The final EU Regulatory Technical Standards (RTS) for the PSD2 Directive were published last month, aiming to protect consumers while encouraging innovation and competition in the financial sector. The standards will come into force from 14 September next year, although banks’ APIs could be audited by regulators six months earlier. This new payment legislation will not only impact the financial ecosystem, it will also open new possibilities for both consumers and businesses.
Now that the directive has been confirmed, the clock is ticking for banks to address the challenges of meeting all the requirements of PSD2. So, what do they need to do now to comply? In addition to opening access to payment accounts with the user’s consent, financial institutions must implement several security measures to protect consumers.
Unfortunately, there isn’t a ‘one size fits all’ approach, so the optimum strategy will be different for each bank. Companies need to shape solutions around their existing IT infrastructures and market requirements and should, in many cases, draw on products already proven to deliver the core principles of the RTS. In addition, to ensure their long-term success and offer a smooth user experience, banks will also need to integrate new technology bricks as part of their PSD2 framework.
PSD2 marries security and convenience
The core principles of the RTS – Strong Customer Authentication (SCA), Secured Communication, Risk Management and Transaction Risk Analysis (TRA) – have been maintained, confirming the directive’s security objectives. To protect the consumer, PSD2 requires banks to implement multi-factor authentication for all proximity and remote transactions performed on any channel.
By supporting the use of biometric authentication via a mobile device – whether fingerprint or other methods such as facial recognition – banks can provide a solution that combines security with usability, creating a better user experience.
Together with SCA, PSD2 mandates the use of risk management to adapt security: to identify potential fraud and decide whether to trigger a security step-up depending on the level of risk associated with the transaction. Banks can therefore still provide a seamless customer experience while complying with the new requirements.
As it turns out, the RTS offers a way to reconcile security and a smooth user experience. In fact, the final draft lists several cases in which SCA is not necessary, which it calls the exemptions.
The reason for these exemptions is clear: consumers don’t like to be disrupted when they are banking or shopping online. If they are constantly pestered for PIN codes or one-time-passwords, they might just give up and stop what they are doing. And that’s bad for business. While European authorities want to protect consumers and banks from fraud, they also want to foster great payment and banking experiences, making sure merchants and banks don’t lose their customers.
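As an added example (not code from the article or from Gemalto), the following shows how the risk-based step-up decision described above can be expressed: transaction risk is scored first, and only a low-risk payment is then checked against exemptions. The score weights, the low-value limit and the TRA fraud-rate bands are constructed assumptions for illustration; the actual exemption conditions and thresholds are those defined in the RTS.

```python
from dataclasses import dataclass

# Illustrative policy values (assumptions for this example, not from the RTS text).
LOW_VALUE_LIMIT_EUR = 30.0
# (max issuer fraud rate %, max amount EUR) bands for the TRA exemption, illustrative.
TRA_BANDS = [(0.01, 500.0), (0.06, 250.0), (0.13, 100.0)]
STEP_UP_SCORE = 60  # at or above this, step up to SCA regardless of exemptions

@dataclass
class Transaction:
    amount_eur: float
    payee_trusted: bool  # payee is on the customer's trusted-beneficiary list
    device_known: bool   # device already bound to this customer
    new_country: bool    # location differs from the customer's history
    tx_last_hour: int    # velocity: payments from this account in the past hour

def risk_score(tx: Transaction) -> int:
    """Additive risk score, 0..100, using constructed weights."""
    score = 0
    if not tx.device_known:
        score += 40
    if tx.new_country:
        score += 30
    if tx.tx_last_hour >= 5:
        score += 30
    return min(score, 100)

def tra_limit_eur(issuer_fraud_rate_pct: float) -> float:
    """Largest amount the TRA exemption may cover for the issuer's fraud rate."""
    for max_rate, limit in TRA_BANDS:
        if issuer_fraud_rate_pct <= max_rate:
            return limit
    return 0.0  # fraud rate too high: TRA exemption unavailable

def sca_decision(tx: Transaction, issuer_fraud_rate_pct: float) -> tuple[bool, str]:
    """Return (step_up_required, reason): risk first, then exemptions."""
    score = risk_score(tx)
    if score >= STEP_UP_SCORE:
        return True, f"risk score {score} at or above step-up threshold"
    if tx.payee_trusted:
        return False, "trusted-beneficiary exemption"
    if tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return False, "low-value exemption"
    limit = tra_limit_eur(issuer_fraud_rate_pct)
    if tx.amount_eur <= limit:
        return False, f"TRA exemption (limit {limit:.0f} EUR)"
    return True, "no exemption applies"
```

The ordering matters: a high-risk signal (unknown device, unusual country, high velocity) forces SCA even when an exemption would otherwise apply, which is the "step up depending on risk" behaviour the RTS expects.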
Applying security measures for mobile banking solutions
Of course, one hugely important change in the customer experience in recent years is mobile solutions. Mobile devices are at the heart of financial institutions’ digital strategies, both as an increasingly used banking interface and as an authentication means to secure other communication channels.
With PSD2 fast approaching, banks and fintech providers should get ready by following some rules for mobile security compliance. The RTS accepts the use of mobile devices without requiring hardware companions, so long as its security principles are fulfilled.
The compliance of mobile authentication solutions will depend on how banks or software developers implement them, and the RTS are setting high expectations. Specialized mobile-security vendors can easily cope with these, but in-house developers could find them harder to meet.
Mobile devices will continue to be at the heart of banks’ digital transformation even after the September 2019 deadline, so what should they do if they offer mobile solutions for eBanking and authentication? They should ask themselves if they have taken all aspects of security into account, including those that are specific to mobile banking. They need to make sure that they tick all boxes from the following checklist:
- Authentication data is stored and processed in specific secure environments, ensuring isolation from the standard mobile OS
- Confidential data is not stored, or is encrypted
- Accessing such data requires SCA
- They have enforced measures against data duplication
- Communication is encrypted
- Servers communicating with mobile devices must be authenticated
- Only the legitimate mobile device can receive or send authentication-related data
Banks should review their mobile solutions now to make sure these considerations are taken into account.
A new world of opportunity
PSD2 is a customer-centric regulation that should lead to an improved customer environment, bringing benefits not only to end users but to all banking and payment parties. New partnerships and open-banking APIs, with the right security level brought by SCA and risk monitoring, can generate value by adding third-party capabilities to core offerings, capitalizing on consumer behavior and data, and making the multi-factor authentication process as easy as possible for the customer. Banks and fintech providers should not view PSD2 as a burden, but as an opportunity. By investing and innovating now, they can not only prepare themselves for compliance, but steal a march on competitors by bringing innovative services to their customers first.
Emilie Casteran is head of banking and payments at Gemalto.