The world of mobile banking is ever-evolving.
With features like rich media messaging (RMM) and rich communication services (RCS), customers don’t have to leave a mobile message in order to make a payment or buy something. For years, many aspects of mobile banking have been unregulated, and with new EU legislation, that’s set to change for many users.
An EU directive called PSD2 allows customers to avail themselves of safer, more secure mobile banking solutions from a wider variety of providers.
Open banking and the second Payment Services Directive (PSD2) offer more safety for customers by increasing security measures on transactions and offering a more diverse range of services to payment service users (PSUs), i.e. customers.
Effective January 2018, the new regulations cover a host of topics regarding security, quality of services, data protection, and more.
To maintain a competitive edge, online and mobile app companies need to understand what’s expected of them to ensure that they meet regulatory standards, as well as the growing needs and expectations of their customers.
What is PSD2?
PSD2 is the latest iteration of the Payment Services Directive (PSD) that was introduced in the EU in 2007.
The original PSD outlined a legal framework for payment providers to operate in, and the aim of the directive was to increase and clarify consumer rights, speed up transactions, and bring in more competition for banks by other financial institutes.
The new payment-process model PSD2 expands upon its predecessor, dealing more specifically with applications and the way in which third-party providers access consumer financial information. Under PSD2, app providers can access customer bank accounts to debit payments directly instead of going through intermediaries, such as credit card companies and processing companies.
PSD2 develops the previous legislation in an effort to give customers more rights, better security measures, and third-party access to account information in order to connect multiple bank accounts across different institutions. A main focus of PSD2 is opening up new payment options for customers by regulating authorized apps which can provide services in areas like budgeting, investing, fintech, and more.
Strong customer authentication (SCA) introduces two-factor authentication (2FA) for certain transactions, meaning that customers will need to confirm their identity via two unconnected methods in order to successfully move funds. Customers can do this by identifying themselves with two of the following three methods:
- Knowledge: Providing information that only the customer has access to, such as a PIN code or a passphrase
- Possession: Confirming access to a device or item belonging to the customer, such as a payment card or a mobile phone
- Inherence: Submitting biometric data unique to the customer, such as a fingerprint or an iris scan
Enforcing the 2FA system makes it much more difficult for bad actors to gain access to customer funds because they would need, for example, physical access to a device, as well as a PIN code to carry out any kind of fraud or theft. The current draft of PSD2 has made 2FA exemptions for some transactions:
- Customers can whitelist merchants to exempt transactions with that merchant from 2FA security requirements.
- Contactless payments under €50 are exempt, up to a maximum of five transactions or €100 in a day.
- Secure corporate payments, as made by corporate/B2B cards, are exempt when made by a business rather than an individual consumer.
- Online payments of up to €30 are exempt, up to a maximum of €100 or five transactions.
- Recurring payments to the same trusted beneficiary are also exempt.
57% of transactions will now need to pass these new security measures; before PSD2, only 3% of transactions fell under that level of scrutiny.
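As an added illustration (not code from the original post or from VoiceSage), the following Python sketch models the SCA decision described above: it applies the listed exemptions, keeps per-payer running totals for the two low-value exemptions, and accepts a 2FA challenge only when the presented factors come from two distinct categories. The mapping of concrete factors to categories, the reset of the low-value counters after a successful challenge, and the `authorize` function are assumptions made for this example.

```python
from dataclasses import dataclass

# Categories are the three named in PSD2; which concrete factor falls where is an assumption.
FACTOR_CATEGORY = {
    "pin": "knowledge", "passphrase": "knowledge",
    "card": "possession", "phone": "possession",
    "fingerprint": "inherence", "iris": "inherence",
}

@dataclass
class Counters:
    """Running per-day totals of exempted low-value payments for one payer."""
    contactless_count: int = 0
    contactless_total: float = 0.0
    online_count: int = 0
    online_total: float = 0.0

def exemption_for(channel, amount, c, whitelisted=False, corporate=False, recurring=False):
    """Return the name of the exemption that applies, or None when SCA (2FA) is required."""
    if whitelisted:
        return "trusted-merchant"
    if recurring:
        return "recurring-beneficiary"
    if corporate:
        return "corporate-payment"
    if (channel == "contactless" and amount < 50
            and c.contactless_count < 5 and c.contactless_total + amount <= 100):
        return "low-value-contactless"
    if (channel == "online" and amount <= 30
            and c.online_count < 5 and c.online_total + amount <= 100):
        return "low-value-remote"
    return None

def two_factor_ok(factors):
    """SCA passes only with factors from at least two distinct categories:
    a PIN plus a passphrase is still a single (knowledge) factor."""
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2

def authorize(channel, amount, c, factors=(), **flags):
    """Decide one payment for a payer and update that payer's counters."""
    exemption = exemption_for(channel, amount, c, **flags)
    if exemption == "low-value-contactless":
        c.contactless_count += 1
        c.contactless_total += amount
    elif exemption == "low-value-remote":
        c.online_count += 1
        c.online_total += amount
    if exemption:
        return "exempt:" + exemption
    if not two_factor_ok(factors):
        return "declined:sca-required"
    # Assumption for this example: a completed SCA challenge resets the low-value counters.
    c.contactless_count = c.contactless_total = 0
    c.online_count = c.online_total = 0
    return "authorized:sca"
```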
Personal Data Protection
The new legislation also allows account holders to choose who has access to their personal data — data can’t be processed without the express agreement of the consumer, allowing for greater protection than under the previous PSD regulations.
Even with permission, payment providers can use consumer data only for the specific purpose they’ve been granted permission for, solving the problem of consumers “signing away” their data in single-use cases, only for it to be stored and accessed indefinitely. Providers have to inform the customer on how data will be processed and must allow customers to access their own data and to request the deletion of their data.
The new legislation standardizes how payments are processed, with authorized apps mandated to adhere to strict regulations regarding the use of personal information.
PSD2 opens the door to new payment options for customers, allowing for new and innovative means of transacting. There are apps that offer assistance in services such as budgeting, investing, fintech, and other related areas.
What Is Open Banking?
A key aspect of PSD2 legislation is open banking and third-party account access. The nine largest UK banks are required by law to release APIs that allow third-party service providers to access user accounts in order to offer totally separate services. An API (application programming interface) lets authorized providers develop applications that can access any bank account once the customer has given permission.
VoiceSage has upgraded API integrations for existing payment gateways such as Stripe and Global Payments. This offers users the added security of knowing that one time payment (OTP) requests, and the SMS messages sent as part of the process, comply with methods laid out by regulatory authorities. We support the requirement for 2FA via our SMS product for any company that needs to support this option. SMS messages are sent within the 10 second window defined by PSD2 regulation.
This new requirement from banks has been met with mixed reactions among UK survey respondents, with one survey showing 50% of consumers opposed to PSD2 open banking. After all, why would granting third-party access to bank accounts be a good thing?
The goal of open banking is to encourage banking innovation and competition. Traditionally, banks and other major financial institutions have had more of a monopoly on financial services, arguably leaving them with little incentive to offer radical improvements. The PSD2 legislation is aimed at generating new ideas, new services, and more choices for the consumer when it comes to how and where to spend their money.
The legislation also deals with how, exactly, third-party providers facilitate payments, with an aim to make this process faster and more secure. Over the past decade or so, third-party service providers have used a technique called screen scraping to access user data. This involves customers using their banking information to sign into a third-party web page, which then accesses their bank account on their behalf. This process can suffer from slow log-in times as well as poor connection stability. User information can also be made vulnerable when entered into the third-party site in this way, and that’s where open banking comes in.
PSD2 open banking was specifically designed to replace screen scraping, enhancing the speed, stability, and security of the process. Passwords are not shared with the third-party provider; the applications designed in the banking APIs handle all customer data. Open banking is available only to third-party providers regulated by the FCA, adding an additional layer of scrutiny and protection to the process.
Screen scraping, a typically unregulated process, is being phased out under PSD2 as of September 2019, leaving regulated open banking as the only way for third-party access to bank accounts. While open banking has been met with some skepticism so far, the UK survey shows that younger generations are more in favor of the idea, with one-third of Gen Zers, those born after 1996, interested in trying the new technology.
How to Use PSD2 and Open Banking to Enhance the Customer Experience
A quick scroll through the App Store or Google Play will show numerous budgeting apps, savings apps, bill tracker apps, banking apps, and fintech apps available to customers. These unregulated apps can continue to operate as normal, but PSD2 and open banking offer authorized apps the chance to stand out from the competition.
As well as benefiting from the added trust that will accompany apps authorized by a regulatory body, authorized apps can offer unique features that benefit the consumer. PSD2 opens the potential for apps that allow customers to see and manage their banking information from different banks all on one platform.
It also enhances security features offered by popular financial services, such as Revolut and Stripe, with the introduction of 2FA, which requires many transactions to be authorized with separate pieces of private information. Even social media giant Facebook is disrupting traditional banking services with Facebook Payments, opening up the potential for Facebook to become an authorized payment initiation service provider (PISP).
PSD2 can help service providers minimize fraud and other attacks on customer data, which is a growing concern among consumers worldwide. Using advanced analytics methods, such as validating the origin of inbound calls to APIs, app providers can detect and mitigate fraud attacks, and apps can be configured to send customers notifications via SMS or other means, positioning authorized providers at the forefront of legislative changes that could seriously disrupt payment services in the EU.
Safeguard Customer Data by Enrolling in Open Banking
There are many unregulated apps offering financial services to consumers, and PSD2 doesn’t state that the consumers need to switch over. However, if there’s an issue with an unauthorized app, such as fraud or a data breach, customers are held liable and will not receive compensation for any loss of funds.
As awareness around the benefits of PSD2 grows, it’s likely that app providers will come under more pressure to apply for regulatory authorization so they can offer the protection provided by the new legislation. Third-party providers can enroll with PSD2 open banking to become authorized, at which point they must make clear what customer information they’re accessing and how it’s being used, as well as confirm which regulator they’re authorized with.
The authorization process is designed to be as transparent as possible in order to offer customers all of the relevant information they may need when choosing which apps to trust and use, and all authorized providers are listed on the FCA Register and Open Banking Directory. The European Commission released a list of FAQs to help companies come to terms with PSD2 and open banking.
Prepare for the Future of PSD2 and Open Market
Although PSD2 became effective in January 2018, public awareness of the change is still lagging behind. A 2019 survey showed that less than two-thirds of UK customers had heard of open banking, and one in five of those who had heard of it couldn’t accurately explain the concept.
This gap offers an opportunity for application providers not yet registered to get ahead of the curve — while the customers may not be leaving unauthorized apps for regulated ones in droves just yet, it’s possible that this will become an increasingly popular trend in the near future.
Becoming a regulated financial services provider will build trust with your customers and increase the chances of new customers choosing your app over an unregulated one in a similar field. By gaining PSD2 authorization in the early stages of the regulatory shift, you’ll be poised to confidently answer any questions your customers may have regarding PSD2. You can follow the steps in this guide to prepare for the future of open banking with PSD2.
Contact VoiceSage to learn more about how we support financial services users in your pursuit of PSD2 compliance.
Published on: 18th October 2019