Open Banking, PSD2, and Strong Customer Authentication
Kevin Turner, VP Systems Engineering, EMEA
6 Min. Read | December 8, 2021
Regulations such as PSD2 and the UK Open Banking Standards have changed the ways consumers conduct transactions as well as how they think about and interact with financial service providers. Identity and authentication are central to this evolution. With open banking reaching U.S. shores, all financial services companies should understand the implications and impacts of the PSD2 authentication requirements as these will likely form the basis for regulations globally.
What Is Open Banking?
Open banking is a term used in general (and as a specific title in the UK) to describe the meeting of traditional banking and modern, data-driven fintech firms. The basic concept is that banks should give their customers greater power over how they use their banking data, such as sharing it with third-party service providers (TPPs) or creating single dashboards for all their finances.
Examples include allowing a customer to prove their creditworthiness to another institution by automatically providing access to accounts at other banks or facilitating purchases and transfers directly from their bank account rather than dealing with a complicated procession of intermediaries.
Open banking adoption accelerated under the COVID-19 pandemic, with use tripling in the UK. However, uptake globally has been slower, which can be attributed to several factors. These include lack of customer trust, lack of consistent, robust guidelines and the difficulties in deploying the security necessary to protect customers' private data. With that in mind, let's review the best current example of what open banking will look like in the medium term, as outlined by the PSD2.
What is PSD2?
The Revised Payment Services Directive (PSD2) is the regulatory framework laid out by the European Commission for the future of payment and banking services, including open banking. PSD2 aims to deliver greater integration of banking and services across the numerous national jurisdictions, thus creating more competition, making payments more secure and delivering improved customer outcomes.
There are several prominent open banking elements addressed in the PSD2, such as:
Account Information Services (AIS): This refers to collecting and storing customer data from multiple accounts in a single location. AIS allows fintech startups to enter the market catering to specific user needs, such as budgeting, doing tax returns and avoiding excessive fees.
Payment Initiation Services (PIS): This provision allows customers to make payments to a vendor directly from their bank account rather than having to go through an intermediary payment provider. Removing layers from payment processing makes things easier for users while simultaneously reducing costs by cutting out providers that charge a per-transaction fee.
Data Provision APIs: Banks and other financial institutions are directed to provide relevant data in a standardized format through APIs. This removes the need for customers to share more personal information, such as login details, and enables them to maintain complete control over what they share while improving the security of data exchanges.
Third-Party Providers (TPPs): A core thrust of open banking and PSD2 is creating a more vibrant, innovative and competitive finance and banking market. By opening the field and forcing banks to cooperate with fintech startups, hundreds of new firms have been created that offer diverse financial services to customers. These include simple money trackers and advice apps, and more complex apps that automatically enroll users in the cheapest utility or insurance provider or switch money between accounts to avoid being penalized by overdraft fees.
Open banking and PSD2 are a vision of the future of banking, but none of it can exist without robust security protocols. That’s why PSD2 authentication requirements demand that Strong Customer Authentication (SCA) underpin all account access and data exchanges.
What is Strong Customer Authentication?
To provide the security necessary to protect the higher volume of data exchanges and customer payment instructions under open banking, the PSD2 requires most customer actions to be protected by Strong Customer Authentication. These include accessing a payment account online, transacting an electronic payment, or any action through a remote channel that carries a payment security risk.
PSD2 defines Strong Customer Authentication as:
“Authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”
Put differently, these PSD2 authentication requirements call for multi-factor authentication (MFA). Access can no longer depend on a single password or a password plus another knowledge-based factor such as a PIN.
The PSD2 Regulatory Technical Standards (RTS) contain several other directives on how Strong Customer Authentication should be implemented, including a requirement for separated secure execution environments for actions performed on mobile apps. This means that many traditional two-factor authentication (2FA) approaches do not meet SCA security requirements. The standards also specify that authentication codes generated by SCA need to be dynamically linked to the transaction details, such as the payment amount and the payee involved in a transaction. This protects against man-in-the-middle attacks where a cybercriminal intercepts the transaction and changes its details: a code generated for one amount and payee is invalid for any other.
These features are all mandated to keep users secure and place the burden of security firmly on the shoulders of financial institutions and fintech app developers.
For financial services providers, however, PSD2 authentication compliance not only creates an implementation challenge, it can create business obstacles. Extra authentication steps can lead customers to abandon transactions or seek more user-friendly providers.
Achieving Strong Customer Authentication with HYPR
Complying with PSD2 authentication requirements is necessary for banks, financial institutions and fintech startups that want to do business in the EU. However, with the increased move towards open banking in other markets, including the US, India and Asia, some form of Strong Customer Authentication will eventually be applied across all open banking activity.
While fraud prevention and secure access are critical, the user experience may be what ultimately determines a financial institution’s market success or failure.
HYPR’s True Passwordless™ MFA solution allows businesses to comply with relevant PSD2 authentication requirements while simplifying login for their customers. Our solution is inherently multi-factor, combining a strong possession factor with device-native user inherence factors. Organizations can also enforce step-up authentication policies based on a combination of factors such as Face ID and decentralized PIN.
HYPR supports the PSD2 dynamic linking and digital signing requirements by sending a signed response with a unique cryptographic link to the transaction amount and payee as a transaction is processed. It also ensures that cryptographic operations are performed within the device’s secure execution environments, fulfilling another Strong Customer Authentication requirement.
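The following is an added illustration of the dynamic linking described in the RTS section and in the paragraph above; it is example code written for this article, not HYPR's product code. It assumes a device-enrolled secret and uses HMAC-SHA256 in place of the asymmetric device signature a FIDO deployment would use; the payee identifiers, amounts and nonces are constructed placeholders.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample secret enrolled on the user's device at onboarding.
# HMAC-SHA256 stands in for the device's asymmetric signing key (assumption).
DEVICE_SECRET = bytes.fromhex("9f" * 32)


@dataclass(frozen=True)
class Transaction:
    amount: str    # decimal string to avoid float rounding, e.g. "125.00"
    currency: str
    payee: str     # beneficiary account identifier shown to the user


def canonical_message(tx: Transaction, nonce: str) -> bytes:
    """Unambiguous encoding of exactly the details the user confirmed."""
    payload = {"amount": tx.amount, "currency": tx.currency,
               "payee": tx.payee, "nonce": nonce}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def device_authenticate(secret: bytes, tx_shown: Transaction, nonce: str) -> str:
    """Runs inside the device's secure execution environment after the user
    approves the displayed amount and payee; the code is bound to both."""
    return hmac.new(secret, canonical_message(tx_shown, nonce),
                    hashlib.sha256).hexdigest()


def bank_verify(secret: bytes, auth_code: str, tx_to_execute: Transaction,
                nonce: str, used_nonces: set) -> bool:
    """The bank recomputes the code over the transaction it is about to
    execute. A changed amount or payee, or a replayed nonce, fails."""
    if nonce in used_nonces:
        return False
    expected = hmac.new(secret, canonical_message(tx_to_execute, nonce),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, auth_code):
        return False
    used_nonces.add(nonce)
    return True


if __name__ == "__main__":
    tx = Transaction("125.00", "EUR", "PAYEE-IBAN-PLACEHOLDER")
    code = device_authenticate(DEVICE_SECRET, tx, "nonce-0001")
    used = set()
    print("genuine:", bank_verify(DEVICE_SECRET, code, tx, "nonce-0001", used))
    altered = Transaction("125.00", "EUR", "ATTACKER-IBAN-PLACEHOLDER")
    print("payee changed:", bank_verify(DEVICE_SECRET, code, altered, "nonce-0001", set()))
    print("replay:", bank_verify(DEVICE_SECRET, code, tx, "nonce-0001", used))
```

The bank must verify against the transaction it will actually execute, never against the details echoed back by the client, or the linkage provides no protection.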
HYPR has already helped major payment providers, banks, insurers and eCommerce corporations make the move to FIDO Certified passwordless authentication, enabling their adoption of open banking and compliance with PSD2 regulations. To find out how we can help you create a more secure, streamlined authentication system and ensure compliance, reach out to our team.