As millions start their Christmas shopping online, there’s a warning that consumers may need to have a mobile phone, and a decent signal, to make sure their transactions go through.
UK banks are starting to introduce a new layer of security, involving passwords sent to your mobile phone. That could be a problem for hundreds of thousands of householders without a mobile, or no proper signal.
Now banks are being urged to find other ways to check a customer’s identity. The new rules are part of an EU directive – already adopted by the UK – which is due to come into force by September 2019.
But critics say many people are likely to be inconvenienced.
“Banks are not yet great at looking after people at the margins – because they’re disabled, or because they live with no mobile coverage,” said James Daley, the managing director of Fairer Finance.
“These systems are designed for the 95% – while the remaining 5% are hung out to dry.”
How does the new system work?
If online shoppers spend more than about £27 (€30 under the EU directive) in one transaction, payment providers will be required to ask for an extra form of verification, usually sent as a one-time password by text to your mobile phone.
The same will apply once you have spent £90 in total on a particular card – or if you make five separate payments of £27.
Further exemptions are also possible – if a retailer decides that your purchase is low risk, for example. In addition, if your bank can prove to the regulator that it has a good record on fraud, it can allow exemptions on payments worth up to about £450 (€500).
UK Finance – the umbrella body for the industry – has told its members that they need to find other ways of verifying their customers’ identities, such as by phoning them on their landline, or by using biometric data.
This could be via a finger-print on the bank’s app, for example.
And, while it is inconvenient and time-consuming, customers can always phone their bank to get a one-off approval for a particular transaction.
What are the banks doing?
Banks are working hard to make things easier for customers. They are also under pressure from retailers, who don’t want anything to interrupt the online buying process.
As one senior executive put it: “there’s a lot of angst” in the industry, as firms try to get things running smoothly by 14 September 2019.
There is also concern that the banks have not yet done enough to communicate the changes to customers.
One bank that has started sending passwords to mobiles is First Direct. It advised anyone having difficulties to get in touch with them.
“We do have alternative processes for customers who cannot use this method, and they may be required to call us to authenticate,” a spokesperson said.
Part two of the Payment Services Directive (PSD2) – which also introduced the concept of open banking to EU member states – is designed to combat fraud.
The new rules are officially known as “Strong Customer Authentication”.
But banks are having to balance anti-fraud measures with the ease of buying goods online. “These changes are aimed at further enhancing payment security and reducing fraud,” a spokesperson for UK Finance told the BBC.
“The requirements will include exemptions for low-risk and low-value transactions to help prevent any unnecessary inconvenience for customers.”