Risk-Based Authentication (RBA) is a dynamic, parameter-driven approach that estimates the risk of each individual transaction and selects an appropriate customer authentication method accordingly. Applied this way, RBA helps prevent a range of attacks against online payments while bothering legitimate customers as little as possible.
To score a transaction, the system needs a baseline of the customer's typical behaviour. RBA collects and analyzes parameters such as the device used, the location the request comes from and the transaction amount, and compares them with what has been seen for that customer before.
Based on these parameters, each transaction is scored and classified as low, medium, or high risk.
For a low-risk transaction, the customer completes the payment without any further authentication.
For a medium-risk transaction (e.g., a payment from an unknown device), the customer is asked for additional verification (step-up authentication) before the payment is processed.
For a high-risk transaction (e.g., an unusually high transaction amount or an unfamiliar location), the transaction is automatically declined and the payment cannot be processed.
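The three-tier decision described above, as an added Python example that is not part of the original page: the signals, weights, thresholds, customer profile fields and sample data are all hypothetical and constructed for illustration. A production RBA engine uses many more signals and statistically tuned or model-derived weights; the point here is the mapping from behavioural deviations to a score, and from the score to allow / step-up / decline.

```python
"""Illustrative risk tiering for a card-not-present payment (added example).

Hypothetical scoring rules; real RBA engines use many more signals and
tuned, often model-derived, weights. All sample data below is constructed.
"""
from dataclasses import dataclass

# Hypothetical weights: every signal that deviates from the customer's
# established behaviour adds to the risk score (max possible score: 130).
WEIGHT_UNKNOWN_DEVICE = 30
WEIGHT_UNFAMILIAR_LOCATION = 35
WEIGHT_HIGH_AMOUNT = 40
WEIGHT_VELOCITY = 25

# Hypothetical tier boundaries on the score.
MEDIUM_THRESHOLD = 30
HIGH_THRESHOLD = 60

# Tier -> action, matching the three outcomes in the text.
ACTIONS = {"low": "allow", "medium": "step_up", "high": "deny"}


@dataclass
class CustomerProfile:
    """What the bank already knows about the customer's typical behaviour."""
    known_devices: set
    usual_countries: set
    typical_max_amount: float   # e.g. 95th percentile of the customer's past amounts
    max_tx_per_hour: int = 3    # velocity ceiling before we consider it suspicious


@dataclass
class Transaction:
    device_id: str
    country: str
    amount: float
    tx_in_last_hour: int = 0    # transactions by this customer in the last hour


def risk_score(profile, tx):
    """Return (score, list of contributing signals) for one transaction."""
    score = 0
    signals = []
    if tx.device_id not in profile.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        signals.append("unknown_device")
    if tx.country not in profile.usual_countries:
        score += WEIGHT_UNFAMILIAR_LOCATION
        signals.append("unfamiliar_location")
    if tx.amount > profile.typical_max_amount:
        score += WEIGHT_HIGH_AMOUNT
        signals.append("unusual_amount")
    if tx.tx_in_last_hour >= profile.max_tx_per_hour:
        score += WEIGHT_VELOCITY
        signals.append("velocity")
    return score, signals


def tier(score):
    """Map a numeric score to the low / medium / high tier."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def decide(profile, tx):
    """Full decision: score, tier, resulting action and the signals that fired."""
    score, signals = risk_score(profile, tx)
    t = tier(score)
    return {"score": score, "tier": t, "action": ACTIONS[t], "signals": signals}


# Constructed sample profile and transactions (not real customer data).
PROFILE = CustomerProfile(
    known_devices={"dev-home-laptop", "dev-phone"},
    usual_countries={"DE"},
    typical_max_amount=150.0,
)

SAMPLE = {
    "usual": Transaction("dev-phone", "DE", 42.0),                     # everything as expected
    "new_device": Transaction("dev-unknown-1", "DE", 42.0),            # one deviation -> step-up
    "big_and_far": Transaction("dev-unknown-1", "BR", 1200.0, tx_in_last_hour=4),  # several -> deny
}

if __name__ == "__main__":
    for name, tx in SAMPLE.items():
        print(name, decide(PROFILE, tx))
```

Note that a single deviation (an unknown device on an otherwise normal purchase) lands exactly on the medium threshold and triggers step-up rather than a decline; only an accumulation of independent deviations reaches the deny tier. Where the boundaries sit is a business decision that trades fraud losses against friction, which is why they are tuned per portfolio rather than fixed.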
Risk-Based Authentication not only helps prevent unauthorized transactions but also improves the customer experience by reducing friction. In other words, RBA gives legitimate customers a smooth flow while putting obstacles in front of fraudsters.
From a user-experience standpoint, the goal is to determine the risk of each individual transaction so that low-risk transactions are not burdened with unnecessary authentication steps. Friction is applied only where the risk warrants it, keeping the transaction both secure and convenient for the customer.
Better customer experience in turn drives loyalty. Studies have shown that banks that implemented RBA as part of their digital transformation achieved higher-quality engagement with their customers, who became less likely to switch.
RBA also cuts fraud-related losses. By detecting and blocking fraudulent transactions before they complete, banks reduce chargeback costs.
Strong Customer Authentication (SCA), as required by the PSD2 directive, means verifying the customer with two of three independent authentication elements: something you know (e.g., PIN, password), something you have (e.g., smartphone, hardware token), and something you are (e.g., fingerprint, face recognition). The elements must be independent, so that compromising one does not compromise the others.
Not every 3D Secure payment requires SCA. PSD2 allows a set of exemptions, and several of them rest on risk analysis, so RBA lets a customer skip the authentication step without compromising the security of the transaction. Two caveats matter in practice: the issuer can always decline an exemption requested by the acquirer and demand SCA anyway, and the party that applies an exemption carries the fraud liability for that transaction.
The SCA exemptions that rely on risk-based analysis are the following:
Low-value payment – Remote transactions of 30 euros or less are considered low value and do not require an additional authentication step. However, SCA is applied once the customer has made more than five consecutive such transactions, or once the cumulative value of such transactions since the last SCA exceeds 100 euros; applying SCA resets both counters.
Merchant whitelist / Trusted beneficiary – A cardholder can add individual online merchants to a list of trusted beneficiaries held by their issuing bank in order to skip SCA at subsequent checkouts with those merchants. Creating or changing the list itself requires SCA, so the one-time cost of authenticating is paid when the merchant is added, not on every purchase.
Transaction Risk Analysis (TRA) exemption – The most sophisticated exemption: the payment service provider's real-time risk analysis must not flag the transaction, and the provider's overall fraud rate for that type of transaction must stay below a reference rate that depends on the amount. For remote card payments the thresholds are 0.13% for amounts up to 100 euros, 0.06% up to 250 euros and 0.01% up to 500 euros; above 500 euros TRA cannot be used.
Secure Corporate Payment exemption – A transaction initiated by a legal person (a business) rather than a consumer, through dedicated corporate payment processes or protocols that the competent authority has accepted as providing an equivalent level of security, does not require an additional authentication step.
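How an issuer might decide which exemption, if any, lets a remote card payment skip SCA, as an added Python example that is not part of the original page. The numeric limits follow the PSD2 RTS on SCA as the editor understands them (the low-value exemption, trusted beneficiaries, the corporate exemption and the TRA reference fraud rates for card payments); everything else is an assumption made for illustration: the order in which exemptions are tried, the data model, the convention that the current amount counts toward the cumulative limit, the rule that any exempted payment advances the counters, and the sample data. The RTS lets an issuer apply either the count limit or the cumulative-amount limit for low-value payments; this example enforces both, as the text above describes.

```python
"""Deciding whether a remote card payment can be exempted from SCA (added example).

Numeric limits follow the PSD2 RTS on SCA as understood by the editor; the
decision order, data model and sample data are hypothetical and constructed.
"""
from dataclasses import dataclass, field

LOW_VALUE_LIMIT = 30.0             # EUR, per transaction
LOW_VALUE_CUMULATIVE_LIMIT = 100.0  # EUR, since the last SCA
LOW_VALUE_MAX_CONSECUTIVE = 5      # exempted transactions since the last SCA

# TRA reference fraud rates for remote card-based payments (RTS Annex):
# (exemption threshold value in EUR, maximum fraud rate in percent).
TRA_CARD_THRESHOLDS = [(100.0, 0.13), (250.0, 0.06), (500.0, 0.01)]


@dataclass
class PayerState:
    """Issuer-side view of one payer: counters since the last SCA plus static facts."""
    low_value_count: int = 0
    low_value_cumulative: float = 0.0
    trusted_merchants: set = field(default_factory=set)  # list is edited only under SCA
    is_legal_person: bool = False


@dataclass
class Payment:
    merchant_id: str
    amount: float
    corporate_process: bool = False  # sent via a dedicated corporate payment protocol
    rba_tier: str = "low"            # output of the issuer's real-time risk analysis


def tra_allowed(amount, psp_fraud_rate_pct):
    """TRA applies if the PSP's fraud rate qualifies it for a band covering this amount."""
    for etv, max_rate in TRA_CARD_THRESHOLDS:
        if amount <= etv and psp_fraud_rate_pct <= max_rate:
            return True
    return False  # above 500 EUR, or fraud rate too high for every band


def sca_exemption(payment, state, psp_fraud_rate_pct):
    """Return the name of the exemption that lets this payment skip SCA, or None."""
    if state.is_legal_person and payment.corporate_process:
        return "secure_corporate_payment"
    if payment.merchant_id in state.trusted_merchants:
        return "trusted_beneficiary"
    if (payment.amount <= LOW_VALUE_LIMIT
            and state.low_value_count < LOW_VALUE_MAX_CONSECUTIVE
            and state.low_value_cumulative + payment.amount <= LOW_VALUE_CUMULATIVE_LIMIT):
        return "low_value"
    # TRA: the risk engine must not have flagged the transaction (assumed: tier "low").
    if payment.rba_tier == "low" and tra_allowed(payment.amount, psp_fraud_rate_pct):
        return "transaction_risk_analysis"
    return None  # no exemption: the issuer challenges the customer (SCA)


def record_outcome(state, payment, exemption):
    """Advance the counters for an exempted payment; an SCA challenge resets them."""
    if exemption is None:
        state.low_value_count = 0
        state.low_value_cumulative = 0.0
    else:
        state.low_value_count += 1
        state.low_value_cumulative += payment.amount
    return state


def simulate(payments, state, psp_fraud_rate_pct):
    """Run a sequence of payments for one payer; return the exemption used for each."""
    outcomes = []
    for p in payments:
        ex = sca_exemption(p, state, psp_fraud_rate_pct)
        record_outcome(state, p, ex)
        outcomes.append(ex)
    return outcomes


if __name__ == "__main__":
    # Constructed sample: seven 20 EUR purchases at one merchant, from a PSP whose
    # fraud rate (0.20%) is too high for any TRA band. The sixth payment must be
    # challenged, after which the low-value counters start again.
    print(simulate([Payment("shop-a", 20.0)] * 7, PayerState(), 0.20))
    print(sca_exemption(Payment("shop-b", 400.0), PayerState(trusted_merchants={"shop-b"}), 0.20))
```

Ordering matters: the cheaper, deterministic exemptions are checked before TRA so that the fraud-rate budget is spent only on transactions that would otherwise be challenged. Whatever the order, a medium- or high-risk verdict from the RBA engine disqualifies the TRA exemption, which is how the two mechanisms fit together.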