What are the new risks that PSD2 will bring and how to cope with them?

PSD2 brings new security risks when interacting with third-party providers

PSD2 is a set of policies set forth by the EU to improve the standard of banking. The regulations, which first started rolling out in early 2018, call for open banking, strong customer authentication, greater transparency, and other improvements to the security of banking in the EU.

Whilst all of these changes are sure to be positive for both the banking industry and customer security alike, many are still unprepared for them. In fact, 41% of banks missed the March 14th deadline earlier this year. The next deadline is September 14th, though the FCA has granted banks an 18-month grace period to meet the new regulations.

The changes brought about by PSD2 are not only difficult to keep up with, but they also carry new risks that many banks have never faced before.

Security risks when interacting with third-party providers

One of the major risks that the September PSD2 changes bring is with third-party provider interactions.

Why?

EU banks will need to implement open banking policies by the deadline to remain compliant. To put it simply, open banking means opening up access to a bank's data to other financial institutions and services, typically via APIs. This is how services like Venmo, PayPal, and budgeting apps work.

An "open" system with sensitive data

The second main concern, which you may have just realised, is that an open system with APIs creates easier access to your customers’ data.

To understand why this is, it’s helpful to think of an API as a set of doorways. And behind every door is a different set of data: account balances, transaction history, the ability to make deposits/withdrawals… all along with other customer information, too.

In an ideal system, these APIs (or doorways) would only be accessible to trusted parties with your knowledge of their access. However, for reasons we all know, banks have always been a target for criminal activity, and it's not hard for anyone to imagine that there are those out there waiting to abuse these new access points to bank data.

Making sure that third-party providers are legitimate

Addressing the first security concern of the September deadline - avoiding fraudulent third-party providers. The best way to do this and avoid negative interaction with a third-party provider is to prevent that interaction from ever happening in the first instance.

So, how is this done?

First, it's unlikely that most banks have the resources to vet every single third-party provider that ever wants to interact with them. Instead, banks can leverage the data that other services already have on third-party providers to decide if they're trustworthy or not, the same way a computer will warn you right before you access a scam website.

For this kind of TPP screening service to work, it needs to be immediate, reliable, and effective, which is where risk profile scoring comes in.

Using risk profile scoring to authenticate third parties

Risk profile scoring involves gathering a comprehensive set of data on a third-party provider and determining the legitimacy of that provider based directly on that data. In other words, it is about evaluating how high of a risk each third-party poses.

What’s more, risk profile scoring makes the process of screening a third-party service quick and instant. If, for example, a third-party passes a certain risk threshold, access to open services is quickly denied. After this flagging process, banks are then free to implement additional measures to verify a third-party’s legitimacy, giving them full control over access, just without the risk of a security breach.

Security providers like JT offer services that make implementing these kinds of security measures seamless, ensuring that your bank can remain both secure and PSD2 compliant.

How JT can help you prepare for the PSD2 changes

JT has over 120 years of history in the telecom market, with over 600 roaming agreements with other telecom companies. This unique position means that JT has a high level of insight when it comes to third-party businesses and consumer security.

JT enables banks to use real-time data attributes from Mobile Operators to use data in their risk management processes. Ensuring that no party can access your bank's data without first going through JT's security checks. This gateway works in real-time too, meaning there is virtually no delay for TPPs - unless, of course, an issue is detected.

In addition to this, JT has a unique and full view of the operator marketplace in its entirety - including both MNOs and MVNOs - which is necessary for ensuring that all consumers are getting the best security possible. JT can offer banks greater security through features like SIM swap checks, which is currently the best recognised way to prevent cases of SIM swap fraud when one-time passwords are sent out.

Conclusion

Thanks to the upcoming and already-implemented PSD2 regulations, it's both an exciting time in the banking industry. And if you're concerned about keeping your bank secure amid these changes, consider partnering with a security provider like JT for a fast, reliable, and seamless solution. 

PSD2 White PaperRead more on PSD2 in our white paper on the topic. Our team of fraud protection experts have compiled it to help payment service providers prepare for the upcoming changes.

 

Get a Copy

 

Filed Under: PSD2, Banking, Fintech, open banking, SCA, payment service provider