
Concerns about PSD2

by Mark Rowe

Given the value of the assets and the data they maintain or share, it’s understandable that banks may feel exposed by PSD2 from a security perspective. Frederik Mennes, Senior Manager Market and Security Strategy, Security Competence Center, at the digital security product company Vasco, sees the Second Payment Services Directive (PSD2) as an opportunity, rather than a risk.

Given the value of the assets and the data they maintain or share, you can understand why banks may have felt exposed by the concept of PSD2 from a security perspective. Yet there is comfort in knowing that the pressure to ensure transactions are secure is set to drive regulation in areas that haven’t been regulated up until now. It is my view, therefore, that banks can take some comfort from knowing that PSD2 will be a positive driver for change here, bolstering security rather than compromising it.

But is that enough to assure the banks? Once banks open up their APIs to Third Party Payment Service Providers (TPPs) – usually fintech companies – financial data that is currently owned by the bank will be at the disposal of those companies. That means that banks’ ‘safety perimeters’ will extend beyond their own organisation and encompass a fintech’s, too. The concern here is that if a fintech is exposed to a security issue, this may have an effect on the bank as well. I suggest that banks should adopt a number of technical and organisational security measures to address potential threats against their APIs, such as using transaction risk analysis to detect fraudulent transactions and incidents at TPPs.

A further positive factor to consider is that there is no way an industry as heavily regulated as the financial services sector would allow just anyone to offer Account Information Services (AIS), which give customers an overview of their accounts at several banks, or Payment Information Services (PIS), which enable customers to make transactions from different banking accounts. Under PSD2, fintech players new to the market will have to meet rigid security requirements before they proactively offer their services; this validation process should preclude ‘cowboy’ operators from setting up, thus giving banks and customers peace of mind.

Is everyone a winner?

Beyond the security implications banks need to contend with, they may also feel that PSD2 is an initiative designed to favour fintechs. Indeed, it could be argued that they’ve got good reason to feel aggrieved. First, they have to share a lot of their data with a third party. Second, because of how customers will interact with fintech applications, banks may raise concerns that they are being pushed to the background and will therefore lose the essential contact and loyalty they have spent years building up with their customers.

There is, of course, an upside, and there’s a solid case to be made for stating that banks will benefit more from PSD2 than the fintech companies will. If banks also act as an AIS or as a PIS, they can gain insight into accounts held at other banks, or develop their own apps that can perform transactions for several banking accounts. In fact, my advice to banks would be to use PSD2 to their advantage, and act in the capacity of an AIS or PIS; other banks can’t refuse to give access to their data, since that’s the whole idea behind PSD2.

The banks

Of course, banks won’t relinquish full control of AIS or PIS to fintech companies, as there are a number of robust mechanisms in place to protect the banks’ position. To start with, the bank decides which authentication method is needed to access a fintech application. If, for example, you use two-factor authentication combined with a one-time password to log on to your bank account, you will also need it for the fintech application. This means that banks have a lot of say in – and retain a lot of power over – matters relating to security. The balance of power also swings in favour of the banks with respect to customer satisfaction, as fintech companies can only request financial data from the bank a maximum of four times per day. That means that they cannot show customers accurate real-time data, as there will always be a delay. From a customer’s point of view, this makes the app look less relevant than perhaps the bank’s own in-house offering.

I believe that PSD2 will present some initial challenges, just like any new initiative does. But I am also confident that the security risks aren’t as great as the significant opportunity that’s presented by PSD2 to banks, TPPs and customers alike.


© 2024 Professional Security Magazine. All rights reserved.
