The implementation of the EU’s Second Payment Services Directive, better known as PSD2, is now complete, with all countries within the bloc required to have enacted its provisions into their national law as of January 13th this year.
However, this does not mean the work is done: further stages of PSD2, specifically those relating to customer authentication and fraud prevention, are still to be implemented later this year.
Technical standards set to come into force
At the heart of this are the updated regulatory technical standards (RTS) governing strong customer authentication (SCA). This has a crucial role to play in ensuring that PSD2 standards are secure in an environment where banking services are being opened up to a significant number of new players.
The RTS includes instructions as to what is considered strong authentication, including the use of multiple factors across three different elements, namely knowledge, possession and inherence factors.
One of the most critical decisions for financial institutions when it comes to ensuring they are compliant with the rules will be how they interpret these guidelines, and what authentication measures they provide.
Ensuring strong customer authentication
PSD2’s rules require banks to use two or more elements, which must be independent from each other, though certain transactions will be exempt from these requirements if they are deemed to be low-risk, low-value or use specific secure channels. Therefore, it will be essential for financial institutions to identify when they need to include SCA, as well as what form it should take.
It’s likely that most banks will use a knowledge-based method such as a password or a PIN for one stage of their authentication, as this is both familiar to customers and easy to implement. But for the second, there will be many factors to consider when making a decision.
For example, using a possession-based authentication factor, such as sending a one-time code via SMS or issuing customers with a dedicated dongle, may provide a good solution, but banks should consider the risks involved if the user loses their device, as well as the potential for issues such as SIM-swapping to bypass a mobile phone solution. Meanwhile, inherent factors – usually biometrics – may be more secure in a perfect world, but is the accuracy of today’s technology good enough?
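As an added illustration (not NCR's code), the decision logic described above: each method is grouped under one of the three SCA elements, two methods from the same element do not count as independent, and a transaction backed by only one element proceeds only if an exemption applies. The method-to-element mapping, the exemption names and the 30 EUR low-value threshold are assumptions for the example, not values from the post.

```python
from dataclasses import dataclass
from enum import Enum

class Element(Enum):
    """The three SCA element categories named in the RTS."""
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"

# Constructed mapping of authentication methods to their SCA element.
METHOD_ELEMENT = {
    "password": Element.KNOWLEDGE,
    "pin": Element.KNOWLEDGE,
    "sms_otp": Element.POSSESSION,
    "hardware_token": Element.POSSESSION,
    "fingerprint": Element.INHERENCE,
}

# Assumed placeholder threshold for the low-value exemption; not from the post.
LOW_VALUE_LIMIT_EUR = 30.0

@dataclass
class Transaction:
    amount_eur: float
    trusted_channel: bool = False  # dedicated secure channel (exempt per the RTS)

def independent_elements(methods):
    """Distinct SCA elements covered; password + PIN count only once."""
    return {METHOD_ELEMENT[m] for m in methods}

def exemption(tx):
    """Return the applicable exemption, or None if SCA is required."""
    if tx.trusted_channel:
        return "secure_channel"
    if tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return "low_value"
    return None

def authorise(tx, methods):
    """Return (allowed, reason): SCA needs two independent elements,
    otherwise an exemption must apply."""
    elements = sorted(e.value for e in independent_elements(methods))
    if len(elements) >= 2:
        return True, "sca:" + "+".join(elements)
    ex = exemption(tx)
    if ex:
        return True, "exempt:" + ex
    return False, "sca_required:" + "+".join(elements)
```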
Reducing fraud in an open banking environment
With countries around the world – not just those covered by the jurisdiction of PSD2 – moving towards open banking environments, these changes will inevitably bring with them new fraud risks as criminals look to adapt their tactics and take advantage of any weaknesses in the new landscape.
The potential for increased access to accounts and financial information through APIs will be an ongoing issue that banks will have to pay close attention to in order to keep their customers safe. At the same time, the rollout of more instant payments services – which is not a direct result of efforts such as PSD2, but could take advantage of wider access to payments – will also need to be a focus area, as real-time payments demand real-time fraud prevention strategies.
The coming months will therefore be a critical test for banks’ fraud programs as PSD2 and other open banking initiatives take hold. In many cases, it remains to be seen what impact these initiatives will have on fraud rates, but by being proactive and focusing on strong authentication, financial institutions can minimize their risk.
For more information on this subject, sign up for NCR’s upcoming webinar, Critical Fraud Monitoring Controls Vital in the World of Open Banking, live on May 17th at 09:00 EST. If you can’t make it then, it will be available to watch again on demand.