Online Banking Fraud Blog

PSD2 regulation: how it affects banking institutions and customers

Written by Asaf Yacobi | May 16, 2019

The European Union's General Data Protection Regulation (GDPR) dominated enterprise information technology headlines throughout 2018, as organizations worldwide grappled with the associated operational fallout.

However, as the buzz surrounding GDPR implementation droned on, another equally transformative piece of regulatory reform took effect: the Second Payment Services Directive (PSD2).

The legislation, which became enforceable on Jan. 13, 2018, mandates that all major European banks must allow sanctioned third-party account management and payment services providers to access their internal data, including customer information.

By requiring financial institutions to embrace cross-party data sharing through APIs, PSD2 regulation forms the foundation for an international open banking environment wherein consumers can seamlessly manage and move their money using numerous digital solutions, per Wired.

PSD2 and the open banking movement could very well transform how financial services businesses everywhere operate. With this reality in mind, entities in the industry should learn as much as possible about the legislation and the innovative approach on which it is based.

Unpacking the regulation

Europe's top banks - Allied Irish Bank, the Bank of Ireland, Barclays, Danske, HSBC, Lloyds, Nationwide, RBS and the Spanish group Santander - had long been required to facilitate cross-border digital transactions under the original Payment Services Directive, implemented in 2007, according to the European Commission.

While the legislation opened up the consumer banking market and facilitated the Single Euro Payments Area initiative, it featured fluid language that laid the groundwork for confusion among member states and uneven implementation.

To address these issues and make room for new account management and payment technologies, the EC revisited the law in the summer of 2013 and proposed the first iteration of PSD2, per Ernst & Young.

The European Parliament adopted the regulation in October 2015 and published it in the Official Journal of the EU in December that year, along with an enforcement deadline of January 2018.

PSD2 contains more than 100 articles which, together, catalyze some significant regulatory changes. According to the European Payments Council, these include:

  • Payment services provider recognition: The legislation empowers proven innovators in the digital payment space, granting these organizations access to an official registration system wherein they can obtain the operational licenses needed to access bank data directly, so long as they gain explicit customer consent.
  • Customer authentication implementation: PSD2 tackles the issue of fraud by mandating the use of account holder authentication tools for all electronic payment operations. Under the law, both financial institutions and payment services providers must use two of the following three elements in multi-factor authentication settings: a password or PIN, a physical asset such as a credit card, and an identifying characteristic like a user fingerprint or voice. Entities managing remote payment services through online or mobile devices must provide an extra authentication element - an automatically generated code that links an amount to a specific payee, for instance.
  • Extended geographical reach: The regulatory reform uses the so-called "one leg out" approach, meaning it applies even if one party, either the bank or the customer, is outside of the EU.
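
The "code that links an amount to a specific payee" mentioned above can be illustrated in code. The following is an added example, not code from the original post or from any vendor product: it binds a short authentication code to the exact amount, currency and payee via an HMAC, and shows that tampering with any linked field (or replaying the code in another session) causes verification to fail. The key, nonce, field encoding and 8-digit code format are assumptions made for the illustration.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed illustration of the "dynamic linking" idea in the PSD2 RTS:
# the authentication code is bound to the exact amount and payee, so a code
# approved for one transfer cannot be reused on a modified one.
# Key, nonce, field encoding and the 8-digit code format are assumptions.

def canonical_transaction(amount, currency: str, payee: str) -> bytes:
    """Encode the linked fields unambiguously (fixed decimals, explicit separator)."""
    amt = Decimal(str(amount)).quantize(Decimal("0.01"))
    fields = [f"{amt:.2f}", currency.strip().upper(), payee.strip().upper()]
    for f in fields:
        if "|" in f or not f:
            raise ValueError("linked field is empty or contains the separator")
    return "|".join(fields).encode("utf-8")

def generate_code(key: bytes, nonce: bytes, amount, currency: str, payee: str) -> str:
    """Derive a user-displayable code from an HMAC over nonce + linked fields."""
    msg = nonce + b"\x00" + canonical_transaction(amount, currency, payee)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def verify_code(key: bytes, nonce: bytes, amount, currency: str, payee: str,
                presented: str) -> bool:
    """Recompute from the transaction about to be executed; compare in constant time."""
    expected = generate_code(key, nonce, amount, currency, payee)
    return hmac.compare_digest(expected, presented)

def demo() -> dict:
    """Show that the code is accepted only for the unmodified transaction."""
    key = b"constructed-demo-key-do-not-reuse"  # assumption: per-customer secret
    nonce = b"session-0001"                      # assumption: one per auth attempt
    payee = "CONSTRUCTED PAYEE A"                # constructed, not a real account
    code = generate_code(key, nonce, "120.50", "EUR", payee)
    return {
        "original": verify_code(key, nonce, "120.50", "EUR", payee, code),
        "amount_tampered": verify_code(key, nonce, "1120.50", "EUR", payee, code),
        "payee_tampered": verify_code(key, nonce, "120.50", "EUR", "CONSTRUCTED PAYEE B", code),
        "replayed_in_new_session": verify_code(key, b"session-0002", "120.50", "EUR", payee, code),
    }

if __name__ == "__main__":
    print(demo())
```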

PSD2 defines the external parties, labeled Third-party Payment Providers (TPPs), involved in the open-banking ecosystem and establishes behavioral expectations for each. These include:

  • Account Information Service Providers: These organizations tap into customer account information to provide various online financial services, including account aggregation and spending analysis.
  • Payment Initiation Service Providers: These groups authorize payments on behalf of account holders and integrate with online banking services to initiate and process outgoing transactions.

While PSD2's primary components centered on data sharing are currently active and enforceable, the EU has given European banks until September 2019 to comply with the law's account holder authentication requirements.

How exactly are the affected financial institutions supposed to achieve PSD2 compliance? By adhering to the Regulatory Technical Standards (RTS) the European Banking Authority (EBA) packaged with PSD2.

The RTS lay out granular back-end requirements, mandating two-factor authentication under Strong Customer Authentication (SCA) principles and other fraud prevention tools for TPPs, which the EU sees as the basis for safe and effective open banking.

Understanding the customer benefits

The potential consumer advantages that come with open banking as imagined under PSD2 regulation are significant. For example, individuals with funds in different accounts at disparate institutions can manage all of their money, no matter its location, from one single TPP application, Wired reported.

Open banking also streamlines the payment process, allowing retailers to access funds directly from an account without working through acquirers and credit card companies. PSD2 regulation even makes it easier to apply for loans, as in an open banking setting, creditors can, with one-time permission from account holders, view the financial information they need to issue credit.

This is an especially big benefit for those with short credit histories, as lenders can get an accurate picture of their finances straight from the bank and make more informed issuance decisions.

Despite these benefits, consumer attitudes toward PSD2 have been mixed, according to survey data from Accenture.

While some appreciate the seamlessness that comes with using TPPs, many are concerned about security and would prefer that traditional financial institutions handle their information rather than external software providers. Even so, many customers are catching on to certain open-banking advantages.

For example, more than half of consumers are comfortable allowing payment initiation service providers to make payments on their behalf, and almost 52% already employ or would be willing to use third-party money management apps.

These developments, along with long-term trends centered on consumer technology usage and perceptions surrounding market decentralization, have convinced the fintech business leaders who oversee TPPs that the widespread reticence surrounding open banking will not last long, according to McKinsey & Company.

In fact, many have watched their colleagues in the financial services industry come around to the idea over the last decade, opening the door to collaborations that they once considered anathema.

Gauging the industry reaction

Bankers are indeed generally supportive of the open banking methodology that PSD2 facilitates, per analysts for Accenture, who discovered that an estimated 79 percent of financial professionals believe the free exchange of institutional account information presents an opportunity for the industry.

However, many experts in the space, especially those navigating the EU, are not so excited about PSD2, CNBC reported. Why? For one, this brand of mass data sharing undercuts the competitive nature of the financial services marketplace, forcing natural adversaries to collaborate.

Additionally, PSD2 implementation introduces significant technical difficulties for banks and TPPs, especially on the client side. RTS emphasizes the prevention of client-side threats to customers and mandates the use of outward-facing data security tools and techniques. Traditionally, banks and similar financial institutions have focused on server-side defenses.

Consequently, many organizations in the space are struggling to satisfy the information-sharing requirements included in the legislation while also protecting customer data and avoiding financial penalties associated with the GDPR and other comparable regional and local regulations.

That said, even stringent opponents of PSD2 recognize that the emergence and crystallization of open banking is inevitable and are working to develop and deploy the technology needed to adjust to this change.

Banks elsewhere would be wise to take a similar approach, as PSD2 is expected to precipitate an avalanche of open banking legislation worldwide. Members of the U.S. Congress touched on the topic this past September during a meeting of the Senate Banking Committee, American Banker reported.

Latin American superpower Brazil is even further ahead on the open banking front, per Iupana, which reported that multiple financial institutions in the country are collaborating via an API-driven data-sharing platform.

Revelock helps with PSD2 compliance

With these developments in play, banks everywhere must prepare for the maturation of open banking and PSD2 compliance through RTS implementation. Here at Revelock, we provide innovative, behavioral biometrics-based fraud prevention solutions designed specifically for deployment in the financial services sector.

Our product, called bugFraud, monitors user behavior and environment parameters - mobile movements, typing speeds, mouse motions, finger pressure, location, endpoint type and browser, for instance - and generates detailed behavioral user profiles.

Powerful deep learning algorithms then constantly compare the data points included in the profiles against live system activity to spot instances of fraud.

It also includes web or mobile application and network analysis tools that can easily identify cybercriminals attempting code injection, malware or connection masking. Together, these features make bugFraud the ideal tool for banks and TPPs facing the main challenges that come with RTS adoption, including:

  • SCA application: bugFraud facilitates strong SCA via bleeding-edge behavioral biometrics tools.
  • Malware detection: bugFraud can pick up on common malware variants, including remote access Trojans.
  • Real-time risk analysis: bugFraud supports in-the-moment risk analysis through its behavioral biometrics-based fraud detection features.

Do you want to learn more about how our solution can enable your institution to harness the power of behavioral biometrics and achieve PSD2 compliance? Contact Revelock today.