Re: "typically seems to involve being sent an SMS"
Sorry, but that's neither fair nor accurate.
A portion of my job requires a certain level of familiarity with regulations like this - I am (my employer is) in the financial services sector and based in the EU. Strong Customer Authentication - SCA was introduced by all banks in the EU as a direct consequence of European law - the EU PSD2 (EU Payment Services Directive) which - among other requirements - mandates the use of Strong Customer Authentication to replace previously used technologies like sending lists of pre-generated TAN codes to customers every couple of weeks. SMS *might* be cheaper compared to sending so called "TAN letters" to customers, but to be honest, TAN letters were not very expensive either given that it was a mass mailing operation. The environmental benefits were probably significantly higher than the financial benefits of going paperless, plus the customer convenience gain if done properly. Granted, implementing PSD2 correctly is hard and expensive, but Financial Institutions and in general Financial Services Providers have implemented PSD2 quite well - at least in my jurisdiction.
Here's another catch - the EU PSD2 directive is under the oversight of the EBA (European Banking Authority) and additionally the national financial regulatory authority of each individual country the bank is operating in and they each get to decide how secure the "secure" part of SCA needs to be for their jurisdiction - the EBA has provided a minimum via the so called PSD2 RTS (Regulatory Technical Standards). Do a web search for PSD2 RTS if you are interested.
p.s. You wrote "Nobody is around at two in the morning to authenticate each regular payment when it happens". Well, true, -but nobody should be around at two in the morning - or at any time of the day to authenticate anything. It's all done by the machines nowadays ;)
Biting the hand that feeds IT
