PSD2 is currently the hot topic in the payments industry in Europe. One of the main changes is the creation of new payment actors: Third Party Providers (TPP). We will witness several non-banking entities enter the payments space as TPPs, for example
social media platforms and other Fintechs. In a digital world where about 50% of buying decisions are initially researched via social networks or other online and mobile applications, this will be a a game-changer for traditional banks and financial organisations.
These changes will undoubtedly open new channels and offer a wider range of value-added services but they can also contribute to increased risk of fraudulent activities.
Elevated Risk Landscape
Traditional financial organisations have so far enjoyed a bilateral relationship with their customers. Things will soon change with when the TPPs enter the market with new services. Consequently, as custodians of the customer accounts, banks will see an
even higher volume of transactions. This will be on top of requests through their existing digital channels, already challenged with growing consumer demand for mobile payments but will soon also include new requests made via TPPs. As banks cannot deny access
to TPPs as per the PSD2 mandate, their existing fraud detection systems will be under pressure to cope with the new payment channels. Banks will require a robust, powerful and scalable fraud management platform to sustain the high data throughput and
the velocity of requests in real-time. The window for investigations will be significantly reduced and banks will need to rely on automation and advanced analytics to mitigate the increased fraud risk.
New Payment Actors Introduced
Following the RTS go-live (scheduled for Q4 2018), AISPs and PISPs will be geared up to offer their services to consumers, acting as intermediaries between the end-customers and their banks. The banks will remain the custodians of funds in
the customer accounts and the onus is therefore primarily on them to ensure that the incoming requests are not fraudulent. Banks already face an existing challenge to secure online transactions as it stands. After PSD2 this problem will be further exacerbated
as the requests could be made via third parties where the bank will not have direct interactions with consumers. Requests made via TPPs may be susceptible to third party fraud powered by malware or social engineering techniques and fraudsters could
use the TPPs as an obfuscation layer to confuse the banks’ fraud defences.
Access to Accounts (XS2A)
A major change introduced by PSD2 is the access to banks’ data infrastructure and customer accounts through APIs. Any new digital channel carries inherent fraud risks and fraudsters could seize this opportunity to impersonate genuine customers, harvest information
on them through AISPs and use same to open fraudulent credit accounts on their behalf. XS2A can also be an attack vector for data breaches where banks could liable to heavy fines under regulations like GDPR. Standard business rules or even existing
predictive models might not be effective against such risks. There is also concern that banks may not receive all the relevant data through TPPs (e.g.: device information, session data, etc.) and this could impact the effectiveness of existing customer profiling
tools and existing predictive models. One way to tackle address this conundrum is to use forward-looking analytical techniques such as anomaly detection. For example, deviations from the peer group pattern for an AISP can be indicative of malware/cyber-attacks
aimed at harvesting customer information. Likewise, a high value transfer to a foreign account made through a PISP can be deemed anomalous for a customer with no such history.
Secure Customer Authentication (SCA)
The first step across most online fraud schemes is to gain access to the victim’s account. Strong user authentication is a key factor in mitigating such risks of account takeover and PSD2 stipulates the mandatory use of 2-factor authentication (2FA) for
most transactions, with a few sensible exceptions. The challenge however is not so much around securing access to accounts but rather in balancing security and user experience. The optimal approach lies in adaptive authentication which monitors
all relevant risk factors (e.g.: device, channel, value, etc.) and adopts a customer-centric approach for a tailored and robust authentication mechanism.
Identity management, through user validation and verification, is equally highly relevant to secure authentication. eIDAS, an EU Regulation on digital identification for electronic transactions, provides the legal foundation individuals and businesses
to safely access services and transact in virtually ‘one click’. Many financial organisations are considering the use of this federated identity management solution to partly fulfil the SCA requirements of PSD2. Anyhow, regardless of the authentication process
used, all PSPs need to ascertain that each access request is legitimate, ideally through a fraud security layer using analytics to ‘risk-score’ authentication attempts.
There is a common misconception that PSD2 mandates the need for instant payments and as much as this will benefit consumers, it is not the case. The instant payments initiative is driven by a separate but related initiative – SCTinst (SEPA Instant Credit
Transfer) which goes live in November 2017. Countries like the Sweden, Denmark and UK already have such schemes (e.g.: Faster Payments - UK) but soon SCTinst will roll out instant payments across a whole region, making instant European cross-border payments
a reality. The processing of SEPA instant payments will be at a transaction level and they will be cleared in real-time. Instant payments require instant fraud decisions and here again, like the PSD2 TPP requests, traditional rules-based fraud solutions
may not cope with the huge volume and high velocity of incoming requests.
The payments world is at a crossroad where many technologies, regulations and market drivers interact. It’s obvious that the future is being shaped to offer a wider range of easy-to-use, mobile and flexible payment solutions, designed with consumer-centricity
in mind and challenging the rigid framework of traditional banking. Whilst this happens, all payment actors need to be wary of fraud risks. Fraudsters are constantly evolving and may use this transitional state-of-play to their advantage by exploiting potential
gaps in the payments process. Financial organisations therefore need to invest in or upgrade to a holistic fraud platform that uses a range of advanced techniques to mitigate against the early signs of fraud and derive actionable intelligence from data.
In other words, they need to adopt a proactive strategy and reduce their fraud permeability through a hybrid ecosystem using discovery analytics, security-in-layers and adaptive authentication.