PSD2: A New Age of Open Banking, Innovation and Competition
PSD2 is part of a long-term regulatory vision to drive competition, innovation and transparency across the European payments market, while enhancing the security of digital payments and account access.
PSD2 mandates that banks open their payment account data to third parties through APIs, thereby enabling new payment services from Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) and fundamentally restructuring the payments landscape.
The directive heralds a new authentication ecosystem, leaning heavily on Strong Customer Authentication (SCA) for many transactions, but also allowing Risk-Based Authentication (RBA) depending on the transaction type and risk level.
A Straightforward Solution to a New Banking Landscape
Accurate authentication in the context of PSD2 relies on a holistic view of an end user’s digital identity, encompassing dynamic information from all digital interactions. The ThreatMetrix Digital Identity Network collects and processes global shared intelligence from millions of daily consumer interactions including logins, payments and new account applications.
Using this information, ThreatMetrix creates a unique digital identity for each user by analyzing the myriad connections between devices, locations and anonymized personal information.
Digital Identity Intelligence empowers financial institutions to define patterns of trusted behavior that can be used to analyze the risk of future transactions.
The Dynamic Decision Platform enables businesses to leverage shared intelligence from The Network to make real-time digital decisions. This is facilitated via an integration Hub to invoke integrated and third party step-up services.
The breadth of the ThreatMetrix platform therefore provides the following complete solution for PSD2:
- Strong Customer Authentication (SCA): ThreatMetrix is extending its core technology platform to provide a Strong Authentication Framework in which the customer’s mobile device becomes the authenticator and the ThreatMetrix SDK becomes the enabler. This will support:
  - Strong Device ID: a PKI certificate bound to the device gives a cryptographic way to assert that the device in question is the same device that was originally registered.
  - Push Notification: a cryptographically backed step-up to a mobile device that allows a yes/no answer. This is similar to a two-way SMS challenge flow but leverages the iOS and Android secure notification services (e.g. APNs), with messages that are customizable based on use case and the customer’s preference.
  - Extended Biometric Step-Up: a cryptographically backed step-up to a mobile device that requires use of an on-device user authenticator (fingerprint, facial recognition, voice, PIN, etc.). The key difference from the previous flow is that it requires the user to enroll a biometric or PIN. This brings administrative complexities, such as processes for revocation and lost devices, as well as the burden of managing and maintaining fragmented handset/OS implementations of biometrics.
- Risk-Based Authentication (RBA): the allowance for RBA (or a combination of SCA and RBA) in the Regulatory Technical Standards (RTS) for certain transactions supports the industry’s long-term drive to preserve frictionless payment transactions.
  - The European Banking Authority (EBA) has stated that previous spending patterns, transaction history and location can be used to identify high-risk anomalies in a payment request. This aligns with the way ThreatMetrix evaluates the validity of a user’s digital identity by combining intelligence related to device, location, identity and threats.
  - This enables companies to evaluate real-time risk factors in the context of past user behavior to make accurate risk decisions, and to accept, reject or review (step up) a transaction as necessary.
  - The ThreatMetrix Dynamic Decision Platform enables global businesses to achieve a balance between security and convenience across customer touch points. As well as operationalizing crowdsourced intelligence from the ThreatMetrix Digital Identity Network, businesses can use the decision platform to apply risk detection to new API and consumer consent flows.
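As an added illustration (not ThreatMetrix code), the Go sketch below ties the two bullets above together: an RBA assessment that accepts, steps up or rejects a PISP-initiated payment against the user's past behaviour, followed by a device-bound step-up in which the registered device signs the exact payment details with an Ed25519 key, used here as an assumed stand-in for the PKI device certificate. The field names, thresholds, the canonical payload format and the sample values are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Payment is a PISP-initiated request the bank must authorise (amount in cents).
type Payment struct {
	User, DeviceID, Country string
	Amount                  int
}
// Profile is trusted behaviour learned from past activity; device keys stand in for certificates.
type Profile struct {
	AvgAmount, MaxAmount int             // typical spend and hard authorisation ceiling (assumed)
	Countries            map[string]bool // countries seen in transaction history
	Devices              map[string]ed25519.PublicKey
}
// RegisterDevice enrolls a device key pair; the private key stays on the handset.
func RegisterDevice(p *Profile, deviceID string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	p.Devices[deviceID] = pub
	return priv
}
// Assess is the RBA step: accept low-risk payments, step up anomalies (unknown
// device, new country, unusual amount) and reject anything over the ceiling.
func Assess(p Profile, tx Payment) string {
	if tx.Amount > p.MaxAmount {
		return "reject"
	}
	_, known := p.Devices[tx.DeviceID]
	if !known || !p.Countries[tx.Country] || tx.Amount > 3*p.AvgAmount {
		return "step-up"
	}
	return "accept"
}
// payload binds the signature to the exact payment (assumed canonical format).
func payload(tx Payment) []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d", tx.User, tx.DeviceID, tx.Country, tx.Amount))
}
// SignStepUp runs on the device after push approval; VerifyStepUp proves it is the registered device.
func SignStepUp(priv ed25519.PrivateKey, tx Payment) []byte { return ed25519.Sign(priv, payload(tx)) }
func VerifyStepUp(p Profile, tx Payment, sig []byte) bool {
	pub, ok := p.Devices[tx.DeviceID]
	return ok && ed25519.Verify(pub, payload(tx), sig)
}
```

Because the signature covers the amount and payee details, a step-up approval captured for one payment cannot be replayed for a different one, and an unregistered device cannot produce an acceptable signature at all.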
ThreatMetrix Will Deliver New APIs to Match PSD2 User Journeys:
- Register/Deregister Device
- Authentication Preferences
- User Consent Request
- Authorization parameters, e.g. threshold amount for payment initiation, max number of payments per day etc.
The ThreatMetrix Advantage
The ThreatMetrix solution for PSD2 enables financial institutions to create APIs for PISPs and AISPs while maintaining their existing authentication and customer validation processes. This supports innovation from internal initiatives and through external partners while prioritizing customer experience and lifetime value.
- Minimally invasive, strong authentication solution that is almost entirely turnkey for financial institutions.
- Simple deployment of Strong Customer Authentication (SCA): No additional integration effort.
- Policy-driven use of SCA:
  - Automated remediation of risky transactions to reduce fraud, friction and operational costs.
  - Includes checks for compromised authentication elements, transaction amounts, known fraud scenarios and behavioral anomalies, signs of malware infection, etc.
  - Opportunity for evolution as regulation, attacks and technologies change.
- Support for multiple SCA methods:
  - Multiple SCA methods can be supported via the Dynamic Decision Platform, ThreatMetrix Mobile SDK and Carrier ID functionality.
  - Ability to add native OS support: fingerprint, message, PIN, notification.
  - Framework to allow the incorporation of other SCA methods over time.
- User/Device Lifecycle Management (Register/De-register Device).