The European Union’s revised Payment Services Directive (PSD2) has paved the way for a new era of Open Banking globally. As a result, it will have huge impacts on business models, security mechanisms and innovation in banking.
In my recent conversations with banks, a question that has arisen consistently is how security and innovation can go hand in hand. With PSD2, the number of third-party providers (TPPs) connecting to banks' systems will increase, raising the risk of unauthorized access to customer data or even fraudulent initiation of payments.
So banks need to increase security while still granting access to every registered TPP, and at the same time strike a balance between strong customer authentication and a frictionless user experience. What's more, both fraud prevention and innovative authentication, if done well, can be market differentiators.
Higher security standards become more vital…
Against this background, banks need to revisit several aspects of their security. Likely steps include moving to a more standardized security architecture, establishing a security gateway for pre-validation of API calls, and taking the European General Data
Protection Regulation (GDPR) into account when implementing APIs.
However, one of the most important measures is adjusting the fraud detection systems – by implementing advanced payments analytics for real-time fraud prevention for online payments initiated via PSD2 APIs. Let me explain why.
The European standards organization ETSI, with the support of Open Banking Europe (OBE), an initiative of PRETA, is currently defining the standard for eIDAS-based certificates issued by qualified trust service providers (QTSPs), reflecting the security requirements of PSD2 and of the Regulatory Technical Standards on strong customer authentication (RTS on SCA). Banks will need to manage TPP certificates and use them to identify the PSD2 role of the TPP (AISP, PISP, or card-based payment instrument issuer, CBPII) as one input to overall fraud detection.
To keep track of all registered TPPs in the EU in near real time, banks need full transparency of which TPPs are registered and licensed in each Member State, and timely updates on any change of status. Two initiatives could be leveraged here for fraud prevention: the EBA Register, a database of PISPs and AISPs across the EU that will contain no banks and not all TPPs; and a central TPP repository that OBE is developing to close the gaps in the EBA Register.
One of the challenges is that the EBA Register will not offer an API or any other machine-readable data, so banks must build their own combination of the EBA Register, the PRETA directory and data from the national competent authorities (NCAs) to keep track of TPP status.
To keep their security systems current, banks need a single consolidated overview of TPPs. Banks must also grant access to any legally registered TPP unless there is an objective reason to block it, and to detect those cases they must be able to recognize fraud committed through a misused TPP. This calls for vigilant payment analytics that identify fraud in real time, using pattern recognition and anomaly detection on payment behavior and drawing on additional risk-related data (device information, GPS data, merchant information and so on) on top of the risk-based factors listed in Article 2 of the latest RTS for transaction monitoring.
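To make the transaction-monitoring requirement concrete, here is an added Python example (written for this page, not the article's own and not any bank's production logic) that scores each payment initiated through a PSD2 API against a per-customer profile. It combines known-fraud-scenario rules (a device on a compromised-element list, a burst of attempts in a short window) with anomaly detection on the customer's own history (an amount far outside the usual distribution, a new device, an unusual country, a new payee) and maps the score to allow, step-up SCA or block. The weights, thresholds, compromised-device list, customer history and payment stream are all constructed for the demonstration, and the mapping of the rules onto the RTS Article 2 factors is my assumption.

```python
"""Real-time transaction monitoring for payments initiated through PSD2 APIs:
rule-based fraud scenarios plus per-customer anomaly detection. Added example,
not from the article; weights, thresholds and all data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass
class Payment:
    customer: str
    amount: float
    payee: str
    device_id: str
    country: str
    tpp: str       # organizationIdentifier of the initiating PISP
    ts: datetime

@dataclass
class CustomerProfile:
    amounts: list           # historical amounts of genuine payments
    devices: set
    countries: set
    payees: set
    recent: list = field(default_factory=list)  # timestamps of recent attempts

# Assumed lists and limits a bank would maintain (RTS Art. 2 factors: compromised
# elements, transaction amount, known fraud scenarios, device usage log)
COMPROMISED_DEVICES = {"dev-stolen-01"}
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3
STEP_UP_AT, BLOCK_AT = 40, 80

def score_payment(p: Payment, prof: CustomerProfile):
    """Return (score, decision, reasons). 'allow' may qualify for an SCA
    exemption, 'step-up' forces SCA, 'block' rejects and raises an alert."""
    score, reasons = 0, []
    if p.device_id in COMPROMISED_DEVICES:
        score += 100; reasons.append("device on compromised list")
    mu, sd = mean(prof.amounts), pstdev(prof.amounts) or 1.0
    z = (p.amount - mu) / sd
    if z > 3:
        score += 40; reasons.append(f"amount {p.amount} is {z:.1f} sd above usual")
    if p.device_id not in prof.devices:
        score += 20; reasons.append("new device")
    if p.country not in prof.countries:
        score += 20; reasons.append("unusual country")
    if p.payee not in prof.payees and p.amount > mu:
        score += 15; reasons.append("new payee with above-average amount")
    attempts = [t for t in prof.recent if timedelta(0) <= p.ts - t <= VELOCITY_WINDOW]
    if len(attempts) >= VELOCITY_LIMIT:
        score += 40; reasons.append(f"{len(attempts)} attempts in {VELOCITY_WINDOW}")
    decision = "block" if score >= BLOCK_AT else "step-up" if score >= STEP_UP_AT else "allow"
    return score, decision, reasons

def monitor(payments, profile):
    """Score a stream in order; every attempt counts for velocity, but the
    amount baseline only learns from payments that were allowed."""
    results = []
    for p in payments:
        result = score_payment(p, profile)
        results.append(result)
        profile.recent.append(p.ts)
        if result[1] == "allow":
            profile.amounts.append(p.amount)
    return results

BASE = datetime(2018, 9, 14, 9, 0)

def sample_profile():
    """Constructed history for one customer (fresh copy on every call)."""
    return CustomerProfile(amounts=[20, 35, 50, 25, 40], devices={"dev-home"},
                           countries={"DE"}, payees={"energy-co", "rent-llc"},
                           recent=[BASE - timedelta(minutes=30), BASE - timedelta(minutes=20)])

SAMPLE_PAYMENTS = [  # constructed stream of four attempts from one fictitious PISP
    Payment("alice", 45, "energy-co", "dev-home", "DE", "PSDDE-BAFIN-123456", BASE),
    Payment("alice", 900, "crypto-xchg", "dev-new", "DE", "PSDDE-BAFIN-123456", BASE + timedelta(minutes=1)),
    Payment("alice", 30, "energy-co", "dev-stolen-01", "DE", "PSDDE-BAFIN-123456", BASE + timedelta(minutes=2)),
    Payment("alice", 30, "energy-co", "dev-home", "DE", "PSDDE-BAFIN-123456", BASE + timedelta(minutes=3)),
]

def run_demo():
    return monitor(SAMPLE_PAYMENTS, sample_profile())
```

Every attempt, allowed or not, feeds the velocity counter, but only allowed payments update the amount baseline; otherwise the 900 payment that triggered step-up would drag the customer's mean upwards and mask the next outlier. The fourth payment shows why velocity is scored on attempts rather than on successes: on its own it looks entirely normal, and only the three preceding attempts inside the window push it to step-up.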
…and a new opportunity for biometrics innovation evolves
A further consideration is that the higher security requirements defined in the PSD2 RTS on SCA could add friction to the customer's payment experience. Since PSD2 increases competition in payments, banks could turn innovative security into a market differentiator. The RTS on SCA accepts "inherence" (something the user is) as one of the three authentication elements, alongside knowledge and possession, which paves the way for innovation in biometrics.
A robust biometric authentication method should combine physiological biometrics such as fingerprint, face, voice or iris with behavioral biometrics such as keystroke patterns or the motion signature captured by the gyroscope and accelerometer. Beyond this core requirement, however, there is a lot of misunderstanding about what biometrics should look like in the PSD2 world.
In my view, there are four key principles that banks should apply in building PSD2 RTS-compliant biometric security methods:
- Biometrics should be designed so that the underlying biometric data cannot be replicated or reused: a captured sample must not be replayable as a fresh authentication.
- Validation of biometric data should be performed at the bank, not on the device.
- The bank should not store raw biometric data; instead it should hold profile models (trained with deep learning) and match the data collected on the device against them.
- The method must also be usable by TPPs via a dedicated bank interface (an omni-channel approach).
PSD2 offers great scope for innovation in security. And some of the best opportunities are around biometrics – where banks can choose from many PSD2-compliant methods to help safeguard customer data and funds more effectively against fraud.