The EU’s PSD2 directive (the revised Payment Services Directive) aims to regulate electronic payments in EU member countries. It has no impact on traditional paper-based transactions.
The aim is to enable open banking, in which cross-border transactions are easier and cheaper to perform and can involve any number of fintech providers (think digital wallets, payment gateways, and online shopping). Any organization engaged in the process, from the banks themselves to payment providers and account information services (credit checks and data processing), must implement strict security and transparency and protect users’ rights. As expected, the full details of PSD2 are long-winded and packed full of legalese, but it does seem to be an effort to regulate the electronic payment industry, at least within the EU.
However, in an industry that is already a long-term target for cybercriminals, is data sharing with all approved EU banks and fintech companies wise? Will PSD2 change banking processes for European companies? How can companies reduce risk and protect their financial data and related transactions?
Open banking advocates believe increased competition has its benefits.
“Open banking is allowing new players to join the field and offer new services, with the additional benefit of fostering innovation. These improvements are always a step forward for the industry and its end users,” said Don Duncan, security engineer at NuData Security, a biometrics and behavioral analytics company based in Vancouver.
Others say it’s a mixed bag and not necessarily positive.
“With open banking, banks are facing a huge disruption. Whether this is a positive step really depends on how you react as an organization. There needs to be a corporate-wide strategy to address open banking in the right way,” said Felix Rosbach, product manager for comforte AG, a global provider of enterprise data protection solutions for the digital economy.
Data Sharing And Risk
By making APIs available to fintech companies, banks are embracing technology, but is it in their best interest to do so? As Rosbach pointed out, with the implementation of PSD2, new payment methods and services are evolving in the payment environment. Customers will judge their bank on how flexible it is about adopting these new services. Therefore, banks will need to implement APIs and new products to stay competitive. There is a higher risk in leaving the offering as it is than in enabling fintechs.
“Third parties will be in a position to break the customer ownership of a bank as it is no longer the central point of contact for the customer. Traditional banks are at risk of becoming mere utilities. With that, banks lose their direct contact with consumers who use third party apps to manage their accounts or initiate payments,” added Rosbach.
Of course, when access to data is shared (regardless of how well security is adhered to), risk increases, and IT teams in the financial sector must embrace enhanced data security, especially for financial and transactional data. Whether data is at rest (in storage) or in motion (on its way to another storage location) via an API or some other proprietary method, only a managed file transfer solution can secure all aspects of the data journey. In addition, standard file transfer protocol (FTP) is unable to satisfy compliance with applicable standards and legislation. Standard FTP also lacks an audit trail.
Integrating Legacy Technology With Traditional Infrastructure
Whether in or outside the financial sector, it is likely that your organization has a relationship with more than one financial service provider, and with PSD2 encouraging cross-border collaboration, that number is set to increase, at least in a transactional sense, as payments are made from multiple sources in different EU countries. When third parties are able to access and query financial databases via an API, is there increased risk?
“Third parties are not always trustworthy (even if they appear to be) – they could be hacked, and sometimes there is a high risk that those third parties are bad actors themselves. Therefore, it is crucial for banks to a) implement strong authentication processes and b) protect account data in the best possible way – using tokenization, for example,” said Rosbach.
An interesting observation. If a third party is hacked through a bank’s API, who is responsible?
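Rosbach’s two points above (authenticate callers strongly, and hand third parties tokens rather than real account data) are illustrated by the following Python sketch. This is an added example, not code from comforte, NuData or any PSD2 implementation; the in-memory TokenVault, the role names and the IBANs are all hypothetical and constructed for the demonstration.

```python
import secrets
from datetime import datetime, timezone

# Constructed sample records; the IBAN values are placeholders, not real accounts.
SAMPLE_TRANSACTIONS = [
    {"iban": "DE00000000000000000001", "amount": "12.50", "currency": "EUR"},
    {"iban": "DE00000000000000000002", "amount": "99.00", "currency": "EUR"},
    {"iban": "DE00000000000000000001", "amount": "3.10", "currency": "EUR"},
]


class TokenVault:
    """Hypothetical bank-internal vault mapping random tokens to real account ids."""

    def __init__(self):
        self._account_to_token = {}
        self._token_to_account = {}
        self.audit_log = []  # append-only: (utc timestamp, actor, action, token)

    def _record(self, actor, action, token):
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), actor, action, token))

    def tokenize(self, account_id, actor):
        # Same account -> same token, so a third party can correlate its own records,
        # but the token is random and carries no information about the account itself.
        token = self._account_to_token.get(account_id)
        if token is None:
            token = "tok_" + secrets.token_hex(16)
            self._account_to_token[account_id] = token
            self._token_to_account[token] = account_id
        self._record(actor, "tokenize", token)
        return token

    def detokenize(self, token, actor, actor_roles):
        # Only a bank-core role may map a token back; every attempt is audited.
        if "bank_core" not in actor_roles:
            self._record(actor, "detokenize_denied", token)
            raise PermissionError(f"{actor} is not permitted to detokenize")
        self._record(actor, "detokenize", token)
        return self._token_to_account[token]


def build_third_party_view(vault, transactions, actor):
    """Replace real IBANs with vault tokens before records leave the bank via the API."""
    return [
        {"token": vault.tokenize(tx["iban"], actor), "amount": tx["amount"], "currency": tx["currency"]}
        for tx in transactions
    ]
```

The third-party view contains no IBAN at all, and the audit log shows who tokenized or tried to detokenize what and when, which is the trail the article says plain FTP exchanges lack.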
Open banking comes with unseen IT security risks.
“It’s not only that banks need to implement APIs that enable access to a huge amount of sensitive bank account data – which is a risky and complicated thing in and of itself,” said Rosbach, adding that a lot of banks have legacy technology in place. This is especially true for core systems like transaction and account management.
“Whenever you try to pair the latest technology with traditional systems you end up in trouble. Either you exchange the legacy application, or you find middleware or implement complex infrastructure to enable this transformation. Most banks decide to do the latter. Both options hold huge risks in terms of security – as it complicates the existing architecture and opens up your system to new vulnerabilities. Now share this patchwork system, which holds the lifeblood of your company in terms of data, with the internet and allow access to it for third parties. Sounds like a cybersecurity nightmare, right? It is,” said comforte’s Rosbach.
So, risk is present, but companies must still decide if and how they will incorporate electronic payments into their operations.
Perform Due Diligence
Companies involved in payment processing or holders of related data must follow certain rules, which are summed up nicely by NuData’s Duncan.
“Any company who plays a role in protecting user accounts and their data, regardless of the step of the process or how minimal it may seem, needs to make sure their services are offered putting security and privacy first.”
“Today, technology has evolved enough that security doesn’t mean insurmountable walls but rather sophisticated tools that can seamlessly detect changes in an account system or environment. These technologies include, among others, physical and passive biometrics and enhanced device intelligence,” added Duncan.
Companies seeking fintech service providers to optimize payment processing or to reduce costs shouldn’t rely just on compliance with regulations such as GDPR, pointed out Rosbach.
“…compliance isn’t equal to security – so make sure that these partners share your [security and privacy] policies. Furthermore, partners should be able to offer their service sustainably – as implementation usually needs a lot of time – especially with legacy technology on the side of banks,” said Rosbach.
Therefore, if you’re offering a fintech solution, seeking a fintech partner or offering payment processing, perform some research. Check user reviews (although these can be faked), press releases (generally carrying a company bias) and other information on your shortlist of providers. In many cases, referrals from industry contacts are of more benefit than biased reports. Support pages are another option. What are users complaining about?
In conclusion, companies should embrace new technology, but only if it offers a real benefit to their operations. Your financial data is valuable, so choosing who has access to it is worth doing carefully. Electronic payments are necessary and growing in volume each year.
Like it or not (and I must admit I prefer to use cash where possible, as there are no data points created for further analysis by all those that are spying on me, an endless list of online snoops), electronic payments are useful.
“The future is cashless. And that’s not because the government won’t allow us to use cash anymore. It’s because it’s more convenient. Cash won’t completely disappear in a few years, but with more and more sectors of our economy undergoing a digital transformation, digital ways to transfer money (or let’s say assets) are what will define our future. Could be open banking – could also be a (caution: incoming buzzword) distributed ledger using blockchain,” said Rosbach.
What do you think? Is open banking the way forward, despite the identified risks, or is it better to stick with improved services from your own company bank? Or both? Whatever you choose, data privacy and protection is the key deciding factor. Are you prepared?