How banks can gain trust and reach full PSD2 compliance

The introduction of PSD2 marked the beginning of the emergence of a new eco-system for banks. It is designed to contribute to a more integrated and efficient European payments market. The payment directive aims to provide a level playing field for payment service providers (including new players), make payments safer and more secure and protect consumers.

In order to create a more level playing field, PSD2 demands banks to grant third parties access to their customer accounts. Due to access to accounts (XS2A) in PSD2, banks face the risk of losing the direct relationships with their customers and therefore of being reduced to the role of basic infrastructure providers – and this could result in a drastic cut in their revenues. Banks have to overcome these concerns by gaining their clients’ trust through extraordinary services. To build these services, they have to innovate faster. Here, PSD2 not only points them in the direction of Open Banking, but also is likely to inspire banks on the field of innovation and the creation of connected omni-channel experiences.

Important steps to reach full PSD2 compliance

In order to reach full PSD2 compliance banks should manage the following steps:

  • They need a Strong Customer Authentication (SCA) approach. According to Article 97 of PSD2: “Member States shall ensure that a payment service provider applies strong customer authentication where the payer: (a) accesses its payment online; (b) initiates an electronic payment transaction; (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.” More than strongly authenticate the customer, this approach will be crucial in the capture of his consent (key notion in the GDPR regulation as well).
  • Manage an authentication reset process. With the more frequent and versatile use of the banks’ SCA solution across different TPP driven solutions, the banks issuing SCA should anticipate a higher load on their customer care processes as well as more attempts on social engineering.
  • They have to size the problem of handling the API calls into their core systems. Any good business needs to be prepared for success. But with PSD2 and TPPs accessing the banks’ systems via APIs, banks also need to prepare for successful TPPs – and even for TPPs that by mistake (or by design) generates high load on the APIs.
  • Stress testing the systems is also very important to make sure the bank is not inadvertently opening up security holes with the new digital payment channel. It cannot be emphasized enough how important it is for the banks to prepare carefully for any possible security incidents that might occur as a consequence of the new PSD2 requirements of XS2A for TPPs. The banks’ IT departments should team up with the internal PSD2 experts as well as with external PSD2 service providers – like equensWorldline – to think through all possible risk scenarios that PSD2 services might inflict on the bank.
  • Banks need to figure out how to identify the TPPs. The large number of expected new encounters between banks and TPPs going forward raises some complex questions. How will the banks be able to authenticate in a sufficiently secure way that the TPPs are who they claim to be, and that they have the rights to gain access to a certain bank customer’s account? Clearly the banks cannot jeopardize security by opening up to TPPs unless they are absolutely certainty of their identity.
  • Figure out how transaction settlements are made. As there is no governing scheme in place for Payment Initiation Service Providers (PISP) initiated payments – except the SEPA scheme managing the credit transfer – banks must decide for themselves how to handle the request for settlement of the transactions. This includes adding and storing sufficient transaction data (and metadata) to handle monitoring, as well as disputes and claims, efficiently.

PSD2 requires enhanced security to gain trust

With PSD2, the infrastructures of banks will be opened up to external parties. But the more parties gain access to account information, the higher the demand for controlled access and security will be. This is why the above-mentioned step of an SCA approach is essential here.

In general, there are three factors to identify yourself when making an electronic payment: something that you know (such as a PIN code), something that you possess (such as a telephone) and something that you are (such as a physical characteristic). Under PSD2, the Regulatory Technical Standards (RTS) for SCA requires that one’s identity has to be verified with least two of these three independent options in order to perform a payment. This combination creates a unique authentication code which dynamically links the transaction to a specific amount and a specific payee (for remote internet and mobile payments).

Secure and user-friendly

These measures are necessary to protect the consumer, but at the same time PSD2 obliges banks to offer a smooth user experience. This means that the security measures need to be compatible with the level of risk involved in the payment service, in such a way that the right balance is struck between security and ease of use.

The responsibility for applying SCA lies with the banks. So, it is up to them to comply with these new rules. At the same time, they are obliged to ensure that their authentication services are fully resilient, and to provide a backup user interface for TPPs in order to prevent any downtime and the resulting impact on customers. The biggest challenge, however, is that banks should consider what all of this entails for their resources, costs, customer experience and brand reputation. They should weigh up all the options to achieve compliance whilst protecting relationships.

Mathieu Barthélémy has been working at Worldline in Digital Banking teams for 10 years. He started as a software engineer before spending a number of years as a team leader in Mobile Banking Apps. Interested in topics such as user experience and customer journey, he then joined the business development team. Nowadays, Mathieu works as a product manager on the Digital Banking Platform, a solution designed to support Worldline’s customers in their Open Banking strategy.

Related reading