Final rules on PSD2 shift focus to security


Kimberley Long

The final recommendations for the second Payment Services Directive (PSD2) set out a series of strict rules that should improve security and could also spur greater innovation.


The European Commission has announced the final regulatory technical standards (RTS) for PSD2. Published on November 27, the RTS would see screen scraping outlawed and raise the strength of customer authentication needed to complete a transaction.

Kevin Bocek, vice president of security strategy and threat intelligence at cybersecurity company Venafi, says: “The ban on screen scraping is perhaps the most significant aspect of the RTS. It will really drive a lot of change.”

The ban will hit a number of third-party providers (TPPs) whose business models depend on screen scraping. Their systems log in with the customer's own credentials and act in the customer's place, so to the bank's systems the session looks exactly like the customer. Under the RTS, a TPP must identify itself to the bank and use the access interface the bank provides, so it will be obvious to the bank that it is not the customer who is accessing the account.

Bocek says: “The rules are putting the banks back in control. They will be able to set the boundaries on which interfaces the third parties need to use. It will create a lot of problems for these companies operating solely as TPP. It will initially create chaos, and set up barriers.”

The RTS also makes clear that strong customer authentication (SCA), using two independent factors, will be required for payments made online. Currently, only card details are needed in most European countries to make a payment. Under the rules, authentication must combine two independent elements from different categories: something the customer knows (a PIN or password), something they have (a registered phone or card) or something they are (a fingerprint or iris scan). For remote payments, the authentication code must also be dynamically linked to the specific transaction, so that it is valid only for the amount and payee the customer was shown and confirmed.
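Dynamic linking in practice, as an added example (this is not code from the original article, the RTS or any vendor named here): a hypothetical HMAC-based construction in which the customer's device issues a one-time code over the confirmed amount and payee, and the bank verifies it against the transaction it is about to execute. The device key, the IBANs and the nonce handling are constructed for illustration; the RTS requires the link but does not prescribe an algorithm.

```python
"""Illustrative dynamic linking of an authentication code to a payment.

Added example, not the RTS's prescribed mechanism: the code is an HMAC over
the transaction details the customer confirmed, so a code issued for one
(amount, payee) pair fails verification for any other pair or on replay.
"""
import hashlib
import hmac
import secrets

# Constructed sample key shared between the customer's authenticator and the
# bank (in practice provisioned at enrolment, never a literal like this).
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _canonical(amount_cents, currency, payee, nonce):
    # Length-prefixed fields, so two different transactions can never
    # serialise to the same bytes (e.g. "12|500" vs "125|00").
    out = b""
    for f in (str(amount_cents), currency, payee, nonce):
        b = f.encode("utf-8")
        out += len(b).to_bytes(2, "big") + b
    return out


def issue_code(amount_cents, currency, payee, key=DEVICE_KEY, nonce=None):
    """Authenticator side: code bound to exactly this amount and payee.

    The customer is shown amount and payee before the code is produced;
    the nonce makes each transaction's code distinct even for repeat payments.
    """
    if nonce is None:
        nonce = secrets.token_hex(8)
    mac = hmac.new(key, _canonical(amount_cents, currency, payee, nonce),
                   hashlib.sha256).digest()
    # Truncate to an 8-digit display code, OTP style.
    code = int.from_bytes(mac[:8], "big") % 10**8
    return nonce, f"{code:08d}"


class DynamicLinkVerifier:
    """Bank side: recompute over the details the bank will actually execute."""

    def __init__(self, key=DEVICE_KEY):
        self.key = key
        self.consumed = set()  # nonces already accepted: one code, one transaction

    def verify(self, amount_cents, currency, payee, nonce, code):
        if nonce in self.consumed:
            return False  # replay of a code that already authorised a payment
        _, expected = issue_code(amount_cents, currency, payee,
                                 key=self.key, nonce=nonce)
        if not hmac.compare_digest(expected, code):
            return False  # amount or payee differs from what was confirmed
        self.consumed.add(nonce)
        return True


def demo():
    """Constructed scenario: genuine payment, two tampered copies, one replay."""
    payee = "DE89370400440532013000"       # constructed IBAN
    other_payee = "GB33BUKB20201555555555"  # constructed IBAN
    nonce, code = issue_code(12500, "EUR", payee)  # customer confirmed 125.00 EUR
    bank = DynamicLinkVerifier()
    # A man-in-the-browser changes the amount or the payee after confirmation.
    tampered_amount = bank.verify(99900, "EUR", payee, nonce, code)
    tampered_payee = bank.verify(12500, "EUR", other_payee, nonce, code)
    genuine = bank.verify(12500, "EUR", payee, nonce, code)
    replay = bank.verify(12500, "EUR", payee, nonce, code)
    return tampered_amount, tampered_payee, genuine, replay


if __name__ == "__main__":
    print(demo())
```

The important property is that the bank recomputes the code over the amount and payee it is about to execute, not over values supplied by the same channel that carried the code; if those differ from what the customer saw, verification fails.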

Stringent standards

Providers can avoid these additional steps only where they can show stringent fraud controls: the RTS allows exemptions for low-value and low-risk transactions, the latter conditional on real-time transaction risk analysis and fraud rates kept below set reference thresholds.

This is likely to be particularly important for corporate transactions, which are typically made in batches. The RTS also covers host-to-host machine communications, where a corporate's software connects directly with the bank's software. Where these dedicated corporate payment processes and protocols already provide an equivalent level of security, the national competent authority can exempt them from strong customer authentication.

Although PSD2 itself applies from January 2018, the most contentious requirements, on screen scraping and transaction security, have been given a longer deadline.

There is a three-month period for the European Parliament and the Council to scrutinise the RTS before it is adopted. Once adopted, the rules will not apply until 18 months after publication in the Official Journal of the EU, which puts the expected application date in September 2019. Bocek says: “The 18 month extension in the RTS is recognition of the amount of work that is required to bring the systems of the banks and the third parties up to standard.”

Bocek believes that while the RTS will be a shock to some, the point of the regulation is to overhaul banking: “The rules will actually drive far greater change and complexity over the coming year. As the third parties will not be able to access accounts as easily as they had hoped, they will be forced into developing more detailed alternative ways of working.”


For some fintechs, the new rules will mean making a raft of changes. Serena Smith, head of international payments and chief administrative officer, payments, at financial software vendor FIS, says the TPPs have to be verified before they can begin accessing accounts: “All participants will need to have obtained PSD2 authorizations from the Financial Conduct Authority (or relevant authority for the rest of the EU) to initiate account information and payment initiation interactions via the Open Banking Directory; an identity and access management service that provides identity information to whitelisted natural persons, entities and software identity classes.” 

Banks, meanwhile, are caught between meeting the standards and keeping up with demand. Smith says: “Technically, banks need to assume a hostile environment, yet also be sure that they can service a high number of requests in a compressed period, authenticating, authorising, auditing and if need be throttling them, while remaining alert to actions by unknown malicious actors. Proactive threat detection and encryption in transit and at rest are crucial. And importantly, high level issues around accountability and liability need to mature.”
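The four checks Smith lists (authenticate, authorise, audit and throttle), as an added example that is not FIS's, any bank's or the Open Banking Directory's code: a hypothetical front end for a bank's PSD2 interface with a constructed TPP registry, a per-TPP token bucket and an audit trail. Caller identification is reduced here to a looked-up identifier; in a real deployment it would be established from the TPP's credentials before this point, and the registry would be fed from the TPPs' authorisation records.

```python
"""Illustrative request front end for a bank's PSD2 interface (added example).

Every request is tied to a registered TPP, checked against the role the TPP
holds, rate limited per TPP with a token bucket, and written to an audit log.
Registry contents, endpoints and limits are constructed for illustration.
"""
import time
from dataclasses import dataclass


@dataclass
class TppRecord:
    name: str
    roles: frozenset     # {"AISP"} account information, {"PISP"} payment initiation
    rate_per_sec: float  # sustained request rate allowed for this TPP
    burst: int           # how many requests may arrive at once


# Constructed registry keyed by the identifier the TPP presents.
REGISTRY = {
    "tpp-acme-aggregator": TppRecord("Acme Aggregator", frozenset({"AISP"}), 5.0, 10),
    "tpp-fastpay": TppRecord("FastPay", frozenset({"PISP"}), 2.0, 4),
}

# Which role an endpoint requires; anything not listed is refused.
ROLE_FOR_ENDPOINT = {
    "GET /accounts": "AISP",
    "GET /accounts/{id}/transactions": "AISP",
    "POST /payments": "PISP",
}


class TokenBucket:
    """Classic token bucket: refills at `rate` per second up to `capacity`."""

    def __init__(self, rate, capacity, now):
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Gateway:
    def __init__(self, registry, clock=time.monotonic):
        self.registry = registry
        self.clock = clock
        self.buckets = {}   # one bucket per TPP, created on first request
        self.audit = []     # (time, tpp_id, endpoint, outcome)

    def handle(self, tpp_id, endpoint, now=None):
        """Return "ok", "unknown_tpp", "forbidden" or "throttled"; always audited."""
        now = self.clock() if now is None else now
        rec = self.registry.get(tpp_id)
        if rec is None:                                  # authenticate
            return self._log(now, tpp_id, endpoint, "unknown_tpp")
        needed = ROLE_FOR_ENDPOINT.get(endpoint)
        if needed is None or needed not in rec.roles:    # authorise
            return self._log(now, tpp_id, endpoint, "forbidden")
        bucket = self.buckets.get(tpp_id)
        if bucket is None:
            bucket = self.buckets[tpp_id] = TokenBucket(rec.rate_per_sec, rec.burst, now)
        if not bucket.allow(now):                        # throttle
            return self._log(now, tpp_id, endpoint, "throttled")
        return self._log(now, tpp_id, endpoint, "ok")

    def _log(self, now, tpp_id, endpoint, outcome):      # audit
        self.audit.append((now, tpp_id, endpoint, outcome))
        return outcome


def demo():
    """Constructed traffic with explicit timestamps so the outcome is deterministic."""
    gw = Gateway(REGISTRY)
    results = {}
    results["unknown"] = gw.handle("tpp-nobody", "GET /accounts", now=0.0)
    # An account-information TPP trying to initiate a payment.
    results["wrong_role"] = gw.handle("tpp-acme-aggregator", "POST /payments", now=0.0)
    # 12 requests in the same instant from a TPP allowed a burst of 10.
    burst = [gw.handle("tpp-acme-aggregator", "GET /accounts", now=1.0) for _ in range(12)]
    results["burst_ok"] = burst.count("ok")
    results["burst_throttled"] = burst.count("throttled")
    # Two seconds later the 5/s refill has restored the bucket (capped at 10).
    results["after_refill"] = gw.handle("tpp-acme-aggregator", "GET /accounts", now=3.0)
    results["audit_entries"] = len(gw.audit)
    return results


if __name__ == "__main__":
    print(demo())
```

Throttling per TPP rather than globally matters under the "hostile environment" assumption: one misbehaving or compromised TPP exhausts only its own allowance, and the audit trail records the refusals as well as the successes.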

System updates


Chet Kamat, managing director and chief executive at Oracle Financial Services Software, says this will mean updating systems: “Banks need to take a hard look at their IT architecture, operating procedures and operational controls to build a framework of security while driving openness. Banks have a short timeframe in front of them to embark on a refresh of their IT landscape.”

Kamat believes the complexity of the operations banks need to implement will push them towards newer technologies, as there is no magic bullet for guaranteeing security.

“Apart from this level of high fidelity controls, banks will need to attack the problem of risk and exposure from other angles as well,” says Kamat. “A blend of analytics, machine learning and artificial intelligence will for example need to come into effect to look at every transaction for unusual behaviour detection.”

While they struggle with this, banks also have to take into account other burgeoning regulations, especially those around data and privacy. Says Bocek: “There is the need for balancing the rules imposed by GDPR. It is a delicate balancing act of meeting the needs for privacy with the need to open up. It really does require a totally new way of approaching banking. The result is the need to innovate and develop new applications, beyond making updates to the existing platforms in use.”