Former MBNA/Bank of America product development director Brendan Jones is now a part of the leadership team at Konsentus. He looks at the challenges that organisations are facing from PSD2 Open Banking.
Q: How has your career to date informed your opinions on the changing payments landscape?
I have worked in the payments arena for more than 30 years, working for a wide range of companies from technology providers to banks and consulting. This has given me a rounded view of the world when it comes to payments and banking and the challenges many banks face in meeting new regulatory hurdles.
Q: What is the biggest change coming from the implementation of PSD2 Open Banking?
The most transformative thing over the next three years is going to be the adoption of push payments or pay-by-bank services. The traditional methods of payments based on card transactions will face tough competition from pay-by-bank payments, which will threaten the existing card payment networks.
If we look at the operations of Google, Amazon, Facebook and Apple – aka GAFA – this pay-by-bank initiative will be ideal for them as very large merchants. They will be able to circumvent the existing networks, using direct bank-to-bank rails to get paid. That is going to threaten the incumbents and it will align with the European Commission’s aim of breaking the effective duopoly of the existing payment network operators.
When it comes to PSD2 Open Banking people make the mistake of talking about Europe in broad terms, but it is dangerous to do that. There are 31 countries within the European Economic Area (EEA) and the demographics are very different in each country, as are each population’s attitude to payments. In the UK, card-based payments are overtaking cash, but if you go to other European countries like the Netherlands or Germany, cards are not nearly as prevalent for online payments.
Q: How is Konsentus helping clients embrace the opportunities from Open Banking?
Konsentus offers third party provider (TPP) Identity & Regulatory checking services, ensuring that financial institutions are PSD2 Open Banking compliant. The service is delivered through a SaaS-based solution using RESTful APIs with no set-up fee. Konsentus covers all the EEA 31 national competent authorities (NCAs), working with the European Banking Authority’s TPP Register and 70+ qualified trust service providers, to ensure financial institutions never provide data to unregulated TPPs.
Q: Why is monitoring of third party providers vital?
Financial institutions need to ensure that data is only ever provided to a correctly-regulated TPP. TPPs are not required to have contractual relationships with the financial institutions to access payment accounts. So when a TPP knocks on the door (API) of a financial institution, it has no way of verifying the TPP’s identity, other than through the documentation the TPP presents.
PSD2 Regulatory Technical Standards state that TPPs should use eIDAS (electronic identification, authentication and trust services) certificates to identify themselves. However, these are much like an MOT certificate in the UK (car road test certificate), which only says a car is roadworthy the moment it passes the test. As soon as it is driven off, it is a dated document. Likewise, an eIDAS certificate is only as good as the time it was issued. After that it only proves who an organisation was when it was granted regulatory status.
In addition to proving who a TPP is, financial institutions also need to check they have the appropriate regulatory status to receive the information they are requesting – AISP/PISP. If a financial institution provides the wrong data, or data to an unapproved TPP, they are potentially in breach of PSD2 and GDPR.
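Added example illustrating the two-step check described in this answer (not Konsentus’s or any other product’s code): the eIDAS certificate establishes identity and the roles claimed at issuance, while the AISP/PISP decision is taken against the TPP’s current register status, so a still-valid certificate is not enough on its own. Register entries, certificate values and the Psd2Cert/authorise_request names are constructed; the PSP_AI/PSP_PI role names follow ETSI TS 119 495.

```python
"""Added example (not Konsentus's code): admit a TPP's API call only when the
eIDAS certificate AND the TPP's *current* register status both allow it.
Register entries, certificate values and helper names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Role each request needs: account data -> AISP, payment initiation -> PISP.
# Role names follow ETSI TS 119 495 (the PSD2 profile for eIDAS certificates).
REQUIRED_ROLE = {"account_information": "PSP_AI", "payment_initiation": "PSP_PI"}

@dataclass(frozen=True)
class Psd2Cert:
    """Fields a relying party extracts from a parsed eIDAS PSD2 certificate."""
    authorization_number: str   # NCA-issued identifier carried in the cert
    roles: frozenset            # roles claimed at issuance, possibly stale
    not_before: datetime
    not_after: datetime

# Constructed stand-in for a live NCA/EBA register lookup: what the regulator
# says about the TPP now, which may differ from what the certificate claims.
REGISTER = {
    "PSDGB-FCA-000001": ("authorised", frozenset({"PSP_AI", "PSP_PI"})),
    "PSDGB-FCA-000002": ("withdrawn", frozenset()),  # licence lost after cert issued
}

def authorise_request(cert: Psd2Cert, request_type: str, now: datetime) -> tuple:
    """Return (allowed, reason). A valid certificate alone never decides."""
    if not (cert.not_before <= now <= cert.not_after):
        return False, "certificate outside its validity period"
    required = REQUIRED_ROLE.get(request_type)
    if required is None:
        return False, "unknown request type"
    if required not in cert.roles:
        return False, f"certificate does not claim {required}"
    status, live_roles = REGISTER.get(cert.authorization_number, ("unknown", frozenset()))
    if status != "authorised":
        return False, f"TPP status in register is {status}"
    if required not in live_roles:
        return False, f"register does not currently grant {required}"
    return True, "identity and current regulatory status both verified"

def demo() -> dict:
    # 'now' stands in for the time of the incoming API request.
    now = datetime(2019, 9, 14, tzinfo=timezone.utc)
    window = (datetime(2019, 1, 1, tzinfo=timezone.utc), datetime(2021, 1, 1, tzinfo=timezone.utc))
    good = Psd2Cert("PSDGB-FCA-000001", frozenset({"PSP_AI", "PSP_PI"}), *window)
    stale = Psd2Cert("PSDGB-FCA-000002", frozenset({"PSP_AI"}), *window)
    return {
        "aisp_request_ok": authorise_request(good, "account_information", now),
        "cert_lacks_pisp_role": authorise_request(stale, "payment_initiation", now),
        "valid_cert_but_withdrawn": authorise_request(stale, "account_information", now),
    }
```

The third case is the one the answer warns about: the certificate is inside its validity window and claims PSP_AI, yet the register shows the authorisation has been withdrawn, so the request must be refused.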
Q: Are there not free databases in the market that financial institutions can use?
Yes, the European Banking Authority’s database is free. However, it is only updated twice a day and once daily by the NCAs. It only lists payment institutions, electronic money institutions and TPPs regulated or approved by NCAs; it does not cover credit institutions. The database is online and machine-readable but is not real time and once a financial institution downloads it, they then need to build the interrogation and management platform around it.
While the NCA databases are also free, none today are machine readable and online. Crucially these databases are the source data for a TPP’s regulatory status. Thus, a financial institution would need to work with all 31 NCAs in order to have an up-to-date database. Neither the EBA nor the NCA databases provide online support for TPP identity checking, and thus this capability also needs to be built to interrogate and manage this data.
Q: There has been much discussion over whether PSD2 Open Banking will increase security risks. What are these and how can organisations protect themselves and their customers?
The simplest risk is that data is given to an unregulated/unapproved TPP or provided without the explicit consent of the Payment Service User (PSU).
In terms of authentication processes through the API, there are three main authentication models:
- Redirection – customer is redirected to the financial institution’s domain (online portal or app) for entering bank-issued security credentials and then directed back to the third party provider.
- Decoupled – customer uses a separate device (for authentication) to the device on which the third party app or website is being used.
- Embedded – customer’s ASPSP-issued credentials are given directly to the TPP.
Strong customer authentication is achieved by using two out of three specified elements:
- Knowledge – e.g. password.
- Possession – e.g. card details (CVV, PAN), one-time SMS code.
- Inherence – e.g. fingerprint or other biometric elements.
Strong customer authentication must be applied (unless exemption available) where the payer makes an electronic payment or the customer accesses account data, directly or via a third party provider.
The greatest risk to PSUs will be an increase in phishing attacks where fraudsters try and get users to voluntarily push payments to an account that has been taken over. However, in the UK new voluntary requirements around payee recognition from UK Finance, commonly referred to as Confirmation of Payee, along with other elements of security, are being put in place to help combat this risk.