PSD2: As Deadline Looms, Focus Shifts to Consumers

Posted September 7, 2017

Much has been made about the effect the upcoming PSD2 regulations will have on businesses in the European financial services industry. But sometimes lost in all of the discussion is just how this modernization will ultimately affect consumers.

PSD2, of course, is a set of regulatory mandates that will transform the way European banks, credit unions and retailers do business. For the first time ever, banks will be required to modernize their systems, open up their payment account data to third parties—FinTechs, retailers and other companies—and authenticate all account access and payment authorizations.

The end result will be a whole new era of innovative services designed to empower consumers. For instance, new services from banks and FinTechs might soon link all of your bank, credit card and investment accounts into a single interface to give you full visibility and control over your finances.

Some businesses might send you the best possible rate on a car loan, or alert you when you’re spending too much. Others might remind you to put money toward that big vacation you’ve got planned.

However, the availability of new innovative services isn’t what’s top of mind for many consumers.

With the most sweeping changes to banking ever implemented just months away, 89 percent of consumers in the EU say they have “no idea what’s going to happen” when PSD2 goes into effect. And 66 percent fear all this data sharing with third parties could quickly compromise security.

Risky Business

While these fears are understandable, in truth, PSD2 is designed to ensure that data is better protected than ever before.

Beyond a few exemptions, PSD2 stipulates consumers must now give consent for services to be granted access to their payment data. And they must manually authorize most transactions over €50, or more than €100 over 5 consecutive payments, through strong customer authentication (SCA).

At a minimum, the directive’s Regulatory Technical Standards (RTS) require two-factor authentication (2FA) that includes a one-time, short-term code or biometric confirmation, so long as certain device-level requirements are met. Less risky transactions can be handled using risk-based authentication (RBA).

While getting customer approval through such mechanisms as biometrics is a step forward, the difficulty for organizations is knowing whether the customer triggering authentication is really who they claim to be. What happens if you’re simply authenticating a fraudster who has set up an account using a stolen or synthetic ID?

Double Trouble

This is far more than an academic question. Europe continues to grapple with its role as the global hotbed for cybercrime growth. From April through June, Europe suffered 70 percent more attacks than all of North America, according to the Q2 Cybercrime Report.

Transactions facilitated through mobile are up 40 percent year over year, and nearly 20 percent in just one quarter. Indeed, consumers are increasingly using their mobile devices to set up new accounts and manage their financial lives.

All of which creates favorable conditions for rolling out PSD2. But it also makes an especially inviting climate for fraudsters.

New account creation fraud is up nearly 30 percent in just 90 days. In fact, nearly 10 percent of all new account creations are now fraudulent, driven by the increased availability and low cost of stolen identities set loose by corporate data breaches.

Fraudsters buy and trade this stolen identity data to create near-perfect identities with which to take over existing accounts or create fraudulent new ones to take out loans, drain bank accounts, or go on shopping sprees. FinTech providers in particular are prone to attack, as fraudsters target vulnerabilities in their emerging platforms or business models.

While 2FA certainly adds a layer of security, cybercriminals have ways to bypass it and log in before the victim does, or hijack active sessions remotely. Even advanced biometrics aren’t immune from these tactics, or from weak encryption and certain kinds of malware. With transaction data flowing more openly between more parties, things could in fact get very ugly, very fast.

To help mitigate the threat, PSD2 stipulates that systems must be in place to monitor users’ previous spending patterns, transaction histories and locations to identify any anomalies in payment requests that may signal fraud.
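As an added illustration (not ThreatMetrix’s own code), the following Python models the SCA thresholds stated earlier under Risky Business (€50 per payment, €100 summed over 5 consecutive payments) and layers a simplified RBA anomaly score, built from the account’s own device, location and spending history, over payments that fall below those thresholds, as the monitoring requirement above describes. The `Payment` and `Account` types, the score weights and the escalation score of 4 are assumptions; the window reading of "over 5 consecutive payments" is one interpretation of the post’s wording.

```python
from dataclasses import dataclass, field
from statistics import mean

# Thresholds exactly as the post states them (assumption: modelled literally)
PER_PAYMENT_LIMIT = 50.0      # euros; above this, SCA is always required
WINDOW_LIMIT = 100.0          # euros, summed over the window below
WINDOW_SIZE = 5               # consecutive payments considered for the sum
RBA_SCA_SCORE = 4             # hypothetical score at which RBA escalates to SCA

@dataclass
class Payment:
    amount: float
    country: str
    device_id: str

@dataclass
class Account:
    history: list = field(default_factory=list)    # all past approved payments
    since_sca: list = field(default_factory=list)  # amounts approved without SCA

def sca_required(acct: Account, p: Payment) -> bool:
    """True when the post's thresholds force strong customer authentication."""
    if p.amount > PER_PAYMENT_LIMIT:
        return True
    recent = acct.since_sca[-(WINDOW_SIZE - 1):]  # earlier payments in the window
    return sum(recent) + p.amount > WINDOW_LIMIT

def risk_score(acct: Account, p: Payment) -> int:
    """Simplified RBA: compare the request against the account's own history."""
    score = 0
    if p.device_id not in {h.device_id for h in acct.history}:
        score += 2                                  # never seen this device
    if p.country not in {h.country for h in acct.history}:
        score += 3                                  # never seen this location
    if acct.history and p.amount > 3 * mean(h.amount for h in acct.history):
        score += 2                                  # far above usual spend
    return score

def decide(acct: Account, p: Payment) -> str:
    """Return 'SCA' or 'RBA' and update the account as if the payment went through."""
    if sca_required(acct, p) or risk_score(acct, p) >= RBA_SCA_SCORE:
        acct.since_sca = []                         # SCA resets the exemption window
        decision = "SCA"
    else:
        acct.since_sca.append(p.amount)
        decision = "RBA"
    acct.history.append(p)
    return decision
```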

But it’s going to take a whole lot more than that.

Trust or Bust

As of late August, the final RTS on SCA and RBA is running into roadblocks that may push out its compliance deadline.

But, given the general direction of the standards and today’s rampant fraud levels, a growing number of financial institutions are gravitating toward digital identity-based authentication systems that can ensure invulnerable fraud protection, in either modality, in the here and now.

Instead of verifying identity based solely on login credentials or biometric signatures that can be hijacked, stolen or falsified, these systems analyze hundreds of dynamic data elements that are impervious to fraud.

They then compare this data to anonymous global threat intelligence to evaluate the ever-changing associations between users and their devices, locations, accounts, behavior, and the presence of any device-level threats, and assess risk in real time.

Legitimate users are recognized instantly, while cybercriminals are blocked from ever setting up fraudulent new accounts, or from logging into existing ones—even if they’re using legitimate identity credentials.

One major international bank that has deployed such systems reports it has dramatically cut losses from fraud even while reducing user friction.

The Pressure’s On

To comply with the PSD2 mandates, and to put to rest consumer fears about data security, financial industry players in the EU need to adopt a holistic approach that utilizes end-to-end RBA and SCA for a complete PSD2 solution. For more guidance, check out this exclusive white paper on implementing the directive’s provisions for strong customer authentication.

With the January 13, 2018 adoption date fast approaching, the time to act is now.

Register now for the upcoming webinar, ‘The Long-Term Impact of PSD2 & How to Select a Strategic Partner’ on Thursday, September 21 at noon Pacific Time.

ThreatMetrix Team