The Payment Services Directive 2 (PSD2) is a new European-wide regulation that requires European banks to make it easier to share customer transaction and account data (where the customer has given their consent) with third party providers, and it's the current hot topic across the payments industry in Europe.
As a result of PSD2, we'll soon witness several non-banking entities enter the payments space as third party providers, for example, social media platforms and other Fintechs. In a digital world where 50 percent of buying decisions are initially researched via social networks or other online and mobile applications, this will be a game-changer for traditional banks and financial organisations. These changes will undoubtedly open new channels and offer a wider range of value-added services, but they can also contribute to increased risk of fraudulent activities.
Elevated risk landscape
Traditional financial organisations have so far enjoyed a bilateral relationship with their customers. That will change when third party providers enter the market with new services. Consequently, as custodians of the customer accounts, banks will see an even higher volume of transactions, including new requests made via these third party providers. This will be on top of requests through their existing digital channels, already challenged with growing consumer demand for mobile payments.
Since banks cannot deny access to third party providers, per the PSD2 mandate, their existing fraud detection systems will be under pressure to cope with the new payment channels. Banks will require a robust, powerful and scalable fraud management platform to sustain the high data throughput and the velocity of requests in real-time. The window for investigations will be significantly reduced and banks will need to rely on advanced analytics and automation to mitigate the increased fraud risk.
New payment actors introduced
Following the release of final regulatory technical standards (scheduled for Q4 2018), account information service providers and payment initiation service providers will be geared up to offer their services to consumers, acting as intermediaries between the end-customers and their banks. The banks will remain the custodians of funds in the customer accounts and the onus is therefore primarily on them to ensure that the incoming requests are not fraudulent.
Banks already face existing challenges in securing online transactions. After PSD2, this problem will be further exacerbated as the requests could be made via third parties where the bank will not have direct interactions with consumers. Requests made via third party providers may be susceptible to third party fraud powered by malware or social engineering techniques and fraudsters could use the third party provider as an obfuscation layer to confuse the banks’ fraud defences.
Access to accounts
A major change introduced by PSD2 is the access to banks’ data infrastructure and customer accounts through APIs. Any new digital channel carries inherent fraud risks, and fraudsters could seize this opportunity to impersonate genuine customers, harvest their information through account information service providers and use it to open fraudulent credit accounts.
Access to accounts can also be an attack vector for data breaches where banks could be liable to heavy fines under regulations like the General Data Protection Regulation (GDPR). Standard business rules or even existing predictive models might not be effective against such risks.
There is also concern that banks may not receive all the relevant data through third party providers (e.g., device information, session data, etc.) and this could reduce the effectiveness of existing customer profiling tools and existing predictive models. One way to tackle this conundrum is to use forward-looking analytical techniques such as anomaly detection. For example, deviations from the peer group pattern for an account information service provider can be indicative of malware harvesting customer information. Likewise, a high value transfer to a foreign account made through a payment initiation service provider can be deemed anomalous for a customer with no such history.
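The two anomaly checks described above, as an added example that is not part of the original article: a peer-group outlier test for account information service providers and a customer-history test for a transfer made through a payment initiation service provider. The provider names, sample figures, thresholds, home country and the choice of a median/MAD modified z-score are all assumptions made for illustration.

```python
from statistics import median

# Constructed sample: distinct customer accounts queried per hour by each AISP.
AISP_HOURLY_ACCOUNTS = {
    "aisp_a": 120, "aisp_b": 135, "aisp_c": 110, "aisp_d": 128, "aisp_e": 2400,
}

# Constructed sample: one customer's past outgoing payments.
HISTORY = [
    {"amount": 40.0, "country": "DE"},
    {"amount": 65.0, "country": "DE"},
    {"amount": 25.0, "country": "DE"},
]


def robust_z(value, peers):
    """Modified z-score (median/MAD), so one extreme peer cannot mask itself."""
    med = median(peers)
    mad = median([abs(p - med) for p in peers])
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def flag_aisp_outliers(counts, threshold=3.5):
    """Return AISPs whose volume deviates from the pattern of their peer group."""
    flagged = []
    for name, value in counts.items():
        peers = [v for n, v in counts.items() if n != name]
        if abs(robust_z(value, peers)) > threshold:
            flagged.append(name)
    return sorted(flagged)


def is_anomalous_transfer(history, transfer, home_country="DE", factor=5.0):
    """Flag a high-value foreign transfer for a customer with no such history."""
    foreign_before = any(t["country"] != home_country for t in history)
    amounts = [t["amount"] for t in history]
    typical = median(amounts) if amounts else 0.0  # no history means no baseline
    is_foreign = transfer["country"] != home_country
    high_value = transfer["amount"] > factor * typical
    return is_foreign and high_value and not foreign_before


if __name__ == "__main__":
    print("AISP outliers:", flag_aisp_outliers(AISP_HOURLY_ACCOUNTS))
    print("Transfer anomalous:",
          is_anomalous_transfer(HISTORY, {"amount": 9000.0, "country": "XX"}))
```

Neither check relies on device or session data, which is the gap the paragraph above raises for requests arriving through third party providers.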
Secure customer authentication
The first step in most online fraud schemes is to gain access to the victim’s account. Strong user authentication is a key factor in mitigating such risks of account takeover, and PSD2 stipulates the mandatory use of 2-factor authentication for most transactions, with a few sensible exceptions. The challenge, however, is not so much around securing access to accounts but rather in balancing security and user experience. The optimal approach lies in adaptive authentication, which monitors all relevant risk factors (e.g., device, channel, value, etc.) and adopts a customer-centric approach for a tailored and robust authentication mechanism.
Identity management, through user validation and verification, is equally relevant to secure authentication. eIDAS, an EU regulation on digital identification for electronic transactions, provides the legal foundation for individuals and businesses to safely access services and transact in virtually ‘one click’. Many financial organisations are considering the use of this federated identity management solution to partly fulfill the secure customer authentication requirements of PSD2. Regardless of the authentication process used, all payment service providers need to ascertain that each access request is legitimate, ideally through a fraud security layer using analytics to ‘risk-score’ authentication attempts.
There is a common misconception that PSD2 mandates the need for instant payments and, as much as this will benefit consumers, it is not the case. The instant payments initiative is driven by a separate but related initiative, SCT inst (SEPA Instant Credit Transfer), which goes live in November 2017. Countries like Sweden, Denmark and the UK already have such schemes (e.g., Faster Payments in the UK), but soon SCT inst will roll out instant payments across the whole region, making instant European cross-border payments a reality. The processing of SEPA instant payments will be at a transaction level and they will be cleared in real time. Instant payments require instant fraud decisions and here again, like the PSD2 third party provider requests, traditional rules-based fraud solutions may not cope with the huge volume and high velocity of incoming requests.
The payments world is at a crossroads where many technologies, regulations and market drivers interact. It’s obvious that the future is being shaped to offer a wider range of easy-to-use, mobile and flexible payment solutions, designed with consumer-centricity in mind and challenging the rigid framework of traditional banking. Whilst this happens, all payment actors need to be wary of fraud risks. Fraudsters are constantly evolving and may use this transitional state-of-play to their advantage by exploiting potential gaps in the payments process.
To prepare, financial organisations need to invest in or upgrade to a holistic fraud platform that uses a range of advanced techniques to mitigate against the early signs of fraud and derive actionable intelligence from data. In other words, they need to adopt a proactive strategy and reduce their fraud permeability through a hybrid ecosystem using discovery analytics, layered detection and adaptive authentication.
Will PSD2 have global impact?
SAS hosted an online discussion to explore new techniques that are now available to handle fraud, the role of digital channels for education, and the potential role of machine learning. We collected the highlights in a Storify under the headline “How will PSD2 change fraud dynamics?”