PSD2 and The Open Banking Revolution: An Age of Innovation

Posted February 28, 2017

Part Two of a Three Part Series

It was Bill Gates who once famously declared, “Banking is essential. Banks are not.”

While his words may ring more true now than they did in 1994 when he uttered them, we’re far from a world without banks.

Quite the reverse, actually. Because while banks are going through immense changes, banks will prove central to the success of PSD2 and other regulatory mandates designed to empower consumers and unleash innovation throughout the financial services industry.

The far more urgent questions: What kind of innovation are we talking about? And how will fraud prevention be factored in to keep consumers and businesses safe?

Fuel for the Fire

Without a doubt, digital transactions have had a huge impact on the evolution of the emerging FinTech industry, as niche offerings have emerged to fill in gaps left by larger financial institutions.

Services for the non- and the under-banked, on-demand insurance policies, crowdfunded loans and global online remittance come immediately to mind.

FinTech players have been able to rapidly innovate these kinds of offerings for a number of important reasons—most notably a lack of legacy backend systems to contend with, fewer regulations and a lot less scrutiny.

Meanwhile, whether through inertia, disinterest or concerns over the investments required to enter unproven markets, many large financial institutions have tended to stick with the tried, true and profitable.

Open standards such as the EU’s revised payment service directive, the aforementioned PSD2, scramble this picture significantly.

As discussed in Part One of this series, banks must now begin modernizing their systems to prevent the harrowing level of breaches and fraud we’ve all witnessed in recent years.

For the first time ever, they must also open up those systems and securely share their own customer payment account data with third parties through standardized, open APIs.

Understandably, some see all this as a threat—banks will now be forced to compete for a sizable chunk of their current retail banking revenues, for instance.

But many financial institutions are awakening to the fact that these regulations also create new opportunities for all players, including themselves, to innovate faster, thrive on disruption and create all-new revenue streams.

Embracing the Future

While the PSD2 directive has just been finalized, many businesses are in “watch and wait” mode. Others are already going full throttle.

Barclays, Lloyds, Santander, HSBC, Royal Bank of Scotland and other banks have all put up money to fund The Open Up Challenge, a new contest designed to encourage FinTechs to use open banking APIs to develop new apps for small businesses. They’re even pooling anonymized banking transaction data sets to test ideas using real data.

“Open banking is potentially revolutionary for how banking looks and feels and works,” Chris Gorst of Nesta, the organization behind the challenge, tells Wired.

Meanwhile, Ulster Bank is actively working with Microsoft, HP, Nile and others to combine banking and non-banking APIs to explore new possibilities.

Indeed, in speaking with executives across leading European and global financial institutions, retailers, payment providers, FinTechs and others, we see the opportunity for some astonishing developments spanning new and incumbent stakeholders, including:

  • New FinTech providers: Partnering with banks, emerging providers such as Wealthify, Momento, and others can help develop exciting new customer experiences and provide transparency on performance and cost structures
  • Consolidated ‘super banks’: Just as aggregators have transformed other industries, look for third party portals to enable customers to view all of their accounts at once and make payments with little interaction between the underlying financial institutions
  • Account Service Providers (AISP): Soon, consumers will be able to shop for the best loans, savings accounts, and mortgages, generating quotes leveraging real-time data on their financial status using solutions from provider Wealth Wizards and others
  • Risk Decisioning: The emergence of new risk-based solution providers will leverage real-time transaction data to enable financial institutions to make better risk decisions with minimal friction to the end user
  • New Authentication Methods: These directives require more authentication touch points, which could likely increase user friction if not done correctly; watch for new providers to emerge to neutralize that friction, even while increasing security
  • New payment models: No card, no problem—new technologies from the likes of GAFA (Google, Apple, Facebook and Amazon), PayPal and others (including VISA) will help merchants of all kinds move beyond purely card- and cash-based payments

These are just some of the lowest-hanging fruit. And yet, you can see how security factors prominently. Make no mistake: There are some very good reasons for that.

Unintended Consequences?

While final guidelines for PSD2 and other mandates play out, at ThreatMetrix we recommend that the following considerations be taken into account when assessing the security requirements throughout any emerging payment ecosystem:

  • Financial institutions: As portals, and eventually aggregators, begin sharing financial services offerings from multiple institutions with consumers, their entire value proposition will be predicated on seamless bank- and service-switching processes. Cybercriminals gaining access to existing accounts or creating fraudulent new ones could wreak havoc in such an on-demand environment if proper authentication is not baked into the DNA of every protocol.
  • Networks: Any new payment schemes governing payment initiation service providers (or PISPs) will need to be carefully crafted. Existing payment infrastructures are based on years of heavy investment, with specific operating regulations, settlement protocols, liability measures and pricing structures mutually agreed upon by innumerable parties. Many of the risks associated with a wholesale migration to a new schema can be mitigated by the use of risk-based authentication that preserves the balance between security and convenience.
  • Retailers: With all the investment retailers have made in backend processes for one-click payments, it is critical that final directives include provisions for risk-based payments, so retailers can maintain friction-free customer experiences while securing all one-off and recurring transactions.

As for new, non-card based payment methods: They will only be embraced by consumers and businesses if they are easier to use and offer more convenience than existing models—with just as much, if not heightened, security.

Point of No Return

As EU countries and payments institutions race to reach compliance with PSD2 by January 2018, there is little doubt these and other directives will collectively act as a driving force behind transformative new platforms, ecosystems and business models.

It will be critical for established financial institutions and indeed all players both large and small to decide how to take advantage of the opportunities—or risk being left behind.

But to be successful, the components required to secure this bold new world of financial services must be firmly in place. And that’s our focus for the upcoming conclusion of this three-part series.

For an exclusive white paper on the open banking mandates and solutions for navigating the fraud prevention measures needed to secure it, click here.

ThreatMetrix Team
