PSD2 Deadline May Have Moved – What Will Change for Banks?

By Marcin Nadolny, Head of Regional Fraud & Security Practice at SAS

The Europe-wide PSD2 implementation deadline will fall on 14 September. In the UK, it has now been confirmed that the official compliance deadline for the Secure Customer Authentication section of the regulation will be pushed out to March 2021. UK companies must be able to demonstrate that they are moving towards compliance from September 2019, but no enforcement action will be taken for 18 months. For the rest of the EU in general, the timeline is unchanged. However, national competent authorities have the flexibility to provide limited additional time to become PSD2 compliant (see the recent EBA opinion).

The big picture

But whichever country you’re in, it’s essential that companies recognise the urgency at play. In the new digital world, payment security is absolutely essential. The question now is not whether PSD2 compliance should remain at the top of the priority list. It’s how quickly companies can realistically achieve it. In a nutshell, PSD2 simultaneously massively increases the amount of financial data moving into banks’ systems while also making it mandatory that they run fraud controls on that data in real time.

As PSD2 ushers in the age of open APIs in finance, the traffic volume that payment processors will have to handle will be enormous. Consumers’ personally identifiable data will be at heightened risk, and we will observe increased malware attacks and data breaches via the newly created attack vectors. If businesses aren’t prepared for the change, it’ll be a fraudster’s paradise.

Is your organisation ready to cope with this new heavy traffic and identify fraudulent activities? It might be like finding a needle in a haystack. Fortunately, AI is coming to the rescue. Emerging technologies, such as predictive models, network analytics and anomaly detection, all have the power to increase your efficiency in finding and fighting fraud.

Real-time fraud detection

PSD2 is more than just a regulation. It’s the start of a major transformation for the payments industry. With the move to digital-first, open models, there’s an increased need to operate processes in real time – providing instant payments, for example – and that means that fraud prevention will need to move at the same speed.

Adequate anti-fraud protection is required by the regulation. Banks are expected to fill out certain tests as a fraud assessment, including reviewing behavioural profiles, checking known compromised devices and IDs, applying known fraud scenarios to transactions, and detecting malware signs. Analytics can help speed up detection, find suspicious behaviours and collate data points by ingesting new data sources. This builds a picture of “normal” behaviour against which banks can measure transactions.

At present, not all banks are applying all these anti-fraud measures. Some base their protection on simple rules and aren’t able to detect fraud in real time or stop transactions in progress. These abilities aren’t technically required by the regulator until PSD2 comes into effect. Real-time fraud prevention used to be a luxury – but now it’s a must-have. Banks must take the initiative to ensure they can detect fraud in process in incredibly short time frames.

Third parties enter the market

The other major change included in PSD2 is the arrival of third-party providers in the market. These nonfinancial companies, including GAFA (Google, Amazon, Facebook and Apple), e-tailers and fintechs, will be able to work as payment processors going between customers and banks. This means the banks have a much bigger traffic volume to handle and review for fraud. Legacy systems and processes simply can’t handle it.

In order to cope, banks need to have systems in place that are able to assess for fraud at huge volumes and in real time. Not only that, but transactions from third parties might come with limited contextual information. So banks will have to enrich them with additional data on variables including digital identity, reputation and past behaviour.

AI applications will be essential to handle that ongoing enrichment at speed. Humans alone simply can’t process that level of information. So it’s essential that banks invest in AI to augment the skills they have and lighten the load of compliance.

Managing the risk

The risk to banks posed by these growing data streams is not just in terms of payment fraud. There is also a heightened cybersecurity risk. New data flows and new payment systems present possible system back doors and new attack vectors that hackers will be quick to discover. By attacking third party infrastructure, malicious actors will be able to gain access to consumers’ personal data.

 Addressing this problem is not the sole responsibility of the banks. But it highlights the level of risk associated with the increase in data volume and connectedness. Reputational damage and heavy fines are a very real possibility for institutions that don’t get their act together in time.

Compliance will require many changes to anti-fraud and customer identification processes. The technology required to handle this additional burden is out there. Banks must invest wisely and ensure they are fully equipped, whether next month or by 2021.

SAS will be attending the 2019 SIBOS conference in London, where PSD2 will be a key item on the agenda. Visit our stand to find out more about how AI could help you get ready for the deadline.