PSD2, Open Banking and Bots: What You Need to Know
PSD2 and Open Banking have been around for a few years now. Each aims to disrupt and future-proof the financial services market following the vast technological advances of the last two decades, which have left the industry with legacy processes and a lack of legislation to cope with emerging challenges.
The introduction of FinTechs and mobile banking, for instance, was not accommodated in the original 2007 PSD, a directive implemented to make payments across borders as easy, secure and inexpensive as domestic payments.
A solution was needed, but the road hasn’t always been straightforward. In our blog we discuss the PSD2 and Open Banking journey, what payment service providers (PSPs) need to know, and the effect of open APIs in banking today.
What is PSD2?
In 2015, the European Union introduced PSD2 to reduce the existing monopoly on customer account information and payment services, while improving and setting a standard for customer security procedures. Payment processors must implement two major changes to comply with PSD2:
- Banks must give third-party providers (TPPs), such as aggregators and brokers, access to customer accounts via open APIs
- Payment service providers must integrate secure customer authentication (SCA) to reduce the number of cyber-attacks, including credential stuffing, card cracking and account takeover.
What is Open Banking?
In January 2018, the UK introduced the Open Banking legislation, set up by the Competition and Markets Authority on behalf of the UK Government. Every PSP that uses Open Banking to offer products and services must be regulated by the FCA or the EU equivalent.
There is currently very little to differentiate Open Banking from PSD2. However, where PSD2 requires that banks make their data available to third-party providers (TPPs), Open Banking additionally requires that the data be made available in a standardized format.
The PSD2 and Open Banking SCA compliance timeline
Although the UK is no longer part of the EU – as of 31st January 2020 – the legislation is still effective in the UK, because it applies to the European Economic Area (EEA) and not just the EU. That means that since PSD2 came into force in 2018, all PSPs throughout the EU and UK alike have been required to comply with the Directive.
What do PSPs need to do to comply with SCA requirements?
To accept payments in compliance with PSD2, a service provider must meet SCA requirements by building additional authentication into the checkout flow. SCA must use two of the following elements, drawn from different categories:
- Something the customer knows: a PIN or password
- Something the customer has: a phone
- Something the customer is: a fingerprint or facial recognition
If payments fail to meet these criteria following the compliance deadline, banks will need to decline them.
How is the finance industry benefiting from open APIs?
None of this is to say that the changes introduced by PSD2 and Open Banking haven’t been successful. The introduction of open APIs has enabled a range of new FinTech products that make it easier for consumers and businesses to manage their finances.
Open APIs have effectively given businesses the key to the financial market without the burden of stringent compliance and infrastructure. New entrants can instead focus on providing one service while connecting to other service providers via APIs. This creates a new marketplace of specialists and greater competition that ultimately leads to better services for customers.
In 2022 there were 68.2m open banking payments, up from 25.2m in 2021.
How secure are APIs?
APIs are an increasingly attractive target for cyber-attacks, yet most businesses still do not consider them as vulnerable as websites and mobile apps.
According to Netacea’s latest research, 44% of financial services organizations suffered automated attacks on their APIs in 2022. This figure has dropped from previous years, suggesting that attackers are becoming less focused on Open Banking APIs as other industries, such as eCommerce, adopt APIs as well.
Establishing a resilient API environment is vital to maintaining a truly secure and high-functioning open banking ecosystem in which both interconnected parties are protected. If left unchecked, bots can be used to take over accounts, scrape data and prevent the API from servicing legitimate users.
At Netacea we take a revolutionary approach to bot management, applying a single solution with innovative coverage across all API points of vulnerability – web browser, mobile app and API server – without the need for multiple products or complex mobile SDKs.
To find out more about open API security, read our two-part open API blog series in which we provide greater context to the challenge.