
PSD2 is helping banks adapt to a more secure, customer-centric environment

The clock is ticking for banks to address the challenges posed by meeting all the requirements of PSD2. Emilie Casteran from Gemalto investigates what they need to do to comply with the regulation.

The final EU Regulatory Technical Standards (RTS) for the PSD2 Directive were published last month, aiming to protect consumers while encouraging innovation and competition in the financial sector. The standards will come into force from 14 September next year, although banks’ APIs could be audited by regulators six months earlier. This new payment legislation will not only impact the financial ecosystem, but it’ll also open new possibilities for both consumers and businesses.

Now the directive has been confirmed, the clock is ticking for banks to address the challenges posed by meeting all the requirements of PSD2. So, what do they need to do now to comply? In addition to opening access to payment accounts with the user’s consent, financial institutions must implement several security measures to protect consumers.


Unfortunately, there isn’t a ‘one size fits all’ approach, so the optimum strategy will be different for each bank. Companies need to shape solutions around their existing IT infrastructures and market requirements and should, in many cases, draw on products already proven to deliver the core principles of the RTS. In addition, to ensure their long-term success and offer smooth user experiences, banks will also need to integrate new technology building blocks as part of their PSD2 framework.

PSD2 marries security and convenience

The core principles of the RTS – Strong Customer Authentication (SCA), Secured Communication, Risk Management and Transaction Risk Analysis (TRA) – have been maintained, confirming the directive’s security objectives. To protect the consumer, PSD2 requires banks to implement multi-factor authentication for all proximity and remote transactions performed on any channel.

By supporting the use of biometric authentication via a mobile device – whether fingerprint or other methods such as facial recognition – banks can provide a solution that combines security with usability, creating a better user experience.

Together with SCA, PSD2 mandates the use of risk management to adapt security: identifying potential fraud and deciding whether or not to trigger a security step-up depending on the level of risk associated with the transaction. Banks can therefore still provide a seamless customer experience while complying with the new requirements.

As it turns out, the RTS offer a way to reconcile security with a smooth user experience. In fact, the final draft lists several cases in which SCA is not necessary, which it calls exemptions.

The reason for these exemptions is clear: consumers don’t like to be disrupted when they are banking or shopping online. If they are constantly pestered for PIN codes or one-time passwords, they might just give up and stop what they are doing. And that’s bad for business. While European authorities want to protect consumers and banks from fraud, they also want to foster great payment and banking experiences, making sure merchants and banks don’t lose their customers.
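The step-up logic described above, as an added, self-contained example (not code from the article or from Gemalto): a small risk-scoring function decides whether a payment can go through frictionlessly or must be escalated to SCA. The risk signals, weights, thresholds (a €30 low-value cut-off, a €500 ceiling above which SCA is always required, a step-up threshold of 40) and the flag standing in for the bank’s monitored fraud rate are all constructed for the illustration and are not the figures or wording of the RTS; the sample transactions are likewise constructed.

```python
"""Risk-based SCA step-up decision (illustrative; values and rules are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    device_known: bool        # device previously bound to this customer
    location_matches: bool    # geolocation consistent with the customer's profile
    payee_trusted: bool       # payee is on the customer's own trusted list
    payments_last_hour: int   # payments already initiated from this account this hour
    amount_ratio: float       # amount divided by the customer's typical payment


@dataclass
class Decision:
    score: int
    require_sca: bool
    reasons: List[str] = field(default_factory=list)


# Constructed policy values for this example (assumptions, not the RTS figures)
LOW_VALUE_LIMIT_EUR = 30.0
TRA_CEILING_EUR = 500.0
STEP_UP_THRESHOLD = 40
TRA_EXEMPTION_AVAILABLE = True  # in practice driven by the bank's monitored fraud rate


def risk_score(tx: Transaction) -> Tuple[int, List[str]]:
    """Additive score from a handful of fraud indicators; higher means riskier."""
    score, reasons = 0, []
    if not tx.device_known:
        score += 30
        reasons.append("unrecognised device")
    if not tx.location_matches:
        score += 25
        reasons.append("location deviates from profile")
    if tx.payments_last_hour >= 3:
        score += 20
        reasons.append("high payment velocity")
    if tx.amount_ratio > 3.0:
        score += 20
        reasons.append("amount far above customer's usual")
    return score, reasons


def decide(tx: Transaction) -> Decision:
    """Escalate to SCA when the risk is high or the amount is large; otherwise
    apply an exemption. Risk monitoring overrides every exemption."""
    score, reasons = risk_score(tx)
    if tx.amount_eur > TRA_CEILING_EUR:
        return Decision(score, True, reasons + ["above TRA ceiling: SCA mandatory"])
    if score >= STEP_UP_THRESHOLD:
        return Decision(score, True, reasons + ["risk score at or above step-up threshold"])
    if tx.payee_trusted:
        return Decision(score, False, reasons + ["exemption: trusted beneficiary"])
    if tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return Decision(score, False, reasons + ["exemption: low-value payment"])
    if TRA_EXEMPTION_AVAILABLE:
        return Decision(score, False, reasons + ["exemption: low risk under TRA"])
    return Decision(score, True, reasons + ["no exemption applies"])


# Constructed sample payments
SAMPLES: Dict[str, Transaction] = {
    "coffee_known_device": Transaction(4.50, True, True, False, 1, 0.5),
    "rent_trusted_payee": Transaction(850.0, True, True, True, 0, 1.1),
    "new_device_abroad": Transaction(120.0, False, False, False, 0, 1.5),
    "routine_shop_known_device": Transaction(120.0, True, True, False, 1, 1.5),
    "burst_of_payments": Transaction(450.0, True, True, False, 4, 4.0),
}


def run_samples() -> Dict[str, Decision]:
    return {name: decide(tx) for name, tx in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        action = "SCA required" if d.require_sca else "frictionless"
        print(f"{name:28s} score={d.score:3d} {action:14s} {'; '.join(d.reasons)}")
```

The ordering is the point worth copying: the amount ceiling and the risk score are checked before any exemption, so a trusted beneficiary or a low-value payment is only waved through when the transaction otherwise looks normal, and a burst of unusually large payments from a known device is still stepped up.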

Applying security measures for mobile banking solutions

Of course, one hugely important change to the customer experience in recent years has been the rise of mobile solutions. Mobile devices are at the heart of financial institutions’ digital strategies, both as an increasingly used banking interface and as an authentication means to secure other communication channels.

With PSD2 fast approaching, banks and fintech providers should get ready by following some rules for mobile security compliance. The RTS accept the use of mobile devices without requiring hardware companions, so long as their security principles are fulfilled.

The compliance of mobile authentication solutions will depend on how banks or software developers implement them, and the RTS are setting high expectations. Specialized mobile-security vendors can easily cope with these, but in-house developers could find them harder to meet.

Mobile devices will continue to be at the heart of banks’ digital transformation even after the September 2019 deadline, so what should banks do if they offer mobile solutions for eBanking and authentication? They should ask themselves whether they have taken all aspects of security into account, including those that are specific to mobile banking. They need to make sure that they tick all the boxes on the following checklist:

  • Authentication data is stored and processed in specific secure environments, ensuring isolation from the standard mobile OS
  • Confidential data is not stored, or is encrypted
  • Accessing such data requires SCA
  • They have enforced measures against data duplication
  • Communication is encrypted
  • Servers communicating with mobile devices must be authenticated
  • Only the legitimate mobile device can receive or send authentication-related data.
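Three of the checklist items (servers must authenticate themselves to the device, only the legitimate device may exchange authentication data, and measures against data duplication) can be shown in one exchange. The following is an added example, not code from the article or from Gemalto: a per-device key established at enrolment, the server proving possession of that key against a fresh device nonce before any approval is sent, and a monotonic counter that makes a cloned authenticator collide with the original. The device and server classes, message layout and the `_mac` helper are all constructed for the illustration; encryption of the channel and of stored data is assumed to come from TLS and the device’s secure environment and is not reproduced here (the standard library has no authenticated-encryption primitive).

```python
"""Device-bound, mutually authenticated approval exchange (constructed illustration)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

Approval = Tuple[str, int, bytes, bytes]  # (device_id, counter, payload, tag)


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so concatenation is unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class BankServer:
    def __init__(self) -> None:
        self.device_keys: Dict[str, bytes] = {}   # one key per enrolled device
        self.last_counter: Dict[str, int] = {}    # highest counter accepted per device

    def enrol(self, device_id: str) -> bytes:
        """Enrolment would itself be protected by SCA; returns the device-bound key."""
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        self.last_counter[device_id] = 0
        return key

    def prove_identity(self, device_id: str, device_nonce: bytes) -> Optional[bytes]:
        """Server authentication: answer the device's fresh nonce with a MAC it can check."""
        key = self.device_keys.get(device_id)
        return None if key is None else _mac(key, b"server-auth", device_nonce)

    def accept_approval(self, device_id: str, counter: int, payload: bytes, tag: bytes) -> bool:
        key = self.device_keys.get(device_id)
        if key is None:
            return False                            # device never enrolled
        if counter <= self.last_counter[device_id]:
            return False                            # replay, or a clone out of step
        expected = _mac(key, b"device-approval", counter.to_bytes(8, "big"), payload)
        if not hmac.compare_digest(expected, tag):
            return False                            # tampered payload or wrong key
        self.last_counter[device_id] = counter
        return True


class MobileAuthenticator:
    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key        # in production: held in the device's secure environment
        self.counter = 0

    def verify_server(self, server: BankServer) -> bool:
        """Refuse to talk to a server that cannot answer a fresh nonce under our key."""
        nonce = secrets.token_bytes(16)
        proof = server.prove_identity(self.device_id, nonce)
        if proof is None:
            return False
        return hmac.compare_digest(proof, _mac(self._key, b"server-auth", nonce))

    def approve(self, payload: bytes) -> Approval:
        self.counter += 1
        tag = _mac(self._key, b"device-approval", self.counter.to_bytes(8, "big"), payload)
        return self.device_id, self.counter, payload, tag


def demo() -> Dict[str, bool]:
    """Run the exchange plus the failure modes the checklist is guarding against."""
    server = BankServer()
    key = server.enrol("device-A")
    device = MobileAuthenticator("device-A", key)
    results: Dict[str, bool] = {}

    results["server_authenticated"] = device.verify_server(server)
    impostor = BankServer()
    impostor.device_keys["device-A"] = secrets.token_bytes(32)   # does not hold the real key
    results["impostor_server_rejected"] = not device.verify_server(impostor)

    msg = device.approve(b"approve payment EUR 120.00 to <constructed payee>")
    results["approval_accepted"] = server.accept_approval(*msg)
    results["replay_rejected"] = not server.accept_approval(*msg)

    dev_id, ctr, _payload, tag = device.approve(b"approve payment EUR 10.00")
    results["tamper_rejected"] = not server.accept_approval(dev_id, ctr, b"approve payment EUR 9999.00", tag)

    clone = MobileAuthenticator("device-A", key)   # copied key, but not the counter state
    results["clone_rejected"] = not server.accept_approval(*clone.approve(b"approve payment EUR 900.00"))

    rogue = MobileAuthenticator("device-Z", secrets.token_bytes(32))  # never enrolled
    results["unenrolled_device_rejected"] = not server.accept_approval(*rogue.approve(b"x"))
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:30s} {'ok' if ok else 'FAILED'}")
```

The counter is a deliberately simple anti-duplication measure: a copy of the key alone is not enough, because the copy restarts from zero and its approvals fall at or below the counter the server has already seen, which is also the signal a bank would log and investigate.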

Banks should review their mobile solutions now to make sure these considerations are taken into account.

A new world of opportunity

PSD2 is a customer-centric regulation that should lead to an improved customer environment, bringing benefits not only to end users but to all banking & payment parties. New partnerships and open-banking APIs with the right security level brought by SCA and risk monitoring can generate value by adding third-party capabilities to core offerings, capitalizing on consumer behavior and data, and making the multi-factor authentication process as easy as possible for the customer. Banks and fintech providers should not view PSD2 as a burden, but as an opportunity. Through investing and innovating now, they can not only prepare themselves for compliance, but steal a march on competitors by bringing innovative services to their customers first.

Emilie Casteran is head of banking and payments at Gemalto.
