With more and more transactions moving to connected devices, customer behavior has fundamentally changed. There is an expectation of real-time, customized and streamlined experiences across locations, devices, channels and properties. The growth of online transactions has democratized commerce, giving rise to competition from established and emerging players looking to deliver new solutions, either directly or through partnerships.
New technologies, like Blockchain, mobile authentication and the ‘Internet of Things’ (IoT), are creating new ways to pay, with a digitized end-to-end value chain. The growth of digital banking and FinTech providers has also brought additional scrutiny from regulators who are aiming to increase competition and encourage innovation whilst maintaining or enhancing security.
Amid the rapidly evolving digital commerce space, many financial institutions still run legacy infrastructure, despite massive investments in digital transformation. Such infrastructures can expose banks to increased risk from hacks and vulnerabilities, which have in turn increased regulatory fines and scrutiny.
The revised Payment Services Directive (PSD2) requires financial institutions to make changes to their platforms and systems (and sometimes to build a new digital channel from scratch), while making strategic decisions on how they want to play going forward. These changes will require significant investment as well as a strategic shift, as banks are forced to consider how they can safely open up their banking platforms to external third parties. While this may negatively impact the revenue of large banks, it also has the potential to level the playing field for smaller FinTechs and new product innovations.
The regulatory technical standards (RTS) for PSD2 are in final development, following a wealth of feedback and comments from the industry on the draft version. These specifications will have major implications for businesses in the EU and across the globe (Regulatory Technical Standards on strong customer authentication and secure communication under PSD2).
Digital Consumers
- Consumers expect a consistent, frictionless experience across channels, locations and payment methods
- Personalized payment experience, based on preference
New Competitors
- Traditional financial institutions are building, buying or partnering to increase their digital footprint
- Growth of FinTech
New Regulations
- Revised Payment Services Directive (PSD2)
- Interchange regulation, SEPA, eIDAS, eMoney and European Instant Payments initiatives
New Technology
- Growth of mobile as well as big data-driven technology
- Evolution of the space driven by Blockchain and IoT
- Drive to open banking through API-based infrastructure
Introduction to PSD2, the EU’s Revised Payment Services Directive
PSD2, the revised Payment Services Directive legislation, builds on the original PSD to provide the trust and openness necessary to restructure the payments landscape, in a truly agile way. PSD2 is part of a long-term ambition of the regulator to drive competition, innovation and transparency across the European payments market, while enhancing the security of digital payments and account access.
PSD2 will further accelerate the speed of disruption by mandating that banks open their payment account data to third parties through APIs and that they perform Strong Customer Authentication (SCA) for account access and payment authorization. This will enable new forms of payment providers as well as creating new transaction opportunities. The core impetus of this directive is the requirement for financial institutions to grant third-party providers (TPPs) secure access via APIs to a customer’s account information and to initiate online payments for that customer, on condition that the customer provides consent. TPPs also have to be licensed payment institutions under PSD2 to be allowed to offer payment services.
Key features of the directive include:
- Openness: PSD2 access to accounts (XS2A) mandates banks to enable customers to connect third-party services to their accounts.
- Transparency: PSD2 mandates that customers are notified of transaction details and payment charges, before they consent to a transaction.
- Trust: Any change to the amount or details of a transaction requires new notification and consent. PSD2 dynamic linking mandates that the authentication must be uniquely linked to a particular transaction (its amount and payee). If the amount changes, authentication has to be re-applied.
- Security: PSD2 defines strong authentication and requires it for payment transactions and account access.
- Privacy: PSD2 specifically addresses the protection of personalized security credentials.
- Consumer protection: Consumer liability for non-authorized transactions is limited to EUR 50 unless gross negligence or fraud can be proven by the bank.
How will this affect the market?
PSD2 will enable new payment services provided by Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).
- Third-party payment initiation: These providers would be able to initiate a payment to a merchant or other recipient directly from the payer’s bank account. The payer would be required to provide their consent. Many existing and new providers will look to deliver this capability.
- Account information service providers: These would be able to access a customer’s account details and transaction history. This will empower end users to make (or be advised to make) financial decisions based on aggregated information services and subsequently better manage their finances online.
Financial institutions face an interesting juncture: do they choose to simply comply with the directive by providing open API access for payment services, or do they use this opportunity to innovate products and services, grow the customer base and build an ecosystem of key partners? At the same time, it is clear that the SCA requirements will make these institutions re-examine their interactions with account holders and customers.
Potential Impact on Innovation
Digital transactions have had a huge impact on the evolution of the FinTech industry, as niche products and services have emerged to fill the gaps left by larger financial institutions. These include, for example, services for the unbanked and underbanked, instant insurance, crowdfunded loans and global online remittance. FinTech operations have been able to innovate rapidly for a number of reasons: a lack of legacy back-end systems, lighter regulation and less online scrutiny, for example. On the other hand, large financial institutions have unwittingly become the enablers, with minimal benefit. However, the changing banking regulations are set to create more opportunities as both financial institutions and new providers compete to drive smarter revenue from payments.
The past decade has marked an exponential growth in the use of APIs as the key enabler for business services and digital products. Open architecture of these APIs will provide financial institutions and other emerging providers the opportunity to innovate rapidly, drive disruption and create new revenue streams.
However, with the PSD2 directive not yet finalized (and the RTS still under development), questions remain open. ThreatMetrix has talked to many executives across leading European and global financial institutions, payment service providers, worldwide retailers, payment networks as well as FinTech operations: a common theme emerges. Businesses are preparing to implement changes, yet are still very much in a ‘watch and wait’ mode. There is no doubt that the new regulations will be a driving force behind new platforms and ecosystems that lead to new business models. It will be critical for established providers to decide how to take advantage of the opportunity and not be left behind.
Some Key Opportunities
- New FinTech Providers: They see the opportunity to partner with banks to create exciting customer experiences and provide increased transparency on performance and cost structures.
- Consolidated Super Banks: Customers could make payments and access basic banking services through a third-party portal, with minimal engagement with the underlying institutions. These portals could then also evolve into aggregators of multiple institutions, and hence the banks could further lose engagement with consumers across multiple products. Apart from posing a risk, this is also an opportunity for banks to open up non-payment data such as loans, savings and mortgages.
- Account Service Providers: Emergence of new providers that create new and innovative identity management solutions based on account, transaction and historical data from customers’ multiple financial institutions. The evolution here may replicate the transformation that happened in the UK around utility services and insurance products. The emergence of aggregator services transformed the insurance market, allowing consumers to compare policies like-for-like, with price becoming the key purchase driver. It is likely that with the advent of PSD2, pricing may also become the biggest driver of consumers’ choice of financial products and services.
- Risk Decisioning: Emergence of new risk-based solution providers that deliver solutions to enable financial institutions to make better risk decisions with minimal friction to the end customer.
- New Authentication Methods: The new SCA requirements will require more authentication touch points, which increase friction if not done correctly. Given this, banks, TPPs, PISPs and other entities will innovate on customer experience, and new providers will emerge that minimize friction.
- Payment Aggregators: As new payment models emerge, there will be opportunities for existing and new players to extend their capabilities.
- New Payment Models: Many merchants are looking for options to move beyond purely card payments.
- Merchant-Backed PISPs: Larger merchants may extend into the payment value chain by creating new PISPs to deliver an optimal customer experience at lower price and risk.
As businesses worldwide look to better understand the implications of these directives, there is hope that the final guidelines will take into account the investments many have made into their payment flow and customer experience.
ThreatMetrix research has revealed the following key opinions on the upcoming PSD2 requirements:
- Financial Institutions: As all EU countries and payment institutions need to be compliant with PSD2 by January 2018, it is clear that many will use the UK Open Banking working group’s standard as the guideline. These seek to address technical design and infrastructure issues as well as customer-specific issues like consent and access rights delegation, among others. Many financial institutions haven’t started looking at this and are waiting for the revised guidelines before implementing a solution. Others have got a head start by letting TPPs test their services out. The banks’ relationships with their customers are at risk, as customers could make payments and access basic banking services through a third-party portal with minimal engagement with the underlying institutions. These portals could then also evolve into aggregators of multiple institutions, and hence the banks could further lose interactions with the end customer. European regulators are increasingly becoming involved in bank switching processes. Some regulators have prescribed that an account must be switched within 10 days of an application, including migrating all salaries and regular payments. PSD2 will empower aggregators to advise end users on the best products for them, with price likely playing a key role in customer decisions.
- Networks: There is a notion of a simplified value chain in which the networks can be disintermediated. In such a scenario, the payment is initiated by the PISP from the customer’s bank account. While the fees would be displaced, there are many open questions about the operating rules/regulations, settlement, liability, and pricing to name a few.
- The current payment infrastructure, built around the payment schemes, has many carefully crafted rules and operating regulations that govern the payment flow and experience. Any new payment scheme will need to invest considerable time in building an acceptance ecosystem and creating mutually agreed rules of engagement.
- Many of the risks identified by the EBA can be prevented by the use of risk-based authentication. This will preserve the balance between security and convenience.
- Retailers: For retailers that have invested heavily in back-end processes to deliver one-click payments, it is critical that the revised directives include provision for risk-based payments so that they can maintain the customer experience while securing transactions. While they understand that authentication during the enrollment/signup process may be acceptable, they must find a way to make recurring payments frictionless. The notion of new payment flows promises lower prices, instant settlement and new payment methods, but it is currently hard to define the impact on customer enrollment. Customer behavior is notoriously hard to change. New payment methods will only be embraced if they are really better than the existing card models, i.e. more convenient and offering financial incentives.
ThreatMetrix Solution for Financial Institutions
The key to navigating an uncertain future
As banks look to better understand the impact of PSD2, understanding the true digital identity of the transacting consumer will be imperative. ThreatMetrix works with leading retailers, financial institutions and global networks to remove friction from online payments while maintaining security. With new entrants now becoming part of the transaction flow, context is going to be more important than ever.
Competition and Innovation: Opening up of bank account information to third-party providers (for account information and payment initiation services):
- The ThreatMetrix solution for Open Banking enables financial institutions to create APIs for PISPs and AISPs while maintaining their existing authentication and customer validation processes. This will enable them to support innovation from internal initiatives and through external partners while prioritizing customer experience and lifetime value. This will be supported by dynamic global shared intelligence from the world’s largest Digital Identity Network. The ThreatMetrix solution can enable banks to:
- Meet PSD2 and open banking requirements
- Deliver innovative financial solutions
- Securely partner with new and emerging providers
- ThreatMetrix will deliver new APIs to match PSD2 user journeys: Register/De-register Device, Authentication Preferences, User Consent Request and authorization parameters (e.g. threshold amount for payment initiation, maximum number of payments per day, and so on).
Customer Protection: Financial institutions are still waiting to understand how the revised directive will impact authentication. While strong (multi-factor) customer authentication will likely be required for some transactions, there is also a strong indication that the revised guidelines will allow risk-based authentication for most payment scenarios. ThreatMetrix can support both eventualities:
- Strong Customer Authentication (SCA): ThreatMetrix is extending its core technology platform to provide a Strong Authentication Framework wherein the customer’s mobile device becomes the authenticator and the ThreatMetrix SDK becomes the enabler. This will support:
- Strong DeviceID through a crypto-based PKI certificate: A cryptographic way to assert that the device in question is the same device that was originally registered.
- Push Notification: A cryptographically backed step-up to a mobile device that allows a yes/no answer. This is similar to a two-way SMS challenge flow but leverages the iOS and Android secure notification services (e.g. APN), with messages that are customizable based on use case and the customer’s preference.
- Extended Biometric Step-Up: A cryptographically backed step-up to a mobile device that requires use of an on-device user authenticator (fingerprint, facial recognition, voice, PIN, etc.). The key difference with this flow is that it requires user enrollment of a biometric or PIN. This has associated complexities in administering processes such as revocation and lost devices, as well as complexities around managing and maintaining fragmented handset/OS implementations of biometrics.
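Dynamic linking (the Trust feature listed earlier) and the device-bound key behind the Strong DeviceID item can be shown together. The Go program below is an added illustration, not ThreatMetrix code: at enrollment the device generates an ECDSA key pair and the bank keeps the public key; for each payment the device signs a digest of the amount, payee and a server-issued nonce, and the bank verifies that signature against the transaction it is actually about to execute, so a changed amount or payee invalidates the authentication. The Transaction fields, function names, nonce and IBAN are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction carries the fields PSD2 dynamic linking binds the
// authentication code to (amount and payee) plus a constructed
// server-issued nonce so a code cannot be replayed for a later payment.
type Transaction struct {
	Amount string // minor units as text, e.g. "12500" for EUR 125.00
	Payee  string // payee account identifier (constructed sample in main)
	Nonce  string // one challenge per authentication attempt
}

// RegisterDevice stands in for enrollment of the customer's mobile device:
// the device generates a key pair and the bank stores only the public key.
func RegisterDevice() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Digest canonicalizes the transaction so device and bank hash identical
// bytes. Length prefixes keep "12|5" and "1|25" from colliding.
func Digest(tx Transaction) []byte {
	h := sha256.New()
	for _, f := range []string{tx.Amount, tx.Payee, tx.Nonce} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return h.Sum(nil)
}

// SignTransaction is the device side: after the user confirms the displayed
// amount and payee, the enrolled device signs the digest with its key.
func SignTransaction(dev *ecdsa.PrivateKey, tx Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, dev, Digest(tx))
}

// VerifyTransaction is the bank side. The digest is recomputed from the
// transaction the bank is about to execute, so any change to the amount or
// payee after signing, or a signature from another device, is rejected.
func VerifyTransaction(pub *ecdsa.PublicKey, tx Transaction, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, Digest(tx), sig)
}

func main() {
	dev, err := RegisterDevice()
	if err != nil {
		panic(err)
	}
	// Constructed sample payment; the IBAN is a placeholder, not a real account.
	tx := Transaction{Amount: "12500", Payee: "DE00 0000 0000 0000 0000 00", Nonce: "n-1"}
	sig, err := SignTransaction(dev, tx)
	if err != nil {
		panic(err)
	}
	fmt.Println("original accepted:", VerifyTransaction(&dev.PublicKey, tx, sig))
	tampered := tx
	tampered.Amount = "125000" // amount altered after the customer authenticated
	fmt.Println("tampered accepted:", VerifyTransaction(&dev.PublicKey, tampered, sig))
}
```

Because the nonce is part of the digest, the same signature also fails when the bank issues a fresh challenge, which is what makes a captured authentication code useless for a second payment.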
In all cases, the purpose of the ThreatMetrix solution is to achieve a minimally invasive, strong authentication solution that is almost entirely turnkey for our customers.
Risk-Based Authentication: If the revised guidelines allow an exemption based on risk analysis for all payments (perhaps to a certain maximum amount), merchants and payment service providers can adopt alternative risk-based authentication to preserve a frictionless online experience and avoid disruption and inconvenience to all parties. The ThreatMetrix Dynamic Decision Platform enables businesses across the globe to achieve a balance between security and convenience across customer touch points. Apart from operationalizing dynamic crowdsourced intelligence from the ThreatMetrix Digital Identity Network, businesses can use the decision platform to apply risk detection to new API and consumer consent flows.
While the final directives will set in motion changes that will transform the global payment and commerce landscape, many questions still exist. The decisions around liabilities, pricing and authentication will have a long-term impact on how financial institutions and new providers will navigate the evolving ecosystem.
One thing is clear: the role of regulators in the payments and commerce space will continue to become more significant as they look to navigate the sometimes turbulent waters between security and customer experience, innovation and healthy competition.
About ThreatMetrix Digital Identity Network
The best way to tackle complex, global cybercrime is to use the power of a global shared network. The ThreatMetrix Digital Identity Network collects and processes global shared intelligence from millions of daily consumer interactions, including logins, payments and new account applications. Using this information, ThreatMetrix creates a unique digital identity for each user by analyzing the myriad connections between devices, locations and anonymized personal information. Behavior that deviates from this trusted digital identity can be accurately identified in real time, alerting businesses to potential fraud. Suspicious behavior can be detected and flagged for manual review or rejection before a transaction is processed.
The Network comprises two key components: Digital Identity Intelligence and a Dynamic Decision Platform.
- The Power of Digital Identity Intelligence: Harnessing Dynamic, Crowdsourced Intelligence. ThreatMetrix is unique in its ability to dynamically combine the four key pillars that define digital identity across all device platforms. These can be summarized as:
- Device: Device identification, device health and application integrity.
- Location: Detection of location cloaking or spoofing (proxies, VPNs and the Tor browser).
- Identity: Incorporating anonymized, non-regulated personal information such as user name, email address and more. Defining a pattern of trusted user behavior by combining identity and transactional metadata with device identifiers, connection and location characteristics.
- Threat: Harnessing point-in-time detection of malware, Remote Access Trojans (RATs), automated bot attacks, session hijacking and phished accounts, then combining with global threat information such as known fraudsters and botnet participation.
- Operationalizing Digital Identity Intelligence Using a Dynamic Decision Platform. The ThreatMetrix Dynamic Decision Platform enables businesses to leverage shared intelligence from The Network to make real-time digital decisions. This is facilitated via the following key functions:
- Integration and Orchestration: Uniting ThreatMetrix intelligence with back-end services and prepackaged/customized third-party services.
- Real-Time Analytics: Leveraging business rules, behavior analytics and machine learning capabilities to identify complex fraud patterns with high accuracy.
- Decision Management: Enabling continuous optimization of authentication and fraud decisions with visualization, data correlation and exception handling.