With the next phase of the second Payment Services Directive (PSD2) still set to take effect on 31 December, financial services (FS) organisations across Europe are running out of time to ensure compliance.
Intended to promote “the development of innovative online and mobile payments, more secure payments and better consumer protection”, PSD2 is designed to “modernise Europe’s payment services”. This deadline brings a new regulatory requirement, Strong Customer Authentication (SCA), designed to tackle fraud and make electronic payments more secure. It represents an essential step towards increased consumer protection.
Under the directive, payment service providers also become fully liable for payments that are not correctly executed: unless the user of the service has acted fraudulently or with gross negligence, the provider must refund the consumer. To avoid the financial and reputational damage that non-compliance would bring, FS organisations need to be prepared.
With the deadline looming, here are the thoughts of some industry experts:
Simon Marchand, Chief Fraud Prevention Officer at Nuance Communications
“The PSD2 not only seeks to reflect technological change, but to promote digital innovation by facilitating the market entry of new types of service providers. It aims to provide greater transparency over transactions in order to improve consumer protection and strengthen the security of payments.
“In order to achieve this, in its next round, the legislation will include a new regulatory requirement aimed at making online payments more secure: Strong Customer Authentication. This will call for the relevant parties to incorporate at least two of the following three elements: a password or PIN; a smartphone or hardware token; or biometric authentication. Today, organisations will be asking themselves, how do we maintain compliance and meet that December deadline while – at the same time – reducing friction for our customers? The answer to that is, in our opinion, that the “something you know” aspect should be avoided.
“PINs or passwords can be forgotten, often leading to a bad experience. Using technologies – such as voice and behavioural biometrics – makes for a seamless customer experience, whilst ensuring the highest levels of security. Users will not need to remember something specific and can simply speak a sentence to be authenticated. And their voice can’t be stolen, unlike passwords. Deploying biometrics provides an opportunity for FS organisations – and others that need to comply with the PSD2 – to clearly signpost their commitment to tackling fraud and safeguarding their customers’ information.”
Alberto Pan, Chief Technical Officer at Denodo
“The next phase of the PSD2 will signify another important step in terms of increased consumer protection. However, for financial organisations needing to comply with the regulation, it’s likely to create some challenges.
“One of those challenges will come in the form of managing and controlling APIs. The PSD2 regulation forces financial organisations to create open APIs in order to expose consumer data to authorised third parties. These authorised parties can utilise the APIs to initiate payments from customer accounts and to aggregate customers’ financial data. With thousands of users and applications needing access in order to make these transactions, it’s imperative that these APIs are both secure and able to perform, especially with PSD2 making Payment Service Providers fully responsible for refunding consumers when payments are not correctly executed.
“However, ensuring this high level of performance and security using traditional methods can be a long and costly process, not helped by the fact that financial organisations often store data across many different disparate systems. This is where modern technologies, such as data virtualisation, could help. By providing unified data views across multiple data origins and automatically generating secure APIs to access them without needing to manually create complex custom code, data virtualisation could be one answer for financial organisations looking to prepare for the newest chapter of PSD2.”
Monica Hovsepian, Global Industry Strategist, Financial Services at OpenText
“The global pressure for open banking is clear. Regulatory bodies around the world are looking for ways to de-monopolise the financial industry to stimulate innovation and provide more options for consumers.
“The introduction of PSD2 means that, with customer consent, their data is released in a secure, standardised form, so that it can be shared between authorised organisations online. The purpose is that this information can be used to make more relevant and personalised offers more quickly when switching between banks, rather than having to build up a long history with each institution.
“Whilst the FCA recently announced an additional six month delay for PSD2 SCA enforcement, due to the exceptional circumstances of the COVID-19 crisis, PSD2 should no longer be seen as an option; it is something that is on the critical roadmap of every financial institution that wants to stay competitive.
“Globally, some traditional financial institutions are embracing open banking already, such as BBVA, Citi Bank and JPMC. However, others are at risk of falling behind. They are risking the unpleasant possibility of losing customers to newer or more agile competitors.
“They would be well served by embracing change and collaborating with new entrants to build a more open ecosystem. This requires incumbents to modernise legacy systems, develop open APIs for information sharing and easy integrations, and to embrace the new products and services that consumers expect. These changes are critical to expedite and increase engagements in the new digital and connected world.”
Jonathan Jensen, Director of Identity Verification at GBG
“The premise behind SCA is to protect consumers and merchants from fraudsters. But as with many good intentions, the outcome risks being something different. The danger the industry faces is that its implementation will lead to the three “F’s” – friction, frustration and fraud among consumers. And when this leads to abandoned transactions, merchants have a problem.
“SCA requires an additional level of authentication in certain ecommerce and online banking transactions, by providing two out of three elements; something you know, something you have, or something you are. (For example: a phone number combined with a one-time passcode or Face ID).
“SCA is usually implemented for ecommerce via 3DS v2.1 or v2.2. The way SCA is currently deployed for ecommerce typically involves sending a one-time code via text message or email to verify online purchases. However, regulators do not see this method as compliant, so alternatives like biometrics are required. One-time codes can likewise pose problems for consumers when there’s poor mobile coverage or limited WiFi availability, leading to a poor consumer experience overall.
“Furthermore, guidance being given by banks can be vague – I once received an email stating that when using online banking I would ‘sometimes’ be sent a code to login, and I ‘may’ be asked to use my card reader when carrying out certain transactions. This will likely leave many consumers wondering what’s legitimate and what’s a smishing (SMS phishing) attempt by a bad actor.
“Dynamic linking between an authentication token for an individual transaction, a set amount and a named merchant is another SCA requirement. However, merchant names often do not exactly match within authorisation and authentication systems and final transaction amounts can vary. These variables can make dynamic linking a challenge.
“But it’s not all bad news; technology is helping to overcome these problems. Digital banks are already exploiting the smart functionality in their apps to present consumers with notifications that require a simple tap to authorise the transaction, combined with a biometric. And there’s technology available that seamlessly carries out the authentication on the consumer’s handset in the background, without them needing to do anything. Payment methods like Apple Pay, for example, don’t require any additional authentication and still let you pay with your usual debit or credit card, as the consumer has already authenticated via Face ID or Touch ID. Innovation will be crucial to the successful implementation of SCA, and ultimately, the ability of merchants and consumers to carry on transacting.”
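The dynamic-linking requirement Jensen describes (an authentication code tied to one transaction's amount and payee) is easiest to understand in code. The following is an added illustration, not code from the article, GBG, or any 3-D Secure product. It assumes an HMAC-SHA256 keyed code truncated to a fixed number of digits, a random per-transaction challenge stored with the pending payment, and simple canonicalisation rules for amount and merchant name; all of those are choices made for this example, not something the page or the regulation prescribes.

```python
"""Illustration of SCA 'dynamic linking': an authentication code bound to a
specific amount and payee, so a code captured for one transaction cannot be
replayed for another. Added example; not the article's or any provider's code.
The key, canonicalisation rules and message layout are assumptions."""
import hashlib
import hmac
import secrets
from decimal import Decimal, InvalidOperation
from typing import Optional

CODE_DIGITS = 8  # length of the code shown to the payer (assumed)


def canonical_amount(amount) -> str:
    """Normalise the amount to exactly two decimal places so '42.5' and
    '42.50' bind to the same code. Raises ValueError on non-numeric input."""
    try:
        return str(Decimal(str(amount)).quantize(Decimal("0.01")))
    except InvalidOperation as exc:
        raise ValueError(f"bad amount: {amount!r}") from exc


def canonical_payee(name: str) -> str:
    """Collapse case and runs of whitespace, since merchant names often differ
    slightly between authorisation and authentication systems. Anything beyond
    this (e.g. a different legal vs trading name) is deliberately NOT tolerated."""
    return " ".join(name.split()).upper()


def link_message(amount, currency: str, payee: str, challenge: bytes) -> bytes:
    """Canonical byte string the code is computed over. Each field is length-
    prefixed so one field cannot be shifted into another (no delimiter ambiguity)."""
    parts = [canonical_amount(amount).encode(), currency.upper().encode(),
             canonical_payee(payee).encode(), challenge]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def issue_code(key: bytes, amount, currency: str, payee: str,
               challenge: Optional[bytes] = None):
    """Issuer side: generate a fresh challenge (nonce) and the code bound to it.
    The challenge is stored with the pending transaction; the code is delivered
    to the payer alongside the amount and payee they are asked to confirm."""
    if challenge is None:
        challenge = secrets.token_bytes(16)
    mac = hmac.new(key, link_message(amount, currency, payee, challenge),
                   hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % 10 ** CODE_DIGITS
    return challenge, f"{code:0{CODE_DIGITS}d}"


def verify_code(key: bytes, challenge: bytes, code: str,
                amount, currency: str, payee: str) -> bool:
    """Recompute the code from the values actually about to be executed.
    If amount or payee drifted after issuance, verification fails."""
    _, expected = issue_code(key, amount, currency, payee, challenge)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Constructed scenario: one issued code checked against several outcomes."""
    key = b"\x01" * 32  # constructed demo key; a real issuer keeps this per customer in an HSM
    challenge, code = issue_code(key, "42.50", "GBP", "Acme Ltd")
    return {
        "same_transaction": verify_code(key, challenge, code, "42.50", "GBP", "Acme Ltd"),
        "formatting_drift": verify_code(key, challenge, code, "42.5", "gbp", "acme   ltd"),
        "amount_changed": verify_code(key, challenge, code, "43.50", "GBP", "Acme Ltd"),
        "payee_changed": verify_code(key, challenge, code, "42.50", "GBP", "Other Shop Ltd"),
        "replayed_challenge": verify_code(key, secrets.token_bytes(16), code, "42.50", "GBP", "Acme Ltd"),
    }


if __name__ == "__main__":
    for outcome, ok in demo().items():
        print(f"{outcome:20s} {'accepted' if ok else 'rejected'}")
```

The two rejections in the middle are the point of the requirement: a code phished or captured for a 42.50 payment to one merchant is useless for a different amount or payee, and a code is also useless once its challenge has been consumed. The canonicalisation functions show where the difficulty Jensen mentions lives: if final amounts or merchant names legitimately change between authentication and authorisation, the issuer must either re-authenticate or define, in advance, exactly which differences it will tolerate.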