What is PSD2?
PSD2, short for the second Payment Service Directive, is an initiative by the EU to make modern banking more secure, open, and consumer-friendly. The EU has been rolling out the new policy directive over the past few years in an attempt to encourage banks to be more accessible to third-party services and to encourage them to implement improved security measures for customers.
In order to achieve these goals, PSD2 has laid out a series of requirements that banks have to meet, which includes things like creating open APIs, incorporating two-factor authentication (2FA), and more. All of this technology already exists, but as yet has only been implemented to varying degrees. PSD2, however, has made their implementation a legal requirement.
This process has been a staged one. Over the last few years, the EU has been enforcing new regulations on the banking industry to encourage the use of the technology piece by piece. Initial results have been very positive. Thanks to the PSD2 directive, there have been large strides in moving banking innovation and security forwards. And, with the directive still in its infancy, this is only likely to continue over the coming years.
Two newly regulated services
One of the key aspects of PSD2 is to regulate an industry that has traditionally been considered separate from the banking sector, and that's account information and payment initiation service providers. As of early 2018, these kinds of institutions are now regulated under PSD2 just like banks.
Account information service provider (AISP)
Account information service providers, which we'll call AISPs from now on, are businesses that collect a consumer's information from several different financial institutions and consolidate them into one place.
For example, if a person uses Bank A for their checking account, Bank B for their short-term savings accounts, and Bank C for their joint accounts, an AISP would collect the data from the three different banks and present it in a single application.
This kind of service gives consumers a reliable overview of their finances, allowing them to interact with multiple banks without overcomplicating their money management. Common examples of these include apps that help consumers set and follow a budget, check their credit, and track their spending. Some banks are now developing services to show account information across all banks in one single dashboard. This change is likely to make banking a much more unified, and user-experience friendly, service for both private and business banking.
The other main service that AISPs provide is using an aggregate of a person's financial information pulled from different institutions and using that information to make the process of obtaining a loan more efficient.
Payment initiation service provider (PISP)
Payment initiation service providers, known as PISPs, are another third-party service that makes purchases on behalf of consumers. A helpful way of thinking of these two services is that AISPs are read-only (they can't affect your financial information, only display it) while PISPs is read-and-write (they can move funds to and from your accounts).
One of the most popular kinds of PISPs right now are overlay services like PingIt and PayM, which act as a middleman between a person's bank account and a business/individual they are making a purchase to. Another common example is automatic savings services, which move a small number of funds from a person's accounts automatically to help them reach savings goals.
When someone makes a purchase/transfer using a PISP, the PISP communicates with the person's bank, requests the necessary amount, and then sends that amount on behalf of the consumer.
Download the PSD2 Brief Introduction Infographic to learn more about PSD2.
Keeping AISPs and PISPs secure
Before these kinds of services were regulated under PSD2, the security and validity of these services were difficult to determine. Which is serious, considering that they have access to one of the most sensitive aspects of the lives of consumers.
Under PSD2, however, these services are required to implement strong customer authentication (SCA) and APIs, both of which have made these services faster and more secure.
However, both AISPs and PISPs create extra vulnerabilities in every transaction. Not only are a consumer's bank and the merchant they're purchasing from potential risk points, but so are the connections from the bank to the PISP/AISP and the PISP/AISP to the merchant. So, with these extra vulnerabilities, how can banks ensure that their customers' assets are as secure as possible?
How JT can add extra security to AISP and PISP transactions
JT can play a role in securing both AISP and PISP transactions.
When it comes to AISPs, JT, working in partnership with the UK Mobile Network Operators, provides access to MNO data in real-time, enabling checks for KYC initiatives (Know Your Customer) that ensure the individual accessing a person's data is whom they say they are. On the PISP side of things, JT can check for SIM swaps and pair this with geographical information of the consumer before approving the transaction. This means that fraud attempts would be stopped before they have the chance to start.
What is open banking?
Open banking is another one of the key initiatives under the PSD2 regulations. Open banking is when banks and other financial institutions grant access to other financial institutions through APIs. APIs are software that allows one service to securely communicate with another.
Before open banking initiatives, the way that several applications would gather data from one another was through screen scraping, which is when the user gives their login information from one service to another, and then that service pulls the information it finds and uses it accordingly. Screen scraping is a poor way to send information between services, as it poses a serious security risk and doesn't always provide the scraping service with the reliable or desired information.
Open banking, on the other hand, creates a handshake of sorts between financial services, increasing the security, speed, and reliability of these interactions. And since it makes it easier for third-party services to utilise your financial info, it opens the door for more startups and industry competition. Third parties can now create products and services based upon access to bank information, which, whilst an important development for innovation, poses new challenges for keeping customer data safe.
Using JT for open banking fraud prevention
Like AISPs and PISPs, open banking provides consumers with far more financial services than ever before. However, each of these services is a potential vulnerability in a consumer's financial structure. Preventing open banking fraud can be difficult as a bank. Even more so since the new PSD2 regulation changes have made it obligatory to opening your customers' banking information to third party providers.
