Blog article
See all stories »

PSD2 and two-factor authentication: a double security challenge for banks

September 14, 2019 is rapidly approaching, and with it the full mandate of PSD2: open banking will continue to make inroads into the financial fabric of society. While the full realisation of this concept provides opportunity to innovators, it also represents a unique privacy challenge.

An Opportunity for Innovation

Opening up a stolid market by allowing consumers to migrate their accounts and financial information between institutions provides a unique opportunity for new ideas and solutions to thrive. Organisations which have invested well in new platforms and have been quick to adapt to technological change can capitalise on an unusual combination of new solutions provided by a trusted institution. No longer are banks restricted to simple accounting; now they can more actively manage the full spectrum of wealth for their constituents. But with that opportunity comes an inherent challenge — how can financial organisations capitalise on this moment without presenting unnecessary risk to their clients?

A Challenge for Consumer Privacy

Historically, financial institutions have long had stringent requirements for the protections of customer data. (Unlike the recent raft of social media companies which have come under public scrutiny, their business model does not rely on selling customer data.) With the advent of PSD2 and open banking, however, these long-held views require more consideration.

At its core, open banking seeks to provide freedom for customers to migrate between financial offerings. In the past, they might have felt locked-in to a particular institution, forced through historical inertia to remain with their bank or investment firm due to the high cost of switching. Through mandates that affect implementation details such as APIs, strong authentication of the consumer, and overall security, consumers are empowered to choose the best offering for them rather than merely maintaining the status quo.

The implications of these changes should give pause to organisations who understand them. They signify a potential increase in both the quantity and quality of personal data that must be stewarded. Institutions that play a role in any significant transactions must now be able to verify individuals through biometric markers and other sensitive data. This level of information requires significantly more protection than mere personally identifiable information: it lies at the core of consumers’ identity.  

Despite this increased responsibility, these changes are welcome because they enable consumer ownership of finance through choice and consent. But choice and consent are not as easy to come by as they might seem. Ironically, even while strong authentication protects the consumer, it also necessitates the collection of ever-more-sensitive data), and the privacy challenges mount.

Granting the ability to protect personal data, financial information, and biometric markers are only as effective as the level of understanding of the consumer, as depicted by the recent narrative surrounding FaceApp. Users happily traded rights to their own portraits in exchange for a vision of what their visage might look like in the future. A quick glance at the actual privacy terms reveals that they were likely uneducated as to what exchange they were actually making. Users were granting FaceApp

“ . . . a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you . . .”

 . . . a remarkable exchange for a whimsical glimpse of a possible visage to come.

This incident highlights the privacy challenge behind open banking and a well-rounded implementation of PSD2: not merely protecting users’ data — which is increased through the need for strong authentication ­­— but also ensuring that end users comprehend the implications of their choices. So the privacy challenge that lies ahead is twofold: it is both technological, requiring responsible protection of sensitive data, and sociological, learning lessons about education and consent from other initiatives such as the GDPR in order to clearly empower consumers to make good choices.

As open banking becomes normative with regulations such as PSD2 coming into full effect, organisations will do well to embrace the opportunity to expand their market reach while still proving themselves worthy of consumer trust by thoughtfully providing protections for the end consumer — in ways that are easily understood and that promote good choices.



Comments: (1)

Ambrish Parmar
Blog group founder
Ambrish Parmar - Thought leader and Start-up Advisor - London 28 July, 2019, 11:17Be the first to give this comment the thumbs up 0 likes

Hi Mike.

Thank you for posting. The tension between openess, immediacy of product and service offering and security will persist and will need to evolve constantly. Please continue your contributions. Ambrish - group founder


Mike Kiser

Mike Kiser

Senior Identity Strategist


Member since

25 Jan 2019


Austin, Texas

Blog posts




This post is from a series of posts in the group:

Banking Strategy, Digital and Transformation

Latest thinking in respect to Banking Strategy, Digital and Transformation. Harnessing our collective wisdom to make banking better. Ambrish Parmar

See all

Now hiring