need to confirm their identity either through our convenient mobile banking app or by giving a one-time passcode which is sent to their phone."
- This statement is consistent with the information available on Santander UK's website regarding the changes in online banking stemming from the new SCA regulations.
- As of September 2019, Santander's SCA options are the SMS code (OTP) and push notifications via its mobile app.
- The bank is expected to introduce SCA checks for login in the first quarter of 2020.