JT can help you keep third party interaction secure without reducing your customers' ability to choose between different services.
As a bank, it can be challenging to tell the difference between a legitimate transaction and a fraudulent one. JT makes this easier by providing banks with identity verification that can be used as part of the interaction with third party services. JT provides access to cross operator network and virtual mobile network operators in real-time, bringing an innovative suite of products to enable the provisioning of creating a risk profile of subscriber information from the aggregated operator data sets.
How SCA and PSD2 will enhance payment security?
Strong customer authentication (SCA) is an EU regulatory requirement established to reduce the risks of fraud in consumer transactions. It requires financial institutions to incorporate two-factor authentication (2FA) into every online transaction. 2FA, as the name implies, uses two pieces of data from a consumer to verify their identity. These pieces of data must be one of the following:
- Something the consumer knows. This could be a password, phone number, or answer to a security question.
- Something the consumer has.This could be a smartphone, hardware token, or physical ID.
- A form of biometric data. This could be fingerprint or facial recognition.
SCA is something that financial institutions are already expected to have implemented as part of the PSD2 regulations.
Industry regulations are now starting to be enforeced, a recent examples under the General Data Protection Regulation (GDPR) saw BA being fined £183 MM and Marriott Hotels being fined £99 MM for data breaches make it clear that the grace period for implementing industry regulations is long over.
What is JT's role in Strong Customer Authentication (SCA)?
While SCA is a great step towards increasing consumer security, it isn't fool-proof. Of the three options for 2FA available, only one of them - biometric data - can't be fraudulently (or remotely) accessed by hackers. Passwords can be learned or changed, and smartphones, tokens, and IDs can be stolen.
A good way to think of SCA is as the required minimum. It's far better than not implementing it, but it doesn't guarantee your customers' security. And that's where JT comes in.
Possibly the biggest vulnerability with 2FA is with SMS verification codes, which are also one of the most common forms of SCA. This is when a consumer is sent a verification code to their smartphone after entering their password, which they must then enter online to gain account access.
The problem with this is that hackers can carry out a SIM Swap to port a person's phone number onto a new SIM that they have. Then, when the verification code sends, they'll be able to gain full account access.
JT can prevent these kinds of attacks from occurring by checking for a SIM Swap, before a one-time password is delivered to the device. In addition, we can supply a secure path for delivering critical and time-sensitive traffic using our 300+ direct operator agreements via our SMPP Messaging Hub.
As with all of JT's security features, this happens instantly during every 2FA interaction, so your customers will never notice a delay. Unless, of course, JT discovers that the SIM has been swapped.
How to cope with the new risks that PSD2 will bring?
While the majority of the PSD2 changes are set to make the banking and finance industries more secure, they're also requiring financial institutions to open up their data and implement new technology, two things that open the door for potential abuse. Some of these risks include:
- Making sure that third party providers are legitimate
- Keeping customers secure even as open banking creates new access points to consumer data
- Ensuring that every strong customer authentication interaction is as strong as possible
In order to address these risks as quickly and effectively as possible, banks would be best served by partnering with experienced security providers. Providers like JT have the industry expertise to navigate the changes being implemented by PSD2 while maintaining your bank's security and your customers' faith in that security.
Another important facet of keeping your service as secure as possible is by educating your customers on these changes, what they mean, and how it could affect them.
Encourage your customers to keep their contact information up to date and make strong passwords a requirement. This is only going to more important as time goes on, particularly as mobiles become an increasingly key medium to deliver sensitive information.
How to identify and authenticate Third Party Providers (TPPs)
One of the major risks that banks are going to face as they begin opening up their data through APIs is third party providers (TPPs) who are either not within PSD2 regulations, are following PSD2 regulations with low-tier security, or are simply fraudulent. Not only do banks need to make sure that their own services are secure, but those of the TPPs they interact with as well.
JT uses aggregate data on TPPs to provide information on creating a risk profile score for every vendor. While the competition that PSD2 is going to promote is positive for the industry's growth, it means that there are going to be more financial institutions than most banks can reasonably keep up with. As open banking transforms the future of money, JT can provide access to MNO & MVNO data to ensure your business is as secure as possible during this transformation.
JT's role in PSD2
As one of the oldest telecom providers in the UK, JT has a unique and high level of insight that when it comes to mobile security. By leveraging this insight, JT can keep banks and customers secure from the rising risk of mobile fraud, the new vulnerabilities being brought about by PSD2, and the potential for fraud among TPP startups.
JT can provide banks with encrypted SCA services that offer additional security checks (like checking for SIM swap fraud) before any sensitive data is ever sent. A key element to creating a complete view of the market is providing access to MVNO data – this means that SIM level information can be procured across all corners of the market.
The new PSD2 regulations are exciting for the industry, but also bring new challenges as they create security concerns that most financial institutions have never considered before. If you're looking for a way to keep customers secure during this transitional period and beyond, considering partnering with an experienced security provider like JT.
Learn more about JT Fraud Protection Services by downloading the overview pack below.
If you have any questions, please feel free to contact one of our FPS experts. |