Connect with us
Finance Digest is a leading online platform for finance and business news, providing insights on banking, finance, technology, investing,trading, insurance, fintech, and more. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.


The forgotten half of PSD2

By Amir Nooriala, CCO, Callsign 

Amir Nooriala, CCO, Callsign

One of the core objectives of open banking is to drive innovation within the financial services sector. While banks continue to be the gatekeepers of all customer account data, the regulations and mandates around open banking necessitates that these institutions make their data available to any aggregator that connects to it. 

However, due to the different requesting organisations wanting to use the data, the gatekeepers need to ensure they’re doing this securely, otherwise this could compromise not only the gatekeeper, but the entire open banking system. The legislation has led to an explosion of new challenger banks, technologies and ecosystems to give consumers greater choice around who they use for their financial services. It also enables banks to access similarly innovative services, as well as potentially more customers and channels. 

However, despite rising popularity of open banking, different regions have taken fundamentally different approaches. The European Union has chosen a more regulatory approach to open banking, passing PSD2 to level the playing field. 

Despite the activity within Europe around open banking, it’s just one half of the story when it comes to innovating payments. Many forget the crucial other half of the equation: authentication. In this article, I’ll discuss why it’s vital that both open banking and authentication be considered in tandem if businesses are to truly meet the aims of PSD2 and foster digital trust.  

What is PSD2?

The revised Payment Services Directive (PSD2) was introduced by the European Union to regulate payment services and service providers. First proposed in 2013, PSD2 aims to promote payment innovation, competition and efficiency across the EU. 

The key objectives of PSD2 are to:

The two significant and intra-linked developments under PSD2 are: the liberation of account data (open banking), and the introduction of new, more secure authentication requirements (Strong Customer Authentication)

The first development under PSD2 requires banks to share raw account data with third-party providers, based on customer permissions. Application Programming Interfaces (APIs) allow third-parties to initiate payment transactions on behalf of the customer

In the UK, the nine largest banks were originally mandated to share their data. But since then, many other banks have followed suit in recognition of the opportunity for market innovation, as well as the benefits it brings customers.

This development forms the basis of open banking, and it has seen significant uptake in other parts of Europe over the past couple of years.

The second major development under PSD2 is known as the ‘Regulatory Technical Standards’ (RTS) for Strong Customer Authentication (SCA). SCA aims to enhance the security of payments by introducing the requirement for stronger authentication and consumer protection to limit the potential for fraud. Payment service providers are required to apply the rules of SCA when a customer accesses their payment account online or makes an electronic payment.

The Challenges

Now we’ve covered exactly what PSD2 is, we can look at the challenges that come with it. They are two-fold: 

  • Opening up digital channels introduces risk

Open banking accelerates financial services innovation in every market it’s introduced to. As banks now must share their data with aggregators, this has also opened them up to numerous unsecure digital channels. However, because open banking journeys are orchestrated through redirect flows, this potentially exposes banks to countless unsecure digital channels. 

So, users are redirected to their bank’s web login page or banking app to give consent when they need to authenticate their identity, authorise access to account information or initiate a payment. Traditional authentication mechanisms such as usernames, passwords and SMS One-Time Passcodes (OTP) add considerable friction to this process. And since they rely on analogue processes, they’re detrimental to the success of PSD2’s full objectives in the region.

  • SMS OTPs are not a long-term solution 

Widespread use of mobile phones has led to their adoption as a common authentication mechanism for transaction authorisation and identity verification. Typically, this comes in the form of an SMS OTP alongside a username and password. 

Under SCA, the use of SMS OTPs is categorised as a “possession” factor, based on the possession of a SIM-card associated with the respective mobile number. SMS OTPs are typically used because it’s seen as an easy to implement solution – one customers are familiar with and know how to use. 

However, it’s becoming ever more apparent that there are significant disadvantages to using of SMS OTPs for authentication purposes, namely: 

  1. Security vulnerabilities
  2. Poor customer experience
  3. Cost implications 

Whilst the move to multi-factor authentication is a welcomed enhancement to user security, approaches that rely on SMS OTP represent only the first stage in the evolution of digital authentication.

The solution 

For the purposes of proving possession for authentication, alternative and more secure methods to SMS OTP exist. 

In Europe, the EBA has recognised that approaches relying on mobile apps, web browsers or the exchange of public and private keys, can be used as evidence of possession. They must simply include a device-binding process that ensures a unique connection between the user’s app, browser or key and the device. 

New technologies offer secure and reliable methods of device identification that are more privacy-preserving. It’s important that data being accessed from gatekeepers – such as banks – is done so in an secure manner. The use of behavioral biometrics in a securely bound device represents a stronger method of authentication than SMS OTPs. 

This is something that European banks and retailers are now looking to implement as part of the 3DS2.0 roll-out. This approach should help reduce costs, risks and vulnerabilities, while at the same time enable seamless, frictionless authentication for e-commerce user journeys.

Continue Reading

Why pay for news and opinions when you can get them for free?

       Subscribe for free now!

By submitting this form, you are consenting to receive marketing emails from: . You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Posts