When to Apply and When to Skip Strong Authentication (aka 2FA)
The requirements on when to apply strong customer authentication (SCA) to EEA-based customers are set out in the RTS on Strong Customer Authentication under PSD2 (Commission Delegated Regulation (EU) 2018/389), which applies in full from 14 September 2019.
Generally speaking, strong authentication is required when:
- The payer accesses their payment account online, and/or
- The payer initiates an electronic payment transaction (a single payment, or the first payment of a recurring series), and/or
- The payer carries out any other action through a remote channel that may imply a risk of payment fraud.
You may be asking yourself: is it really required to trigger 2FA every single time, even when the user is using the same card and the same device to buy the same product from the same merchant? Can I just store their card details and offer a smoother experience?
Sure! The RTS calls these cases exemptions, and applying them is the payment service provider's choice rather than an obligation. Here is when 2FA is not required:
- View only: the user views their balance or the transactions of the last 90 days without initiating a payment. SCA is still required the first time the account is accessed online and at least once every 90 days after that;
- Contactless card payments at the point of sale: each payment is 50 EUR or less, and since the last SCA either the cumulative contactless amount is no more than 150 EUR or there have been no more than five consecutive contactless payments. Either counter satisfies the rule; in practice the issuer tracks one of them and triggers SCA once it is exceeded;
- Online (remote) payments: each payment is 30 EUR or less, and since the last SCA either the cumulative remote amount is no more than 100 EUR or there have been no more than five consecutive remote payments;
- Unattended terminals for transport fares and parking fees;
- Corporate customers initiating payments through dedicated secure corporate payment processes or protocols (e.g. API or host-to-host payments) that the competent authority accepts as offering equivalent security;
- Trusted beneficiaries: creating or amending the list of trusted ("saved") counterparties itself requires SCA, but subsequent payments to anyone on that list do not. Separately, a series of recurring payments of the same amount to the same payee needs SCA only for the first payment; the later ones in the series are exempt even though the payee was never saved to a list;
- Transfers between accounts held by the same person at the same institution (e.g. moving funds between their own current and savings accounts);
- Transaction risk analysis: the financial institution runs real-time fraud risk monitoring on each transaction and its own fraud rate stays at or below the reference rate for the transaction amount. For remote card payments the reference rates are 0.13% for amounts up to 100 EUR, 0.06% up to 250 EUR and 0.01% up to 500 EUR, so a transaction in the 250 to 500 EUR range is exempt only if the provider's fraud rate does not exceed 0.01%; above 500 EUR this exemption is not available. The fraud rate is the value of unauthorised or fraudulent remote transactions divided by the value of all remote transactions of the same type, measured on a rolling quarterly basis.
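As an added worked example (not code from the original post), here is a Python decision helper that encodes the exemptions above as a per-payer state machine: the cumulative-amount and transaction-count prongs of the two low-value exemptions are tracked since the last SCA and reset when a challenge is passed, the 90-day account-access window is enforced, and the transaction risk analysis check compares the provider's own fraud rate against the reference rates for all three remote-card threshold bands (100, 250 and 500 EUR). The limits are the RTS figures; the counter model, the event kinds, the exemption names and the `demo()` purchase history are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal

# Limits from the RTS on SCA (Commission Delegated Regulation (EU) 2018/389).
CONTACTLESS_SINGLE_MAX, CONTACTLESS_CUMULATIVE_MAX = Decimal("50"), Decimal("150")  # Art. 11
REMOTE_SINGLE_MAX, REMOTE_CUMULATIVE_MAX = Decimal("30"), Decimal("100")            # Art. 16
CONSECUTIVE_MAX = 5                          # Art. 11(c)/16(c): transactions since last SCA
ACCOUNT_ACCESS_WINDOW = timedelta(days=90)   # Art. 10(2): re-authenticate account viewing
SCA_START = datetime(2019, 9, 14)            # default "now" for the constructed scenarios
# Art. 18 reference fraud rates for remote card payments (RTS Annex): (threshold EUR, max rate %)
TRA_CARD_THRESHOLDS = [(Decimal("100"), Decimal("0.13")), (Decimal("250"), Decimal("0.06")),
                       (Decimal("500"), Decimal("0.01"))]


@dataclass
class PayerState:
    """Hypothetical per-payer/per-instrument counters a PSP keeps between SCA challenges."""
    last_account_sca: "datetime | None" = None
    contactless_sum: Decimal = Decimal("0")
    contactless_count: int = 0
    remote_sum: Decimal = Decimal("0")
    remote_count: int = 0
    trusted_beneficiaries: set = field(default_factory=set)  # Art. 13: the list itself is set up under SCA
    own_accounts: set = field(default_factory=set)           # Art. 15
    recurring_series: set = field(default_factory=set)       # Art. 14: (payee, amount) after the first SCA


@dataclass
class Event:
    kind: str  # account_view | contactless | remote | transfer | unattended_terminal | corporate
    amount: Decimal = Decimal("0")
    payee: str = ""
    recurring: bool = False

    def __post_init__(self):
        self.amount = Decimal(str(self.amount))  # accept int/str amounts from callers


def tra_exempt(amount, psp_fraud_rate_pct):
    """Art. 18: exempt if the amount sits in a band whose reference fraud rate
    the PSP's own rolling-quarter fraud rate does not exceed."""
    amount, rate = Decimal(str(amount)), Decimal(str(psp_fraud_rate_pct))
    return any(amount <= etv and rate <= max_rate for etv, max_rate in TRA_CARD_THRESHOLDS)


def decide(ev, st, now=SCA_START, psp_fraud_rate_pct=None):
    """Return (sca_required, exemption). The cumulative-amount and count prongs are 'or'-ed
    as in the RTS; the current transaction is counted in (conservative reading, assumed)."""
    if ev.kind == "account_view":
        stale = st.last_account_sca is None or now - st.last_account_sca > ACCOUNT_ACCESS_WINDOW
        return (True, None) if stale else (False, "account_information")
    if ev.kind in ("unattended_terminal", "corporate"):  # Art. 12 and Art. 17
        return False, ev.kind
    if ev.kind == "transfer" and ev.payee in st.own_accounts:
        return False, "own_account"
    if ev.payee and ev.payee in st.trusted_beneficiaries:
        return False, "trusted_beneficiary"
    if ev.recurring and (ev.payee, ev.amount) in st.recurring_series:
        return False, "recurring"
    if ev.kind == "contactless" and ev.amount <= CONTACTLESS_SINGLE_MAX and (
            st.contactless_sum + ev.amount <= CONTACTLESS_CUMULATIVE_MAX
            or st.contactless_count + 1 <= CONSECUTIVE_MAX):
        return False, "low_value_contactless"
    if ev.kind == "remote":
        if ev.amount <= REMOTE_SINGLE_MAX and (
                st.remote_sum + ev.amount <= REMOTE_CUMULATIVE_MAX
                or st.remote_count + 1 <= CONSECUTIVE_MAX):
            return False, "low_value_remote"
        if psp_fraud_rate_pct is not None and tra_exempt(ev.amount, psp_fraud_rate_pct):
            return False, "transaction_risk_analysis"
    return True, None  # no exemption applies: challenge the payer


def record(ev, st, sca_performed, now=SCA_START):
    """Update counters after the event: a passed SCA resets that channel's counters and
    unlocks account viewing / a recurring series; an exempted payment accumulates."""
    if ev.kind == "account_view" and sca_performed:
        st.last_account_sca = now
    elif ev.kind == "contactless":
        st.contactless_sum = Decimal("0") if sca_performed else st.contactless_sum + ev.amount
        st.contactless_count = 0 if sca_performed else st.contactless_count + 1
    elif ev.kind == "remote":
        st.remote_sum = Decimal("0") if sca_performed else st.remote_sum + ev.amount
        st.remote_count = 0 if sca_performed else st.remote_count + 1
    if sca_performed and ev.recurring:
        st.recurring_series.add((ev.payee, ev.amount))


def simulate(events, st, now=SCA_START, psp_fraud_rate_pct=None):
    """Run events in order, assuming every required challenge succeeds; returns the decisions."""
    out = []
    for ev in events:
        out.append(decide(ev, st, now, psp_fraud_rate_pct))
        record(ev, st, out[-1][0], now)
    return out


def demo():
    """Constructed card-on-file history at a PSP whose remote fraud rate is 0.10%."""
    st = PayerState(trusted_beneficiaries={"utility-co"}, own_accounts={"savings"})
    events = [Event("remote", 25, "shop") for _ in range(6)]  # the sixth exceeds both prongs
    events += [Event("remote", 200, "shop"),                    # above every TRA band at 0.10%
               Event("remote", 25, "shop"),                     # counters were reset by that SCA
               Event("transfer", 1000, "savings"), Event("remote", 80, "utility-co"),
               Event("account_view"), Event("account_view")]
    return ["SCA" if required else exemption
            for required, exemption in simulate(events, st, psp_fraud_rate_pct="0.10")]
```

Two things in `demo()` are worth noticing: the sixth 25 EUR purchase falls outside the low-value exemption (cumulative 150 EUR and six consecutive payments) but is still exempt under transaction risk analysis because it is under 100 EUR, whereas the 200 EUR purchase forces a challenge because a 0.10% fraud rate only qualifies the provider for the 100 EUR band. Counting the current transaction towards the limits, and treating "or" literally so that either counter being within bounds suffices, are implementation choices; check them against your own issuer's reading of the RTS before relying on them.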
If you need guidance on which tools and solutions may help you with fraud monitoring and how it fits into your onboarding process, you are welcome to download my FREE Digital Onboarding Checklist!