By Dr Stephen Topliss, Vice President Product Strategy at ThreatMetrix
With the formal deadline for adoption into law of the second Payment Service Directive (PSD2) passed in January, organisations in the financial services industry will already be taking steps to modify systems and processes accordingly. While aiming to make electronic payments far more simple, transparent and secure, as well as spurring a whole new level of innovation and competition in an increasingly mobile-first world, the new regulations will not be without their challenges. Arguably, the biggest challenges for banks and payment players won’t be innovative new services, it will be the security behind them.
The European Commission is changing the fundamentals of trust and security in the digital commerce space in its quest to drive eCommerce growth and reduce fraud. The higher level of security mandated by PSD2 will therefore require banks and businesses to adapt their systems and business models accordingly.
Although fundamental changes to how data must be handled will inevitably present operational challenges to overcome, the opportunity such sweeping reforms will bring cannot be overlooked. By forcing a timeline and dedicated action in areas that might otherwise have been the subject of debate for years before any real change, regulatory change universally raises minimum standards for an entire industry.
Balancing fraud vs. risk – the unintended consequences of Strong Customer Authentication
The clear issue with the implementation of strong customer authentication (SCA) is that it can create undue friction and negatively affect customer experience. Therefore, the challenge – and even the opportunity – for organisations is to adopt solutions that meet the more stringent PSD2 security requirements while offering a user experience that requires minimal or zero additional user intervention.
The exciting thing here is that it is spurring on technical innovation among organisations – and the vendors that support them – to completely rethink authentication and identity verification. Going beyond a layered approach to security, organisations need a dynamic, responsive approach that seamlessly incorporates risk-based and strong customer authentication techniques in order to enhance security and compliance, without taking a backwards step in frictionless authentication.
Integrated, risk-based and strong authentication techniques are required, and organisations evaluating changes as a result of PSD2 should favour SCA methodologies that need minimal user intervention, such as strong device binding or biometrics such as thumb print on mobiles, which are very familiar to users.
Risk-based authentication (RBA) is allowed for certain low-risk transactions, while payment service providers (PSPs) can also apply it more broadly if they’re able to demonstrate low rates of fraud. While acceptable thresholds are aggressive, PSPs will benefit immensely from deploying a combination of SCA and RBA for fraud prevention while focusing on delivering low-friction services. The PSD2 Regulatory Technical Standards (RTS) are addressed to the PSPs, which means that the merchants can continue to apply risk analysis to transactions with their customers.
The new risks and rewards created by PSD2
Although PSD2 has been designed to enhance the overall security of digital payments, it does also bring with it some risk of specific kinds of fraud.
For example, implementing PSD2, and its associated increased demands on customer authentication, could result in higher demand on call centers from blocked payments and/or increased customer friction, as well as having an impact on the efficiency of automated monitoring systems which are not tuned and calibrated to the new payment schemes and fraud scenarios.
At the same time, by opening APIs, new players will be introduced in the ecosystem, which in turn drives a need for a 24/7 operation of fraud investigation teams, along with implementing real-time fraud transaction monitoring systems. It is also introducing new payment flows directly from a customer’s bank account, using third party providers, which exposes more routes for fraudsters to infiltrate. Initially, it is likely there will also be an associated increase in compliance costs due to lack of historical data in new payments channels.
Over the past year, there has been an increase in botnet activity for the purpose of account testing – in calendar year Q1 2018 alone, the ThreatMetrix® Digital Identity Network® saw a new quarterly record of one billion bot attacks, 100 million of which were from mobile devices. Essentially, this activity is a result of criminals creating automated processes to test out credentials that have become available thanks to the many high-profile data breaches we have seen in recent history.
Although any fundamental adjustments to how data is secured and handled carry with them certain risks, this must be balanced with the potential positive outcomes. In this case, PSD2 is driving organisations that are subject to the directive to very carefully consider their stance on security, and provides an opportunity to both overhaul existing measures, and go above and beyond the minimum requirements in order to differentiate from the competition. As a result, the situation has created a platform for innovation, as teams strive towards the most efficient and sophisticated solutions to meeting – and exceeding – the new requirements.
Supporting third-party ecosystem growth with enhanced security
While the new regulation is meant to enhance overall security, PSD2 also establishes a framework for the many payment initiation and account information services delivered by emerging FinTech providers that are linked to consumer accounts. Essentially, consumers and businesses can give third party providers (TPP), as well as payment initiation service providers and account information service providers, access to user payment data. The TPPs can be FinTech providers, non-traditional players or established banks, and their growth and evolution will have a long-term influence on the payment and commerce ecosystem. For example, organisations may experience less direct contact with their customers, as well as reduced insights into various data needed for fraud detection.
On top of PSD2, the implementation of GDPR means customers will have to give consent for TPPs to access/process their payment data, therefore TPPs will not be able to do anything beyond what is explicitly authorised by the customer.
A further concern about data privacy and management is not with regards to third parties – where banks still maintain a degree of control as to how the data is used – it is how the data is handled by fourth parties who access it, as it’s a completely unknown quantity. This issue remains to be solved, and in the near future we may see further standards and guidelines specific to fourth parties introduced.
