Open banking is a simple-sounding concept – the rules around it, however, are anything but.
Under the European Union’s second payment services directive (PSD2), strong customer authentication (SCA) aims to ensure that the third parties that banks deal with are who they claim they are.
Mark Hewlett, Ebury
To meet this need, adequate proof needs to be provided. This proof comes in the form of two or more elements defined as knowledge (something only the user will know), possession (something only the user possesses) or inherence (something that the user is).
Before a transaction can be made, the regulator wants to ensure that third-party payment service providers (TPPs) involved can process the transactions as they are claiming, and that neither the sender nor recipient is falling victim to fraud.
This step came as part of the final list of regulatory technical standards published by the European Banking Authority in February to comply fully with PSD2. The new rules firmly mandated the use of digital certificates as proof of identity.
This change is a step towards the TPPs coming under regulatory scrutiny – something which, much to the chagrin of many banks, they have largely avoided so far.
Having this scrutiny is an important step to protect those sending the transactions from the risk of fraud.
In essence, open banking will enable any party to have access to an account to complete a transfer, rather than it going through the traditional bank channels or along the debit or credit card rails. While the aim is to open up this closed area of transactions to more providers and create a greater level of competition, it is not without risk to businesses and consumers alike.
Christian Schäfer, director, head of payment products and solutions initiative director at Deutsche Bank, says: “With PSD2, TPPs will become subject to regulation and supervision.
"As of January 13, 2018, TPPs will therefore be required to obtain the respective approvals by the competent national authorities as payment initiation service provider, information service provider or provincial identity information services provider.”
Information sharing is not limited to the TPPs.
Tristan Blampied, senior product manager at payment solutions provider Pelican, says: “The PSD2 access to account (XS2A) rule mandates banks or account servicing payment service providers (ASPSPs) to share data with third-party providers, and for this the banks will publish their open APIs.
"The exchange of data must also conform to the requirements of SCA.”
After the TPPs have obtained this verification, they will need to have digital proof of who they are.
Deutsche's Schäfer adds: “Following the required approvals, TPPs will then be eligible to obtain digital certificates, which they have to use to authenticate themselves when interacting with ASPSPs.”
Although these TPPs will be able to obtain proof, depending on their own local regulatory authority these might come in different formats.
Pelican's Blampied says this runs the risk of creating confusion, and even exacerbating the problems it is supposed to be preventing.
“Open banking would benefit highly from a common form of certification and data transfer, otherwise the industry runs the risk of fragmentation and differing standards," he says.
“A shared directory is needed to facilitate authentication between ASPSPs and TPPs as part of the XS2A requirement, when the TPPs need access to payment accounts. There is further scope for additional services on top of this to help reduce cost and improve security to protect against fraud.”
He says some methods have already been put forward, but to date there has been no final decisions made.
“EIDAS has been discussed as the type of certificates which could be used to identify the TPPs,” adds Blampied.
EIDAS is an existing European Union regulation used for electronic identification on digital transactions. It provides guarantees on electronic signatures, confirming the validity and certificates and time stamps on digital documentation. It is already trusted and recognized by institutions around the region.
This demand for authentication has been rippling out into other areas. For the banks, being able to prove who they are working with has long been part of the regulatory process.
Mark Hewlett, wholesale banking relationship director at corporate FX risk management, payment and finance specialist Ebury, says: “Identity authentication has become a big discussion topic. It is part of the on-boarding and KYC process, being able to prove who it is that you’re working with.”
The information needed to prove SCA might already be available across bank siloes. It could help to speed up the process of identity confirmation and on-boarding, but banks need to decide if it is worth the investment.
Hewlett adds: “Banks can pull together the information they need through their existing channels. Obtaining the proof of who their customers are is achievable with the technology that is currently available.
"There is a lot of talk about how banks can do this, but the solutions are already out there – they just need to invest in them.”
Allowing the company to bring in that information as proof might seem the perfect solution to some banks, but in reality it might be creating even more problems.
Hewlett continues: “Having the company provide that information themselves through their own means makes it easier under the bank's current workflows, but in actual fact it creates a great amount of box ticking and manual intervention which creates friction.
"This is a discussion we have frequently with our corporate clients when trying to help manage the on-boarding issues.”