Global Banks Should Not Ignore Europe’s Payment Services Directive 2 (PSD2)
Payment Services Directive 2 (PSD2) is a new EU banking/finance regulation coming into force in January 2018. It is designed to shake up the finance sector — perhaps even designed to weaken the overall strength of the banks following the 2008 crash. While being European in origin, American and other global banks should not — and perhaps cannot — ignore it.
The banks are considered to be too powerful and monolithic, with sole and complete ownership of their customers’ financial data. The European bureaucrats want to introduce some competition. Their chosen route is to force the banks to provide APIs that will allow third-party apps to access customer data and provide new services not currently offered by the banks. The bureaucrats then believe third parties will re-invigorate the payments and finance markets for end users.
There are enormous difficulties for the banks — for while they are required to give third-party access to customer data, they will remain liable for the security of that data under the General Data Protection Regulation (GDPR).
Consider if this is done via a social media organization. That organization will build an app that provides access to, and uses, its customers’ financial data. The banks can authenticate the social media organization; but the social media app authenticates the user. It is possible, then, that access to customer financial data will be controlled only by social media logon; and that will almost certainly be less secure than the multi-factor and behavioral security measures that many banks currently use.
But where there are problems, there are also opportunities. The banks that provide effective and efficient APIs could attract new customers from banks that provide poor APIs, because customers will follow the quality of the third-party apps built on those APIs. As Steve Kirsch, CEO at Token, told SecurityWeek, “In general, when you see a new unstoppable trend, the biggest winners are generally the earliest adopters.”
There are two reasons for American banks (and other global banks) to conform to this new European regulation. Firstly, American banks with a European operation will be required to do so. Secondly, European banks with an American operation will bring their APIs with them. Since the customer will be the biggest winner in this new world of open banking, American banks not offering a similar service will be at a disadvantage. “American banks should be rushing to implement open banking on their own,” says Kirsch. “It is a major step forward for banking.”
The GSM Association (GSMA: the trade body that represents mobile operators with more than 1000 full and associate members) agrees that US banks should get involved. “It should not take a law for American banks to take up PSD2 principles,” Marta Ienco, head of government and regulatory affairs at GSMA Personal Data, told SecurityWeek. “Instilling consumer confidence that money is safe, with fewer clunky security measures, will mean more customers want to use their service and trust the company.”
GSMA believes that mobile banking is inherently secure. “Operators can leverage user data such as location, account and usage history, which in turn can be used to help verify transactions. Moreover,” added Ienco, “this rich data can also help minimize instances of account takeover fraud. So, if someone tries to change the mobile number associated with a bank account, the operator can determine if the original mobile number is still in use, and use it to alert the customer to any suspicious changes to their personal details.”
Like many regulations, PSD2 describes what must be done, but not how it can be achieved. This leads to difficulties both for the third-party app developers and for the banks themselves.
For the developers, it does mandate 2FA; but that is about all. While there are some de facto API standards, such as REST and OAuth, there is no standard for the PSD2 banking APIs. “The APIs for different banks could all be completely different in how they work, how their authentication is achieved, and so on,” explains Andrew Whaley, VP of engineering at Arxan Technologies. “The practical problems for an organization trying to consume these APIs (such as a social media organization, or whatever) means that the third-party potentially has to build a different adapter for every different bank.”
For the banks, one difficulty will be in maintaining their own strict authentication requirements. “PSD2 is clear that the banks are still responsible for the customer data ownership, and the safety of the data,” explains Whaley. “So, if the third party gets hold of the data, and its access controls are not particularly strong and someone else gets hold of the data, accidentally or deliberately, the bank is still liable for the third party’s failure. The only way the banks can counter this is to bring the technology and countermeasures they already have in their own apps to bear in this space and force their own authentication standards through the API so that they have direct communication with the customer before the third-party can get access to the data.”
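The design Whaley describes, the bank authenticating the customer itself before any third party can touch the data, can be sketched as a small API gateway check. This is an added illustration, not code from any bank, PSD2 specification or the companies quoted; the key, token format, OTP step and claim names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for signing consent tokens; a real bank would hold this in an HSM.
BANK_KEY = b"constructed-demo-signing-key"


def verify_customer_with_bank_2fa(otp, expected_otp):
    """Stand-in for the bank's own second factor (constructed); the third party never sees it."""
    return hmac.compare_digest(otp, expected_otp)


def issue_consent_token(customer_id, tpp_id, scopes, otp, expected_otp, ttl=900, now=None):
    """The bank issues a signed consent only after it has authenticated the customer directly."""
    if not verify_customer_with_bank_2fa(otp, expected_otp):
        return None  # no bank-side SCA, no token: the third party's own login is not enough
    now = now or int(time.time())
    claims = {"sub": customer_id, "tpp": tpp_id, "scope": sorted(scopes),
              "sca": True, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(BANK_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def authorize_api_call(token, tpp_id, scope, now=None):
    """Gateway check run before any account data leaves the bank. Returns (allowed, reason)."""
    try:
        body, sig = token.split(".")
    except (AttributeError, ValueError):
        return False, "malformed"
    expected = hmac.new(BANK_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"  # not issued by the bank, e.g. a session the TPP minted itself
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = now or int(time.time())
    if claims["exp"] <= now:
        return False, "expired"
    if claims["tpp"] != tpp_id:
        return False, "tpp mismatch"  # consent is bound to one third party
    if not claims.get("sca"):
        return False, "no bank-side SCA"
    if scope not in claims["scope"]:
        return False, "scope not consented"  # e.g. accounts consent does not cover payments
    return True, "ok"
```

Every denial reason above is one the bank, not the third party, decides, which is the point of keeping the authentication step on the bank's side of the API.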
GSMA agrees that the banks are caught between PSD2 and GDPR. “If banks aren’t completely certain of the provenance of a request, and decline a request from a service provider, they could be in violation of PSD2. But if a data breach then takes place, they could also become liable under the rules of GDPR, also coming into effect next year.”
PSD2 is a done deal and will come into effect in January 2018. European banks cannot avoid it, and American banks with a European presence (that is, European customers) will need to comply for those European customers. However, the global nature of big bank operations means that PSD2 APIs will inevitably come into play in the US. When that happens, US banks unable to take part in the new world of open banking will be at a distinct disadvantage to those that can.