How does PSD2 affect bank customers' digital identity?
The new Revised Directive on Payment Services (PSD2), issued by the European Banking Authority to deregulate the financial sector before 2018, has sparked a genuine revolution in the processes of managing digital identity, and in its protection.
At BBVAOpen4U we have spoken more than once of the sweeping paradigm shift in modern banks and their transformation into platforms as a service (PaaS) to exploit the ecosystem driven by the new PSD2 regulation (Revised Directive on Payment Services) imposed by the European Banking Authority (EBA). To date, practically no financial sector professional doubts that the banks will be able to comply with the regulatory requirements thanks to third-party application programming interfaces (APIs).
PSD2, which is driving the change before January 2018, rules that the banks will have to open up their payment services to outside companies (Third Party Payment Service Providers, TPPs): payment initiation service providers (PISPs) on the one hand, and account information service providers (AISPs) on the other. Both services require authorization from the customers (whether private individuals or companies) and, of course, prior authentication.
The EU therefore seeks a European payment market that is open to actors other than the banks (fintech companies). In this scenario, managing users' digital identities takes on a new dimension. This Discussion Paper from the EBA explores most of the risks and requirements of the new environment that will follow the implementation of PSD2; it is evidently much more complex, and more sensitive. This is why APIs, and the approach used to program them (open or closed application programming interfaces), are a matter for international debate.
Digital identity, a paramount asset
In the digital age, where mobile devices are a tool for almost everything at all times, users' data are raw material of incalculable value. People registered with a username and password make financial transactions in real time, associated with a first and last name, identity document, place of residence, gender, age and so on. Transactions associated with the retail sector, insurance, leisure and more not only provide information on expenditure but also a record of customers' income. The financial digital identity of millions of people is in the hands of the banks.
With the new PSD2, any company can become one of these TPPs and use the released data to generate new income. There is no doubt that this is a race for the ownership of customers' digital identities, and it will involve hundreds of companies fighting for authorized access to this information. Europe considers that this combines all the essential elements to deregulate the market and that the greatest beneficiaries will be the customers.
The components that guarantee a secure process are the following:
- Identification: definition of the attributes that confirm, beyond any shadow of a doubt, that the user is who they say they are and not someone different pretending to be them.
- Authentication: verification through credentials that the user is the customer they say they are (username and password, OTP, digital certificates and others).
- Authorization: financial service providers (TPPs) with a license to operate must be given authorization by the customers before they can access their accounts. They need to hold proof of consent, which can be obtained through access tokens.
Risk-based authentication (RBA), a new ecosystem
Risk-based authentication (RBA) is the method whereby several levels of security are applied to the processes for authenticating customers or users, to minimize the risk of a breach. Some of the elements used in a risk-based authentication process are often the same as those used in the latest generation of firewalls to classify risk. These are:
- Role-based identification: the greater the privileges a specific user has (for example a network administrator), the stricter the risk controls they are required to undergo, because such accounts have a far greater capacity to break the protection if compromised.
- Location-based authentication: location is a key element for determining whether a transaction or bank operation entails risk. If the user or customer has logged on to an application or financial service from one place and shortly afterwards attempts to do the same from a totally different location, this may indicate an action that represents a risk to the bank and to the customers themselves.
- Activity-based identification: the characteristics of some financial transactions trigger greater levels of control: transfers involving large sums of money, transactions between accounts at different banks, sending money to accounts located in tax havens, and so on.
- Habitual behavior patterns: when a user makes a transaction that is not habitual for them as a customer, that action is more delicate than those that follow their regular behavior patterns. Such deviations tend to be detected by measuring the speed of linked transfers, the amount of each transaction, and so on.
- Other important elements in RBA digital identity control systems include the type of device, IP address, status of antivirus software, and others.
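As an added example (not code from BBVA or the original post), the following Python scores a login or payment event with the signals listed above (role, impossible travel, unknown device, large or unusual amount, destination) and maps the score to the authentication the session must complete. The Event structure, weights, thresholds and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

@dataclass
class Event:
    user: str
    role: str               # "customer" or "admin" (role-based signal)
    ts: datetime
    loc: tuple              # (lat, lon) of the client (location-based signal)
    device_id: str
    amount: float = 0.0     # 0.0 for a plain login
    dest_country: str = ""  # payee account country, "" for a login

# Placeholder policy values; a real bank tunes these from its own fraud data.
HIGH_RISK_COUNTRIES, LARGE_AMOUNT, MAX_SPEED_KMH = {"ZZ"}, 10_000.0, 900.0

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs."""
    (lat1, lon1), (lat2, lon2) = a, b
    h = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))

def risk_score(event, history):
    """Score `event` against the user's earlier events; return (score, reasons)."""
    prev = [h for h in history if h.user == event.user]
    signals = [(event.role == "admin", 30, "privileged role")]
    if prev:  # location-based: distance since the last event vs. elapsed time
        last = max(prev, key=lambda h: h.ts)
        hours = max((event.ts - last.ts).total_seconds() / 3600, 1e-6)
        speed = distance_km(last.loc, event.loc) / hours
        signals.append((speed > MAX_SPEED_KMH, 40, "impossible travel"))
    signals.append((event.device_id not in {h.device_id for h in prev}, 20, "unknown device"))
    signals.append((event.amount >= LARGE_AMOUNT, 30, "large amount"))            # activity-based
    signals.append((event.dest_country in HIGH_RISK_COUNTRIES, 30, "high-risk destination"))
    usual = [h.amount for h in prev if h.amount > 0]                               # habitual pattern
    signals.append((bool(usual) and event.amount > 3 * max(usual), 20, "amount far above usual"))
    hits = [(w, why) for fired, w, why in signals if fired]
    return sum(w for w, _ in hits), [why for _, why in hits]

def required_auth(score):
    # Step-up ladder: password only, password plus OTP, or block pending manual review.
    return "password" if score < 30 else "password+otp" if score < 60 else "block_and_review"

def demo():
    # Constructed sample: two past payments from Madrid, then a routine and a suspect transfer.
    madrid, london = (40.42, -3.70), (51.51, -0.13)
    history = [Event("alice", "customer", datetime(2018, 1, 10, 9, 0), madrid, "phone-1", 50.0, "ES"),
               Event("alice", "customer", datetime(2018, 1, 11, 9, 0), madrid, "phone-1", 120.0, "ES")]
    routine = Event("alice", "customer", datetime(2018, 1, 12, 9, 0), madrid, "phone-1", 60.0, "ES")
    suspect = Event("alice", "customer", datetime(2018, 1, 11, 9, 30), london, "laptop-9", 9_000.0, "ES")
    return {name: risk_score(e, history) for name, e in [("routine", routine), ("suspect", suspect)]}
```

The suspect transfer fires three signals (London 30 minutes after Madrid, a never-seen device, an amount far above the customer's usual) and is blocked for review, while the routine payment passes on a password alone.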