PSD2 and the Open Banking Revolution: Fraud Prevention in the Bold New World of Financial Services
Posted February 21, 2017
Part One of a Three Part Series
It’s no secret that the open banking revolution is gearing up to fundamentally transform the financial services industry and unleash an amazing new era of innovation.
But for all its promise, success will ultimately be predicated upon one critical element: Fraud prevention.
Race to Tomorrow
Over the last decade, a growing number of transactions have moved to an ever-expanding array of connected digital devices, channels, networks and platforms.
Consumers who once looked askance at ATMs now routinely and cavalierly check balances, transfer funds, and make purchases of everything from their morning lattes, to airline tickets, to real estate and more—on-demand and on the fly.
Along the way, expectations for personalized, real-time experiences have done more than just fuel the launch of all new payment services. They’ve given rise to a nascent FinTech sector and breakthrough technologies—from blockchain, to mobile authentication, to the Internet of Things (IoT) and more.
Yet amid these seismic changes, many established institutions continue to rely on legacy systems, despite massive investments in digitization. As a result, they can leave themselves and their customers open to devastating hacks and vulnerabilities. Just ask Tesco Bank and the Central Bank of Bangladesh.
Beyond the damage done to customer trust, countless breaches and fraud have spurred increased regulatory scrutiny, costly fines, and the emergence of a whole new set of open banking protocols—including the UK’s Open Banking Standards and the EU’s revised Payment Services Directive (PSD2).
Eyes Wide Open
PSD2 establishes new requirements designed to boost security, encourage innovation, increase transparency, foster competition and empower banking customers like never before.
With PSD2, banks aren’t just required to modernize their systems. For the first time ever, they must open those systems up and securely share their customers’ payment account data with third parties through standardized, open APIs.
In the process, this shared data will forever change the way consumers and businesses save, borrow, lend and spend their money.
Where once inertia informed the old adage that you’d change your spouse before you change your bank, consumers will now be able to access all their accounts through a single interface, on any device. New applications and resources will offer up the best mortgages, insurance policies and other banking options based on a real-time picture of customers’ financial states. We’ll explore this element further in part two of this series.
Still, as the Financial Times reports, some fear open protocols may increase the chances customers’ financial data will be stolen by fraudsters and organized crime rings. After all, what could go wrong?
“Clients will be told, ‘Come to me, you can do more things for free,’” one bank CEO tells the Times, citing concerns about sharing customer bank data with third party providers.
“Fraud is rising,” he explains. “And as this increases, the desire of people to give their banking password to just anybody will fall quite quickly.”
Perhaps. But while PSD2 will indeed accelerate the speed of disruption, it does so with security in mind.
Transparency Meets Security
New APIs that leverage shared data must perform Strong Customer Authentication (SCA) for account access and payment authorization. For example:
- PSD2 requires banks to enable customers to actively connect third party services to their bank accounts
- Customers must be notified of transaction details and payment charges, and actively consent to them before they are initiated
- Any changes to the amount or details of a transaction require new notification and consent
- Consumer liability for non-authorized transactions is limited to EUR 50, unless gross negligence or fraud can be proven by the bank
- Similar opt-in authority would be available for consumers to enable account information service providers to provide aggregated offerings that enable them to make informed financial decisions and better manage their finances online
Theoretically, these and other mandates will serve to obliterate after-the-fact fraud detection. But that’s only if authentication prevents fraudulent account takeovers and fraudulent account creation.
Today, those same data breaches at banks and so many other institutions have led to over 6 billion credentials and identities being stolen, sold, used and manipulated by fraudsters and organized crime syndicates to bypass the protections on which secure payment regimes must rely.
To meet the challenge, emerging authentication solutions based on “digital identity intelligence” use advanced analytics, and leverage anonymized, shared global data on all users, their devices, behaviors, transactions and associations to detect and prevent fraud in real time.
Through such systems, friction can be reduced for legitimate users, even while fighting the scourge of fraud.
New Day Dawning
The regulatory technical standards for the directive are still in final development, following a wealth of feedback from the industry—especially banks. For them, not only do open standards require increases in IT spending, but by some estimates, they stand to lose a sizable chunk of retail payment revenues.
Finding their hegemony endangered, banks will see all-new players, applications and ecosystems bloom and prosper.
But they’ll also have the tools needed to enhance their own offerings and roll out new ones, so they can survive and thrive in a shifting competitive landscape.
“This is the best thing to happen to banks since the Internet,” says Steve Kirsch, CEO of banking technology firm Token. According to Kirsch, “[Banks] are starting their efforts now and planning to leverage open banking rather than just treat PSD2 as a ‘compliance checkbox.’”
Indeed, by shaking up a once-staid industry, perhaps the Open Banking revolution will succeed in prompting institutions throughout the sector to re-examine, renew and enhance their relationships with customers in bold new ways.
Few would argue that’s a bad transaction at all.