Commissioned by ForgeRock
1 Executive Summary
Just as Automated Teller Machines (ATM) changed the way customers interact with their banking institutions, eliminating the need to wait in line to talk to a person to make a bank transaction, so too will the Revised Payment Services Directive (PSD2) change banking by enhancing the single payment market across the European Union (EU). PSD2 aims to enhance digital competition by levelling the playing field for new entrants to the financial market. The regulation proposes to make financial transactions cheaper, safer, faster, and more transparent. To help accomplish this, PSD2 will allow Third Party Providers (TPPs) to access customer data at financial institutions via secure APIs once the customer gives the TPP consent to share their bank data.
From a technical perspective, PSD2 drives improvements in two major functional areas:
- Opening new financial service APIs, and properly securing them.
- Strong Customer Authentication (SCA), transactional risk analysis, and malware mitigation in transaction processing
Concerning SCA, KuppingerCole’s whitepaper ForgeRock Identity Platform capabilities for Authentication under PSD2, provides in-depth analysis regarding PSD2’s Strong Authentication requirements and how ForgeRock’s Identity Platform will help to meet this requirement.
With regards to APIs, banks (ASPSPs) are required to open access to their systems for other financial service providers (TPPs) so they may obtain user authorized account information and initiate payments. Though banks began moving to online services years ago and many now offer mobile apps, studies show that many banks in the EU are not prepared to allow secure, consent driven, programmatic access from a potentially large number of external Third-Party Providers. To enable a new and secure financial ecosystem, APIs are being refined and standardized in an open source manner. Most banks will need to build an infrastructure to support the PSD2-mandated APIs. This new infrastructure must be designed with defense-in-depth principles, including data, network and API security, as well as a trust framework for regulated external service providers and related identity and access management.
Like ATMs, PSD2 has the potential to radically change the financial sector in the EU
Conversely, new financial service providers that need to interact with banks must prepare for PSD2 implementation. They will use the APIs to get user-authorized account information and initiate payments with banks. They will need to establish trust with the banks with which they will do business. Many of these TPPs are becoming regulated by National Competent Authorities for the first time, which is crucial in order to ensure that access to customer data held in banking systems is only available to valid third parties.
In this paper, we will dive deeper into the technical requirements that banks and financial service providers will face in preparing for EU PSD2, as well as the implications for banks and other financial services organizations. Finally, we will examine how the ForgeRock Identity Platform can assist banks and TPPs with meeting the challenges of PSD2.