Community
Four Types of Regulation
After having lived and worked in the US, UK, Switzerland, Japan and India, I have formed a view that each country's approach to regulation mirrors how we chastise kids in the family for saying stupid things at the dinner table. Here's how:
PSD2: A Fifth Type of Regulation
PSD2 is a historic intellectual achievement in that it's motivated by innovation, not proscription. Generally, we think of regulators as old, cynical, parental beings that moralise and punish incessantly. PSD2 is more like a series of snapchat messages that a spunky kid in shorts and flip-flops wrote on an iPhone. Or maybe, some grandpa retired banker got jealous of his grandkids having all that fun posting messages from Amazon onto Twitter and Facebook, or using Facebook to log onto everything and exclaimed... why can't I do that with money? Why can't Amazon take me to my Barclays account and voila, I buy that toy my grandkids have been inseperable from...
Regulation as an Instrument of Competition
Unlike those Americans, we Europeans are people of refined sensibilities. This is reflected not just in the stuff we make i.e. Nespresso, Patek Philippe, Prada and Chanel, but also in the enormous value we supposedly place on privacy.
Especially since Eddie Snowden revealed all, we have been using a four letter word called GDPR (Global Data Privacy Regulation) to put Silicon Valley firms where they belong, which is, outside Europe. To some extent, this is a response to how the six US regulators have been pushing European banks where they seem to think European banks belong, i.e. inside Europe.
If the Americans were just prying over our selfies and tweets, we could have lived with that, but no... they want all of their tax cheats that buy a good chunk of our Pradas and Chanels to pay their taxes in America... and that's taking Uncle Sam's arms a bit too close... Swiss Secrecy and GDPR are basically about that methinks.
Enter PSD2... Surprise!
It's quite remarkable then that the Europe of GDPR came up with the idea of allowing Amazon (PISP and thus also the Spamazon of Siberia or Nigeria) to access (XS2A) my bank account (ASPSP) and pay for that funky toy or create a dashboard across my accounts (AISP) without going through Worldpay or Visa.
As it stands, the times of payments were always a-changing even without Paypal, Apple Pay, Merchant Wallets, PSD2. Bitcoin, P2P payments etc. were going to make existing oligopolies irrelevant anyway. So I find it quite incredible that European regulators chose to accelerate the process of change rather than entrench existing powers, as regulators often unintentionally do.
I suspect there were three motivations involved here:
Liberte', Equalite', Fraternite' and Oops... Securite'
Thing is, money is funny. I am not going to go into the high-school orthodoxy about store of value, unit of account and so on here. It's sufficient to say that money is associated with our need to survive with at least half as much intensity as our body parts are. It's one thing for Hacker Hackerovich of Siberia to hack into my Gmail and send incriminating emails, and it's quite another for him to take my money and send it to Ying Yang of Beijing without my knowledge or permission.
And open API access to money... well, really?
Enter Strong Authentication
So grandpa Yanis Technophilis of EBA asks around and Cyber Cyberos of Cyberia says... hey, use that magic bullet of strong authentication. That btw, is a fancy name for making sure that for every transaction, customer Joe Smith proves three things
1. Joe's doing it (Inherence).
2. Joe knows something only he knows (Knowledge).
3. Joe has something he's supposed to have (his iPhone or token).
As it turns out, strong auth is kinda hard... and the hardest part is inherence. Biometrics are one way of showing Joe's the dude but Biometrics aren't particularly fake proof either. Maybe behavioural proof is needed, but I can potentially copy behavior as it's captured in bits and bytes.
If we tie behavior and posession together i.e. force Joe to access the account only through one particular phone... he's not going to keep this account for long is he?
Well... Privace', Usabilite', Securite' is the new cry of the European revolution...
Enter Identity and REPUTATION Systems... Customer, Who?
If you've been reading along so far and you've been anywhere near a big bank's multiple customer or account databases from the loans, mortgages, savings and cards business, I am sure you're already wondering, "How on the planet will a big bank bring all of that data together underneath a fancy API correctly and cleanly"?
Single customer view is hard enough, and now PSD2?
And it gets worse.
If we look closely at the sharing economy tools like Uber, AirBnB or Tripadvisor, all of these tools rely heavily on reputation. Drivers and Passengers rate each other on every transaction and the next time they have a chance to meet, they can choose to look at each other's ratings, or reviews and say yes or no to the transaction.
Open that Fraud Account
Reputation can be determined (scored) by a single provider or by a network of providers. When BigBank KYCs a dude and then track his transactions, the dude forms a reputation over time within BigBank's network. If dude fails to pay his bills or runs non stop overdrafts, BigBank hesitates to give him a loan next time. Thing is... dude can keep all his misbehaviour to NotSoBigBanks around the world, and be the nicest bunny that ever opened an account with BigBank.
Credit Scoring is the most common way reputation systems work in finance, and indeed, reputation works when reputation is shared across a network. Seriously, if you are looking to marry dude, you might want to ask his exes and his friends too and not just rely on dude treating you nice so far.
Unfortunately reputation systems require a notion of shared identity across the network. If Joe Smith misbehaves while using his NotSoBigBank account, BigBank needs a way of knowing that it's the same Joe Smith who's requesting this risky transaction. Maybe BigBank also would like to know that Joe's been returning 90% of his purchases and providing abusive reviews on Amazon, while saying all nice things about Spamazon, which by the way, has a low reputation itself.
Having our Privace' Cake and Eating Our Securite' and Usabilite' cakes too!
So here we are, full circle...
And there went privacy, out, out, out of the window... back to where the Americans left us with Eddie Snowden and the NSA...
PSD2 and is pretty awesome... progressive, bold and innovative, but we probably need to rethink privacy... similar to how we kept cameras on the granny that trashed the little cat in London... to make it all work.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Nkiru Uwaje Chief Operating Officer at MANSA
03 October
Sireesh Patnaik Chief Product and Technology Officer (CPTO) at Pennant Technologies
02 October
Jelle Van Schaick Head of Marketing at Intergiro
01 October
Ruchi Rathor Founder at Payomatix Technologies
30 September
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.