In a previous post we talked about the advantages of adopting a PSD2 API standard to facilitate the exchange of information between Third Party Providers (TPPs) and banks, thereby contributing to the development of new services and supporting the supply side. However, in order to stimulate demand for these new financial services, the security of the information shared between the parties remains key to their widespread uptake, alongside other obvious factors such as usefulness, quality and price.
There are certainly some less risk-averse users who are comfortable giving their banking credentials to providers. The vast majority, however, are reluctant to give "third parties" access to their account details or initiate a transfer of funds without extensive security guarantees. This is particularly true in the consumer segment, but also with SMEs.
Aware of this barrier, and given the undeniable sophistication of cyber attacks, the text of the Directive and its associated Regulatory Technical Standards (RTS) place the emphasis on strengthening security requirements in an attempt to strike a balance between security and the best possible "user experience". Below we summarise the security mechanisms incorporated by the Directive.
Firstly, the Directive requires that payment service providers be entities authorised to provide new payment services such as Bank Aggregation and/or Payment Initiation. Among the providers identified are the so-called Payment Institutions (PIs), which must be authorised by the relevant national authority (the Bank of Spain, the Financial Conduct Authority in the UK, etc.) prior to providing the services. They must also be subject to regular oversight by the same body. Banks, meanwhile, must check the validity of both the authorisation and the digital certificates that accredit the identity and authority of the PI before supplying the information or initiating the payment. If they are unable to do so or there is no record of them, the bank will not hand over the information or initiate the payment transaction. To determine which PIs are authorised, the European Banking Authority (EBA) maintains a centralised register of currently authorised payment institutions. This is a public register that can be searched by any user before contracting the desired service.
Secondly, user consent (i.e. the express authorisation from the user to the PI) is required so that the PI can request account information from the banks or initiate a payment by bank transfer. This consent has a specific and time-limited scope (Article 67 of the Directive). Therefore, in the Account Information service, the user defines and determines the:
- Payment accounts that will be integrated into the service. It should be noted that, under the PSD2 regulatory framework (and under the Open Banking initiative), it is not currently possible to access information from products other than payment accounts, such as fixed term deposit accounts, investment funds, securities, insurance, loans or other financial products, with the exception of credit accounts.
- Type of information to be provided, such as balances, movements and account features.
- Depth of historical data that can be accessed. If the account information used for the PI's service is older than 90 days, the regulations require enhanced security measures for each user access.
- Finally, the customer can specify the duration of the service and can terminate it at any time, either through the service provider or through the bank.
In the Payment Initiation service, consent requires the buyer to authorise the amount of the one-off or recurring transfer as well as the beneficiary of the transfer (the merchant) before it is processed.
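The Account Information consent scope described above (accounts, data types, history depth, duration and revocation) is ultimately enforced on the bank's side at every request. The following is an added illustration, not code from the original post or from any PSD2 API standard: the `Consent` and `AccessRequest` structures and their field names are assumptions, and the IBAN and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional, Tuple

# Constructed example of a bank-side check that an Account Information request
# stays inside the consent the user granted (Article 67). Field names and the
# Consent/AccessRequest structures are assumptions, not a real PSD2 API schema.

HISTORY_LIMIT = timedelta(days=90)   # history older than this needs SCA on access


@dataclass(frozen=True)
class Consent:
    accounts: FrozenSet[str]         # payment accounts the user put in scope
    permissions: FrozenSet[str]      # e.g. "balances", "transactions", "details"
    valid_until: date                # user-chosen end of the service
    revoked: bool = False            # user terminated it (via the PI or the bank)


@dataclass(frozen=True)
class AccessRequest:
    account: str
    permission: str
    oldest_date: Optional[date] = None   # oldest transaction date asked for
    sca_performed: bool = False          # user completed SCA for this access


def evaluate(consent: Consent, req: AccessRequest, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). Everything outside the consent scope is denied;
    transaction history older than 90 days is allowed only with SCA."""
    if consent.revoked:
        return False, "consent revoked"
    if today > consent.valid_until:
        return False, "consent expired"
    if req.account not in consent.accounts:
        return False, "account not in consent scope"
    if req.permission not in consent.permissions:
        return False, "data type not in consent scope"
    if (req.permission == "transactions" and req.oldest_date is not None
            and today - req.oldest_date > HISTORY_LIMIT and not req.sca_performed):
        return False, "history older than 90 days requires SCA"
    return True, "ok"


# Constructed sample consent: one account in scope, balances and transactions only.
SAMPLE_CONSENT = Consent(frozenset({"ES00-SAMPLE-IBAN"}),
                         frozenset({"balances", "transactions"}),
                         valid_until=date(2024, 6, 1))
```

The denial reason is what a bank would write to its audit trail so that each refused or granted access can be traced end to end.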
In the exchange of information between the PI and the banks, the banks need to verify the identity of the user. Therefore, when users check their account information or authorise a payment, in addition to their personalised electronic banking credentials (username and password), banks will also require what is known as Strong Customer Authentication (SCA) or a second authentication factor (effectively the same thing) out of the three possible factors – knowledge, possession and inherence. Furthermore, and if the bank so chooses, users will enter their online banking access credentials on the bank’s own website and not on the service provider's, which differs from the screen scraping system. In other words, it is conceivable that neither the applications nor the communication interface between the parties will see the user's username and password.
The information exchanged between the PI and the banks will be transmitted through the interface designed for this purpose, which must be developed in accordance with the communication standards defined by the international standards organisations. The aim is to ensure that the information exchanged between the parties remains confidential, cannot be tampered with and cannot be intercepted or stolen. In addition, both PIs and banks are required to record all user interactions with the other parties involved in the service (beneficiaries, merchants, etc.), so that the transaction can be tracked from end to end (traceability).
And finally, in the event of fraud or a negligent transaction, the parties involved in the process, whether Payment Institutions or banks, are obliged to take out indemnity insurance or other specific types of guarantees to cover the risks associated with this activity, or to have their own resources to enable them to deal with these eventualities.
In short, although it is true that implementing the regulations is not without its difficulties and nothing is ever completely secure, the consumer or user of financial services provided by third parties will be able to operate in this market with greater protection and security than is currently available. Xeridia is also working to help financial institutions address the exciting challenges that these regulatory changes present.
Lucia Caballo is a Functional Analyst at Xeridia.