Now that banks and others in the financial services industry have had time to absorb the final Regulatory Technical Specifications (RTS) on strong customer authentication under PSD2, some may be wondering: What do we do now?
To be sure, PSD2 is set to accelerate the pace of disruption. Among other things, it mandates that banks open their payment account data to third parties through APIs, and that they securely authenticate the account access and payment authorisations made through those APIs.
For banks, success in the era of open banking is predicated most on their role as providers of secure authentication—as mandated by the RTS.
Financial institutions must consider the following five factors when it comes to RTS implementation.
Think Beyond PSD2
Deploying solutions to meet the strictures of the RTS is a baseline requirement, but systems must also be flexible enough to accommodate change as the market evolves.
PSD2 will have such a transformative impact on so many facets of the industry that there are bound to be modifications along the way. That includes the need to adapt to new techniques from cybercriminals seeking to maintain and build upon the revenue streams they presently generate, at a time when one in every three fraud attacks succeeds.
The RTS calls for Strong Customer Authentication (SCA) on remote electronic payments above EUR 30. Smaller payments may skip SCA only while a per-card counter stays within limits: the RTS lets the PSP apply either a cumulative amount of EUR 100 or a run of five consecutive payments, both measured since the last time SCA was applied. Once the counter is exceeded, SCA must be performed and the counter reset. A further transaction risk analysis (TRA) exemption covers payments up to EUR 500, but only where the PSP's fraud rates stay below stringent reference thresholds. Within those exemptions, risk-based authentication (RBA) decides in real time whether a given payment can proceed without the extra step.
The rub: friction such as that introduced by SCA can cost as much as 4% of sales and overall transaction volume, cutting into revenues for both banks and merchants.
Financial institutions will want to deploy digital identity systems that handle SCA and risk-based authentication seamlessly. These solutions combine dynamic digital identity intelligence, advanced behavioural analytics, adaptive policy engines and more to stop fraud in real time without adding friction for the user.
In perhaps its most significant provision, the RTS permits a mobile device to be used as a “multi-purpose” device, hosting SCA alongside other applications, even though the payment service provider (PSP) controls only its own app or software on that device.
In practice, the SCA elements can live on the same device so long as they run in a secure execution environment separated from the one hosting the PSP’s application. Mechanisms must also be in place to detect that neither the device nor the app has been altered, and to mitigate the consequences if one or both has been.
Remember: Context is Everything
The European Banking Authority (EBA) states that users’ previous spending patterns, transaction history, and location at the time of transaction must be used to identify anomalies in payment requests that may signal fraud.
These are just a few of the attributes used to evaluate the true digital identity of end customers in real time. Others include device ID, IP address, geo-velocity, user credential attributes, mobile device integrity and more.
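As an added illustration of how the exemption thresholds in the "Think Beyond PSD2" section and the context signals described here combine in a PSP's decision engine (example code written for this page, not ThreatMetrix's product or any bank's implementation): the function below keeps the per-card counters the low-value exemption depends on, takes the PSP's TRA ceiling as an input (the fraud-rate tiers that determine that ceiling are not covered on this page), and forces SCA when a geo-velocity check finds impossible travel since the previous payment. It applies both the cumulative-amount and the consecutive-count limit, the stricter reading of the rule; the 1000 km/h speed ceiling, the counter reset on SCA and the sample payments are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

# Thresholds as stated in the article (RTS low-value and TRA exemptions), in EUR.
LOW_VALUE_LIMIT = 30.0          # single remote payment at or below this may skip SCA
LOW_VALUE_CUMULATIVE = 100.0    # cumulative exempted amount since the last SCA
LOW_VALUE_COUNT = 5             # consecutive exempted payments since the last SCA
# Assumption for the anomaly check: nothing legitimate moves faster than ~1000 km/h.
IMPOSSIBLE_SPEED_KMH = 1000.0


@dataclass
class Payment:
    amount: float
    at: datetime
    lat: float
    lon: float


@dataclass
class CardState:
    """Per-card counters the PSP must keep between payments."""
    exempt_total: float = 0.0
    exempt_count: int = 0
    last_seen: Optional[Payment] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(prev: Payment, cur: Payment) -> bool:
    """Geo-velocity check: distance / elapsed time above the plausible ceiling."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    if dist == 0.0:
        return False
    return hours <= 0.0 or dist / hours > IMPOSSIBLE_SPEED_KMH


def _record_exempt(state: CardState, p: Payment) -> None:
    state.exempt_total += p.amount
    state.exempt_count += 1


def _reset_after_sca(state: CardState) -> None:
    # Assumes SCA is performed and succeeds; counters restart from zero.
    state.exempt_total = 0.0
    state.exempt_count = 0


def decide(state: CardState, p: Payment, tra_ceiling: float = 0.0) -> Tuple[str, str]:
    """Return ("SCA" | "EXEMPT", reason) and update the card's counters.

    tra_ceiling is the transaction-risk-analysis limit (up to EUR 500) that the
    PSP's fraud rate entitles it to; 0 means no TRA exemption is available.
    """
    prev = state.last_seen
    state.last_seen = p

    # Context anomaly beats every exemption: step up regardless of amount.
    if prev is not None and impossible_travel(prev, p):
        _reset_after_sca(state)
        return "SCA", "impossible travel since previous payment"

    within_low_value = (
        p.amount <= LOW_VALUE_LIMIT
        and state.exempt_total + p.amount <= LOW_VALUE_CUMULATIVE
        and state.exempt_count + 1 <= LOW_VALUE_COUNT
    )
    if within_low_value:
        _record_exempt(state, p)
        return "EXEMPT", "low-value"
    if p.amount <= tra_ceiling:
        _record_exempt(state, p)          # still counts toward "since last SCA"
        return "EXEMPT", "transaction risk analysis"
    _reset_after_sca(state)
    return "SCA", "no exemption applies"


def demo() -> list:
    """Constructed sample: small purchases until the counter trips, then a jump to New York."""
    t0 = datetime(2018, 3, 1, 9, 0)
    state = CardState()
    paris = (48.86, 2.35)
    seq = [
        Payment(25.0, t0, *paris),
        Payment(25.0, t0 + timedelta(hours=1), *paris),
        Payment(25.0, t0 + timedelta(hours=2), *paris),
        Payment(25.0, t0 + timedelta(hours=3), *paris),
        Payment(10.0, t0 + timedelta(hours=4), *paris),   # cumulative would reach 110 -> SCA
        Payment(10.0, t0 + timedelta(hours=5), *paris),   # counters reset -> exempt again
        Payment(20.0, t0 + timedelta(hours=5, minutes=10), 40.71, -74.0),  # New York 10 min later
    ]
    return [decide(state, p)[0] for p in seq]


if __name__ == "__main__":
    print(demo())
```

The ordering matters: the anomaly check runs before any exemption so that a low-value payment from an impossible location still triggers SCA, and a TRA-exempted payment still advances the "since last SCA" counters, which is the conservative choice when the two exemptions are used on the same card.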
Make Security the Mother of Invention
The same mechanisms banks must put into place to comply with open banking standards can also be used to optimise the APIs they develop to support innovation from internal and partner initiatives.
Using digital identity solutions, financial institutions can prioritise the customer experience and maximise the lifetime value of new and existing customers, while drawing on global, crowdsourced intelligence to keep those customers secure.
Sure, there is always a chance the European Parliament will make modifications before the final RTS is approved.
But any such changes are likely to be minimal, and the RTS is still set to apply in 17 months.
That means the best time to get started was last month. The next best time is now.
For a more comprehensive overview of the regulatory aspects of PSD2 in the payments ecosystem, see the two whitepapers provided by ThreatMetrix:
PSD2: Opportunities and Solutions for a New Payment Landscape
PSD2: Guidance and Perspective on Updated Regulatory Environment
About Vanita Pandey
Vanita is the Vice President of strategy and product marketing at ThreatMetrix, the Digital Identity Company. In this role, Vanita leads the strategic vision and go-to-market for ThreatMetrix products and solutions.
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,500 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.
The Paypers. All rights reserved. No part of this site can be reproduced without explicit permission of The Paypers.