All this being said, the fact that security and privacy will be at the forefront of any and all third-party access enablement considerations further supports the demand for enhanced and, crucially, unobtrusive authentication. Any security measures that introduce friction and delays into the end-customer experience will be unacceptable, so banking organisations and their technology vendors will need to work together on solutions that ensure the highest level of security, without compromising the user experience.
Domestic, EU and beyond
Since the RTS does not mandate the specific technologies required to meet new standards within each EU member state, businesses will need to ensure their systems are able to operate seamlessly, not just for domestic transactions, but throughout the EU and internationally as well.
Organisations will be well served to find partners that can help them meet RTS security requirements without heavy infrastructure costs or the need for additional staff. As organisations throughout Europe stand on the precipice of PSD2, many questions remain and many are still in ‘watch and wait’ mode. There is no doubt that the new regulations will be a driving force behind new platforms and ecosystems that lead to new business models, and it will be critical for established providers to decide how to take advantage of the opportunity and not be left behind.
EU sets itself jobs, training and equality targets for 2030
By Jan Strupczewski
BRUSSELS (Reuters) – The European Commission on Thursday announced goals for the 27-nation bloc to reduce poverty, inequality and boost training and jobs by 2030 as part of a post-pandemic economic overhaul financed by jointly borrowed funds.
The EU executive arm said the European Union should boost employment to 78% in 2030 from 73% in 2019, halve the gap between the number of employed women and men and cut the number of young people neither working nor studying to 9% from 12.6%.
“With unemployment and inequalities expected to increase as a fallout of the pandemic, focusing our policy efforts on quality job creation, up- and reskilling and reducing poverty and exclusion is therefore essential to channel our resources where they are most needed,” the commission said.
The goals, which will have to be endorsed by EU leaders, also include an increase in the number of adults getting training every year to adapt to the EU’s transition to a greener and more digitalised economy to 60% from 40% now.
Finally, over the next 10 years, the EU should reduce the number of people at risk of poverty or social exclusion by 15 million from 91 million in 2019.
“These three 2030 headline targets are deemed ambitious and realistic at the same time,” the commission said.
The goals are part of the EU’s set of 20 social rights, agreed on in 2017, to make the EU more appealing to voters and counter eurosceptic sentiment across the bloc.
They say everybody has the right to quality education throughout their lives and that men and women must have equal opportunities in all areas and be paid the same for work of equal value.
The unemployed have the right to “personalised, continuous and consistent support”, while workers have the right “to fair wages that provide for a decent standard of living”.
(Reporting by Jan Strupczewski; Editing by Nick Macfie)
UK aero-engineer Meggitt eyes return to growth after pandemic slump
LONDON (Reuters) – British engineer Meggitt said that it could return to profit growth in 2021 provided there are no further lockdowns, despite a weakening in the struggling aviation market at the end of 2020 and early this year.
Pandemic restrictions halted much flying globally last year and forced plane makers Boeing and Airbus to cut production rates, dragging down suppliers like Meggitt, which makes and services parts for such aircraft.
Meggitt’s underlying operating profit plunged by 53% to 191 million pounds ($267 million) in 2020, it said on Thursday, despite continued growth in its defence business which makes parts for military jets and accounts for about 45% of the business.
Meggitt, however, said it expected air traffic to recover in the second half of the year which would help it return to profit growth over the year, although its guidance for flat revenue disappointed analysts who had expected growth of 6%.
Meggitt’s Chief Executive Tony Wood said in November that he had expected flying to start to recover by Easter, but new variants have led to more restrictions and delayed the recovery.
“It has gone back a couple of months… it’s now very much in the summer,” Wood said of the recovery in an interview on Thursday.
Further in the future, Meggitt is positioning itself for the move to lower emissions flying, and its sensors and electric motors will be used on electric urban air mobility platforms, such as flying taxis, and in hybrid aeroplanes being developed.
But Meggitt said new tax breaks announced in Britain’s annual budget on Wednesday aimed at encouraging investment would not change its plans.
“Yes, it will be a benefit. Are we looking at any acceleration as a result specifically of that? Not really,” Wood said.
Shares in Meggitt were down 1% to 427 pence at 0943 GMT. The stock has risen by 50% since news of a COVID-19 vaccine last November, but is still down 23% on where it was pre-pandemic.
($1 = 0.7165 pounds)
(Reporting by Sarah Young; Editing by Alistair Smout and Susan Fenton)
UK’s Sunak will struggle with plan for tax hikes and spending cuts – IFS
LONDON (Reuters) – British finance minister Rishi Sunak will probably have to offer concessions to businesses if he wants to be able to implement a big hike in corporation tax that is at the centre of his new budget plan, a leading think tank said on Thursday.
The Institute for Fiscal Studies also said it was very unlikely that Sunak would be able to deliver the 17 billion pounds annual spending cuts included in his plan.
IFS director Paul Johnson said if the plan was implemented as announced on Wednesday, Sunak would meet one definition of a balanced budget – borrowing only to invest – by 2025-26.
“The sad truth is that that would be a balance built on the highest sustained tax burden in UK history and yet further cuts in unprotected public service spending,” Johnson said.
“That is perhaps one measure of the difficulties presented by more than a decade of paltry growth followed by the deepest recession in history.”
(Writing by William Schomberg, editing by David Milliken)