Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

Will PSD2 Hinder Rather Than Help the Battle Against Fraud?

Yogesh Patel, Chief Data Scientist Callsign

As part of the Open Banking movement, PSD2 (Revised Payment Services Directive) came into effect in January and has been heralded as a revolutionary way to help deliver the best services and deals to banking customers.

In tandem, part of the legislation requires a strong authentication process whenever a payment is initiated, or remote account access is requested – known as SCA (strong customer authentication).

SCA is being implemented primarily to reduce online payment fraud. For it to be achieved, authentication from two independent dynamic factors from the following is required:

  • Possession: something you own (e.g. mobile phone or tablet)
  • Knowledge: something you know (e.g. a password or PIN code)
  • Inherence: something about you, (e.g. a biometric fingerprint, facial scan, behaviour)

While this all sounds very positive for the consumer, SCA could bring with it a number of security and integration challenges, reason being that any financial institution that hold funds for payments are now accountable for managing their customers’ digital identities.

Yogesh Patel
Yogesh Patel

So, why is this an issue? Firstly, the new SCA method will need applying to a range of existing and potentially disparate channels. A majority of the channels in question normally lie across banks’ legacy systems, therefore, the probability that retail banks will already be facing an omnichannel authentication challenge is extremely high, even without the additional implications of the PSD2. With the added complexity of SCA and requirements for Transaction Risk Analysis (TRA), as well as current customer preferences, problems with security and integration could accelerate to the top of the agenda.

Additionally, there are a wide range of use cases to contend with. In fact, PSD2 actually states that SCA has to be applied whenever an online account is accessed, or electronic payment is carried out, or ‘any other remote access method that may expose the payer to fraud’, unless it is covered by an exemption. Compounding the problem is that different demographics are likely to be familiar with different authentication methods. For example, some individuals don’t have access to mobile phones, some don’t use banking apps, some prefer using a tablet over a desktop computer etc. Ideally, SCA should be intelligent enough to be able to provide the most appropriate solution depending on the type of device or application being used at that moment. It is important that a ‘one size fits all’ solution is avoided.

Ironically, this could end up with SCA leading to more abandoned transactions than usual if a more appropriate user authentication technology is not implemented, with the unfortunate knock-on effect of actually expanding the number of attack vectors a cybercriminal can exploit.

This problem is also complicated by adding the requirements of dynamic linking, whereby elements of authentication dynamically link the transaction to a specific amount and a specific payee. Whilst this adds an extra layer of security, there are additional regulatory requirements that must be met. For example, the payer must be made aware at all times of the amount of the transaction and of the payee and the authentication code must be specific to the amount of the transaction and the payee.

As users become accustomed to being prompted for credentials in circumstances other than direct online banking services, the opportunity for a new set of phishing attacks and the instrumentation of false authentication journeys is created. This exposes consumers to a new series of risks that don’t exist today –in spite of the fact that the intent behind the PSD2 is to decrease fraud and risk.

Combined, this creates something of a multi-layered predicament for banks. While they’re obligated to provide access to accounts through the PSD2, they’ll face significant penalties under the new GDPR if that access is breached. This explains why there’s a premium placed on getting the implementation of SCA right first time and on safeguarding that the digital identities of financial institutions’ customers are accurately managed.

However, it’s not all doom and gloom and banks shouldn’t view SCA as an additional hurdle. Having to act as a ‘gate-keeper’ to their customers’ data means banks will have full responsibility for identity verification whenever authorised third-parties request access to or initiate payment from a user’s account. Although this does bring with it a vulnerability to GDPR penalties it also creates a huge opportunity for them to develop a fully-federated identity service, which can itself be used to leverage new business opportunities, along with the chance to profit from that SCA solution to third parties.

A common issue facing any company that requires its customers to go through an authentication process is the added friction to the customer journey. At first glance, this is particularly problematic for third-parties as implementing two-factor authentication can be extremely costly. However, recent developments in identity technology means that a disrupted customer experience will soon be a thing of the past. These new solutions don’t just benefit the customer, but banks and third-parties too. By banks offering their SCA to third-parties for a small price, third-parties would avoid the need to implement their own costly authentication processes and gain from the awareness customers already have with the bank’s authentication process, avoiding common pitfalls such as frequently forgotten credentials. What this means for banks is that they can offset the costs of PSD2 with this new revenue stream.

Intelligence-driven, adaptive authentication solutions that create a unified, seamless digital identity for each customer is now at our fingertips and will become a key pillar for banks’ success in customer satisfaction. By using an authentication tool that incorporates both hard (facial recognition, fingerprints, iris scanning) and soft (behavioural characteristics e.g. how people type, move their mouse or hold their smartphone) biometrics, such as Callsign’s Intelligence Driven Authentication solution, banks can now deploy the most appropriate authentication action for the user while maintaining a frictionless user interface, enabling customers to get on with their digital lives.