The European Union has reshaped the rules of payment services with the revised Payment Services Directive (PSD2), granting third parties access to customers' payment accounts. Although PSD2 has applied since January 2018, its major impact is expected in September 2019, when the mandatory regulatory technical standards on strong customer authentication and secure communication also take effect.
Open banking arrives at a time when cybersecurity-related risks are increasing. According to the World Economic Forum's Global Risks Report 2018, cyberattacks rank third and data fraud or theft fourth among the risks most likely to occur. The European Central Bank, in its risk assessment for 2019, lists cybercrime and IT disruption among the key risk drivers from both a probability and an impact perspective.
Third party payment service providers (TPPs) are entities that, with the customer's authorisation, gain access to the customer's payment accounts held at commercial banks. These TPPs can have very different backgrounds: new digital-only institutions with a banking licence, technology-driven disruptive firms (fintechs) or traditional financial institutions can all offer the services, either as Account Information Service Providers (AISPs), with access to the account's transaction history, or as Payment Initiation Service Providers (PISPs), able to initiate a payment transaction on behalf of the customer. In 2017 the European Banking Authority (EBA) issued a discussion paper on its approach to financial technology and estimated that over 1500 fintech firms are established in the EU.
A potential threat actor has three targets: it can attack the bank, the TPP or the customer directly. Depending on its motives, the aim can be theft of data (to sell or otherwise exploit it), direct financial gain (stealing money) or disruption of the service. Since every TPP that a customer authorises becomes an additional path to the same account, the security of that account is only as strong as the weakest of these three parties.
The main objectives of PSD2 are to make payments safer and more secure and to protect customers, and it sets out rules to ensure that this happens.
As a general rule, strong customer authentication (SCA) is required to access a payment account or to initiate a transaction, and a transaction monitoring mechanism must be in place to prevent or detect fraudulent activity throughout all phases of authentication, including signs of malware infection on the customer's own device (e.g. mobile or desktop).
There is another initiative in the EU that has, or will have, an impact on payment security. The SEPA Instant Credit Transfer (SCT Inst) scheme allows electronic transfers of money in less than 10 seconds. Fifteen percent of payment service providers (banks) already offer services based on this scheme, and the number is increasing as more major European countries are expected to implement it. Because funds are available to the payee almost immediately, there is little time for fraud checks before settlement, and recovering money after a fraudulent transfer is harder than with conventional credit transfers.
PSD2 and SCT Inst define security measures that payment service providers must implement. Licensed financial institutions (both traditional and digital-only banks), which already operate in a well-regulated environment, will obviously meet the requirements; fintech firms are expected to meet them too, and all affected entities across the EU are working on it.
Considering that open banking and instant payments are spreading at a time when the risk of cybercrime is increasing, it is reasonable to assume that incidents will happen; therefore not only the private sector but also the public sector, including law enforcement, should prepare for them. More active and faster cooperation, with the possibility of direct information sharing among stakeholders, could limit losses and will be indispensable to achieving the legislator's original aims.