Global Banking and Finance Review

    PSD2 – the challenges facing the banks when it comes to third party application data access

    Published by Gbaf News

    Posted on May 7, 2019


    Last updated: January 21, 2026


    Tags: APIs, cybersecurity industries, data protection, mobile banking

    By Andrew Whaley, VP Engineering, Arxan Technologies

    The next big challenge on the horizon for both the banking and cybersecurity industries comes from impending updates to the EU’s Payment Service Directive (PSD), which come into effect in 2018. The revised directive, known as PSD2, will enable bank customers – both individuals and businesses – to conduct their finances through third-party providers. The updated mandate is aimed at providing more flexibility and freedom to users, with customers essentially being able to mix and match individual solutions as they see fit, without having to transfer money from their original accounts to create new ones. This will extend to non-banking solutions as well, for example, paying bills or transferring money via social media.


    Nevertheless, this increased flexibility does not come without some major security concerns. Although mobile operating systems actively discourage the linking of applications in order to protect data, banks are going to be obligated to provide application programming interfaces (APIs) to allow third-party providers access to their customers’ accounts. The only way the new directive will function effectively and securely will be through the mobile banking application itself. However, PSD2 does not specify how secure this access will be, nor what risks will arise, and for whom.

    Integration and communication

    As the PSD2 will only function securely through the mobile banking application, there has to be perfect integration and authentication between the banking and third-party applications sharing its data.

    Mobile phone systems themselves actively discourage secure communication between applications because they prefer to keep each individual application separate, in order to protect the privacy of the end user. No application is able to see what other applications are installed on the mobile phone because barriers have been put in place to avoid the mobile phone working as an interim solution. However, PSD2 is looking to break these barriers.

    The issue comes with the connection between the banking app and the third-party app, a point at which attackers can intercept data going from one to the other, or plant malware. Guaranteeing secure integration, authentication, and communication between the two applications on the mobile device is no simple task. The desired end is completely secure communication, so that at no point can either of the applications be manipulated or data leaked. However, there is great complexity associated with guaranteeing secure integration between the two applications on the endpoint, which is predominantly a mobile phone or tablet. If an attacker intercepts the communication, it is possible for them to create a malicious version of the application and discreetly access bank account data.

    Who holds responsibility?

    Unfortunately, the onus mostly falls on the banks, with further effect on their customers. It is the customer who will have to authenticate on the third-party application, be it Facebook, Twitter or any other mobile app, providing it with permission to access their bank account information. The third-party application will then call over to the banking app for permission to access the user’s bank details, leading the banking application to request permission for the third-party application to have ongoing access. The customer will then have to confirm and authenticate this request.

    Grey areas

    PSD2 contains a number of grey areas, some of which will worry the banks, and others more their customers. Unfortunately, while the directive seems to lay down the law for what it wants the banks to do, it does not specify how any of its mandates are to be achieved. With regard to the APIs, PSD2 has not proposed a standard as such. This means one bank could publish one set of APIs, while another could publish a completely different set, leading to a need for different authentication and communication between the mobile applications. This would then create problems when it comes to consuming these APIs as, depending on which bank the customer has their account with, the third-party application through which the account is being accessed will potentially have to build a different adapter and a different API to access the required data. This is mostly an issue for the customer, as it may prevent them from being able to access their data through the application they want to use. Additionally, customers may feel their banking data is no longer secure, affecting the reputation of the banks.

    PSD2 is quite clear that the banks are still responsible for the ownership, safety and confidentiality of their customers’ account data. The only way the banks can counter this is to implement the technology and countermeasures that they already have in place in their mobile applications. They will basically have to force an authorisation through the app, which should then mean they will be able to communicate directly with the end user at the point before the third-party application has been given any access to the data.
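
    The authorisation sequence described under "Who holds responsibility?" and the bank-forced authorisation above, sketched as an added example (not from the article or any bank's code): a bank-side gate that issues nothing until the customer confirms in the banking app, and binds the grant to the requesting app and scope. The class, app identifiers and scope strings are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real bank would hold this in an HSM or key vault.
BANK_KEY = secrets.token_bytes(32)


class ConsentGate:
    """Bank-side gate: no token exists until the customer confirms in the bank app."""

    def __init__(self):
        self._pending = {}  # request_id -> (tpp_id, scope)

    def request_access(self, tpp_id, scope):
        # Step 1: the third-party app asks the bank app for access. Nothing is granted.
        request_id = secrets.token_hex(16)
        self._pending[request_id] = (tpp_id, scope)
        return request_id

    def customer_confirms(self, request_id, authenticated):
        # Step 2: the bank app talks to the customer directly and authenticates them.
        # pop() makes each request single-use, so a replayed confirmation fails.
        entry = self._pending.pop(request_id, None)
        if entry is None or not authenticated:
            return None
        return self._sign(*entry)

    @staticmethod
    def _sign(tpp_id, scope):
        # JSON list encoding keeps the (app, scope) pair unambiguous under the MAC.
        msg = json.dumps([tpp_id, scope]).encode()
        return hmac.new(BANK_KEY, msg, hashlib.sha256).hexdigest()

    def verify(self, token, tpp_id, scope):
        # Step 3: on every API call, recompute and compare in constant time.
        return token is not None and hmac.compare_digest(token, self._sign(tpp_id, scope))


def demo():
    gate = ConsentGate()
    rid = gate.request_access("example-social-app", "accounts:read")
    token = gate.customer_confirms(rid, authenticated=True)
    return {
        "approved": gate.verify(token, "example-social-app", "accounts:read"),
        "other_app": gate.verify(token, "lookalike-app", "accounts:read"),
        "wider_scope": gate.verify(token, "example-social-app", "payments:write"),
        "replayed": gate.customer_confirms(rid, authenticated=True) is not None,
    }
```
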

    What can be done? 

    As mentioned, a big problem with the PSD2 mandate is that there is no technical detail on how the banks will securely publish their APIs. The best solution for this would be to instigate a call to action for all the banks to club together and establish mutual standards for how to secure the API, how to secure the authentication, and what their code of connection will be for anyone that wants to use it. This will give a general framework for everyone else to work towards, encouraging harmony across the banking industry.

    Unfortunately, standards like these will not come into effect immediately, meaning they will not have been established when the directive is implemented in January of next year. Although introducing such a framework will be the most effective solution, in the meantime there are solutions available to provide protection for both the banking applications and the third-party applications looking to integrate and access bank customer account data.
