Commissioned by Onegini
1 Executive Summary
In the European Union, the Revised Payment Services Directive (PSD2) will radically alter the financial services landscape. It has already begun to create a more competitive environment, with new business entities arising to offer additional financial services, such as acquiring account information and presenting it to consumers, and initiating payments directly from accounts at traditional financial institutions to merchants and other electronic service providers.
From a technical perspective, PSD2 necessitates improvements in two major functional areas:
- Strong Customer Authentication (SCA)
- Opening new financial service APIs, and properly securing them
Concerning SCA, in most cases, authorization and access control are predicated upon authentication, i.e. determining if the subject is who/what it purports to be. Regulations often stipulate the level of authentication assurance that is necessary for certain types of actions to be performed on systems and data. PSD2, at a high level, requires “strong authentication”. The directive relies upon the standard definition, which requires two of these three factors: something you know, something you have, and something you are.
The many problems with username/password authentication are well known, leading to the conclusion that there is no such thing as a strong password. Higher-assurance authentication is fundamental to reducing the risk of fraud and data loss. Stronger authentication techniques also enable greater compliance with regulations such as PSD2.
PSD2 will spur the adoption of these new authenticators in the quest to achieve SCA. Authenticators with a higher degree of usability, such as mobile push and mobile biometric apps, are likely to be preferred and become dominant. Authenticator form factors such as smart cards and USB tokens will probably not be deployed by banks or fintechs because they are less user-friendly.
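The two-of-three rule described above is easy to get wrong in practice: two authenticators from the same category (a password and a security question are both "something you know") do not add up to strong authentication, and an authenticator that was presented but failed verification must not count at all. The following is an added example, not code from the paper or from Onegini, that evaluates a login attempt against that rule. The mapping of authenticator types to factor categories is an illustrative assumption; a real deployment would take it from its own authentication policy.

```python
from enum import Enum


class Factor(Enum):
    """The three factor categories named in the SCA definition."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed, illustrative classification of authenticator types.
# A real policy engine would load this from configuration.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "mobile_push": Factor.POSSESSION,
    "usb_token": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def factors_present(authenticator_results):
    """Return the set of distinct factor categories successfully verified.

    authenticator_results is a list of (authenticator_type, verified) pairs,
    one per authenticator the user presented. Unverified authenticators
    contribute nothing; an unknown type is rejected rather than guessed.
    """
    categories = set()
    for auth_type, verified in authenticator_results:
        if auth_type not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator type: {auth_type}")
        if verified:
            categories.add(AUTHENTICATOR_FACTOR[auth_type])
    return categories


def meets_sca(authenticator_results):
    """True when at least two distinct factor categories were verified."""
    return len(factors_present(authenticator_results)) >= 2


if __name__ == "__main__":
    # Constructed sample login attempts.
    attempts = {
        "password + push": [("password", True), ("mobile_push", True)],
        "password + security question": [("password", True), ("security_question", True)],
        "password + failed fingerprint": [("password", True), ("fingerprint", False)],
    }
    for label, results in attempts.items():
        print(f"{label}: strong={meets_sca(results)} factors={[f.name for f in factors_present(results)]}")
```

Counting distinct categories rather than distinct authenticators is the whole point: the second and third attempts above each present two authenticators but satisfy only one factor.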
With regard to Application Programming Interfaces (APIs), banks will have to present APIs to Third Party Providers (TPPs) to get user account information and initiate payments. Though banks began moving to online services years ago and many now offer mobile apps, studies show that, as of late 2017, most banks in the EU are not prepared to allow programmatic access from a potentially large number of external financial service providers. Standard APIs are being refined in an open source manner. Most banks will need to build an adjunct infrastructure to support the PSD2-mandated APIs. This new infrastructure must be designed with defense-in-depth principles, including network and API security, plus a trust framework for external service providers and related identity management.
Conversely, TPPs that need to interact with banks must prepare for PSD2 implementation. They will use the APIs to get account information and initiate payments with banks. They will need to establish trust relationships with the banks with which they will do business. Many of these TPP fintechs may also offer SCA as a service: for their own customers, to other fintechs, or perhaps even to banks.
This paper will dive deeper into the technical requirements that banks and financial service providers face in preparing for EU PSD2. We will also discuss the ramifications for banks and other financial services organizations. Finally, we will examine how the Onegini Connect platform can assist TPP fintechs in meeting the challenges of PSD2. Out of scope for this paper is the discussion of organizational and governance-related requirements for TPPs in preparing for EU PSD2.