By Amir Nooriala, CCO, Callsign
One of the core objectives of open banking is to drive innovation within the financial services sector. While banks continue to be the gatekeepers of all customer account data, the regulations and mandates around open banking require these institutions to make that data available to any aggregator that connects to them.
Because many different requesting organisations want to use the data, the gatekeepers need to ensure they share it securely; otherwise a weakness could compromise not only the gatekeeper but the entire open banking system. The legislation has led to an explosion of new challenger banks, technologies and ecosystems, giving consumers greater choice over who they use for their financial services. It also enables banks to access similarly innovative services, as well as potentially more customers and channels.
However, despite the rising popularity of open banking, different regions have taken fundamentally different approaches. The European Union has chosen a more regulatory approach to open banking, passing PSD2 to level the playing field.
Despite the activity within Europe around open banking, it’s just one half of the story when it comes to innovating payments. Many forget the crucial other half of the equation: authentication. In this article, I’ll discuss why it’s vital that both open banking and authentication be considered in tandem if businesses are to truly meet the aims of PSD2 and foster digital trust.
What is PSD2?
The revised Payment Services Directive (PSD2) was introduced by the European Union to regulate payment services and service providers. First proposed in 2013, PSD2 aims to promote payment innovation, competition and efficiency across the EU.
The key objectives of PSD2 are to:
- contribute to a more integrated and efficient European payments market;
- level the playing field for payment service providers;
- promote the development and use of innovative online and mobile payment services;
- make payments safer and more secure;
- protect consumers;
- encourage lower prices for payments.
The two significant and interlinked developments under PSD2 are: the liberation of account data (open banking), and the introduction of new, more secure authentication requirements (Strong Customer Authentication).
The first development under PSD2 requires banks to share raw account data with third-party providers, based on customer permissions. Application Programming Interfaces (APIs) allow third parties to initiate payment transactions on behalf of the customer.
In the UK, the nine largest banks were originally mandated to share their data. But since then, many other banks have followed suit in recognition of the opportunity for market innovation, as well as the benefits it brings customers.
This development forms the basis of open banking, and it has seen significant uptake in other parts of Europe over the past couple of years.
The second major development under PSD2 is known as the ‘Regulatory Technical Standards’ (RTS) for Strong Customer Authentication (SCA). SCA aims to enhance the security of payments by introducing the requirement for stronger authentication and consumer protection to limit the potential for fraud. Payment service providers are required to apply the rules of SCA when a customer accesses their payment account online or makes an electronic payment.
Now we’ve covered exactly what PSD2 is, we can look at the challenges that come with it. They are two-fold:
- Opening up digital channels introduces risk
Open banking accelerates financial services innovation in every market it’s introduced to. But because banks must now share their data with aggregators, and because open banking journeys are orchestrated through redirect flows, banks are potentially exposed to countless insecure digital channels.
Users are redirected to their bank’s web login page or banking app to give consent whenever they need to authenticate their identity, authorise access to account information or initiate a payment. Traditional authentication mechanisms such as usernames, passwords and SMS One-Time Passcodes (OTPs) add considerable friction to this process. And since they rely on analogue processes, they’re detrimental to the success of PSD2’s full objectives in the region.
- SMS OTPs are not a long-term solution
Widespread use of mobile phones has led to their adoption as a common authentication mechanism for transaction authorisation and identity verification. Typically, this comes in the form of an SMS OTP alongside a username and password.
Under SCA, the use of SMS OTPs is categorised as a “possession” factor, based on the possession of a SIM card associated with the respective mobile number. SMS OTPs are typically used because they’re seen as an easy-to-implement solution, and one customers are familiar with and know how to use.
However, it’s becoming ever more apparent that there are significant disadvantages to using SMS OTPs for authentication purposes, namely:
- Security vulnerabilities
- Poor customer experience
- Cost implications
Whilst the move to multi-factor authentication is a welcome enhancement to user security, approaches that rely on SMS OTPs represent only the first stage in the evolution of digital authentication.
For the purposes of proving possession for authentication, alternative and more secure methods to SMS OTP exist.
In Europe, the EBA has recognised that approaches relying on mobile apps, web browsers or the exchange of public and private keys, can be used as evidence of possession. They must simply include a device-binding process that ensures a unique connection between the user’s app, browser or key and the device.
New technologies offer secure and reliable methods of device identification that are more privacy-preserving. It’s important that data accessed from gatekeepers, such as banks, is accessed in a secure manner. The use of behavioural biometrics on a securely bound device represents a stronger method of authentication than SMS OTPs.
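As an added illustration, not code from this article or from Callsign, the following Go sketch shows the key-based possession proof described above: the device generates a key pair and keeps the private half, the bank enrols the public half against a device identifier (the device-binding step), and each login or payment is authorised by signing a fresh, single-use challenge that also covers the payment details, so there is no shared code to intercept as there is with an SMS OTP. The device identifier, the payment string and the message layout are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Registry is the bank side: enrolled public keys by device ID, plus issued challenges that are single use.
type Registry struct {
	keys   map[string]*ecdsa.PublicKey
	nonces map[string]bool
}

func NewRegistry() *Registry { return &Registry{keys: map[string]*ecdsa.PublicKey{}, nonces: map[string]bool{}} }

// GenerateDeviceKey runs on the device; the private half never leaves it.
func GenerateDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Enrol is the device-binding step: the device ID is tied to its public key.
func (r *Registry) Enrol(deviceID string, pub *ecdsa.PublicKey) { r.keys[deviceID] = pub }

// Challenge issues a fresh random nonce that the device must sign.
func (r *Registry) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand failure is fatal on supported Go versions
	n := hex.EncodeToString(b)
	r.nonces[n] = true
	return n
}

// digest ties the challenge to the device and the payment, so a captured signature cannot be reused elsewhere.
func digest(nonce, deviceID, payment string) []byte {
	h := sha256.Sum256([]byte(nonce + "|" + deviceID + "|" + payment))
	return h[:]
}

// Sign is the device's response, made with its bound private key.
func Sign(priv *ecdsa.PrivateKey, nonce, deviceID, payment string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(nonce, deviceID, payment))
}

// Verify is the bank's check: known challenge, enrolled device, valid signature over the same payment.
func (r *Registry) Verify(deviceID, nonce, payment string, sig []byte) error {
	if !r.nonces[nonce] {
		return errors.New("unknown or already used challenge")
	}
	delete(r.nonces, nonce) // consume it so the same response cannot be replayed
	pub, ok := r.keys[deviceID]
	if !ok || !ecdsa.VerifyASN1(pub, digest(nonce, deviceID, payment), sig) {
		return errors.New("signature does not match an enrolled device key")
	}
	return nil
}
```

A replayed response, a signature from a key that was never enrolled, or a change to the payment details after signing all fail verification.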
This is something that European banks and retailers are now looking to implement as part of the 3DS 2.0 roll-out. This approach should help reduce costs, risks and vulnerabilities, while at the same time enabling seamless, frictionless authentication for e-commerce user journeys.