Cybersecurity approaches in the U.K. and Europe provide learning opportunities for U.S. banks, despite major differences in regulatory and business structures. What follows are three cybersecurity tactics that are working in the U.K. and Europe:
1. Mandatory multifactor

Multifactor authentication (MFA) has been much maligned by banking customers for its clunkiness and relative inconvenience. However, mandatory MFA, which was part of the PSD2 regulatory framework for European payments regulation, was key to reducing fraud attempts in the U.K., Hardeep Rai, product director, fraud prevention at California-based risk operations fintech Feedzai, told Bank Automation News. PSD2 is a 2018 European digital payments directive, which included regulation on open banking and made strong customer authentication (SCA) mandatory.
“The reason for strong customer authentication was, there was a clear need to secure this new API channel,” Rai said. “But it was also seen as a way to reduce fraud generally. It brought in a minimum requirement of authentication, so you must have two factors of authentication for all transactions, or most of the transactions.”
This created a feeling of “table stakes” and forced banks to rethink their authentication approach, moving away from unwieldy authentication processes that spanned multiple platforms and could result in customer attrition, he said. Many European banks now offer streamlined SMS-based authentication procedures that highly reduce fraud.
“The truth is that level of authentication is far nicer and cleaner, and customers are willing to go through it,” Rai said. “So, you get a double benefit, where you’ve got nicer customer experience, but you’ve also got less fraud, because you’ve made that channel more secure.”
Irregular deployment of MFA has caused issues for U.S. customers, Sai Huda, founder of San Diego-based cybersecurity firm CyberCatch, told BAN.
“We think that it should be used more broadly in the United States,” Huda said. “When it’s used, it’s used for certain use cases, or it’s for privileged users only. But frankly, it’s time.”
2. Confirmation of payee
Confirmation of payee, in which a bank triggers an API call to another institution to certify that a payment reached the correct destination, has proved an important “small step” in creating friction for fraudsters in the U.K., Feedzai’s Rai said.
“They’re not silver bullets,” Rai said. “Confirmation of payee has been live for nearly two years. It’s not fundamentally changed the fraud, but it’s another small thing that helps. Fraudsters will find ways around this — they always do — but it’s just putting more friction in their way.”
3. Contingent reimbursement
Not all of Europe’s cybersecurity methods are regulation-inspired: A voluntary code for maintaining consistency in fraud reimbursement has gone a long way toward limiting scams and account takeover fraud, Rai noted.
“The contingent reimbursement model is not regulated in the U.K., but it’s a voluntary code that a number of the banks in the U.K. signed up to, with the sole purpose of bringing some consistency to when a customer gets refunded,” he told BAN.
This code assuages difficulties in recovering lost funds for customers whose banks may have different standards for what constitutes fraud and establishes a strong code of conduct for banks in the U.K.
Regulatory hurdles
Many of Europe’s cybersecurity developments stem from sweeping regulatory directives, which are not totally replicable in U.S. banking ecosystem. However, industry leaders and banks alike would be best served to take a close look at what Europe has done, John Horn, Aite-Novarica Group practice director, cybersecurity, told BAN.
“EU regulation pertaining to Cross-party (or cross-jurisdiction) Customer Identity has been excellent,” Horn said. “The EU’s Electronic Identification and Signature (eIDAS) regulation in 2016 set great rails for EU Member Nations. By end of 2020, 19 Digital Identity formats across q5 countries were interoperable in Europe. US government and industry leadership would be well-served to study the success of EU Identity regulation as US federal Digital Identity is being considered.”
Bank Automation Summit Fall, taking place Sept. 19-20 in Seattle, is a crucial event on automation and automation technology in banking. Learn more and register for Bank Automation Summit Fall 2022.






