Not so long ago, I was touting the advances in finance fuelled by banking APIs. This advance will finally be halted now that the European Banking Authority (EBA) has released the new Payment Service Directive (PSD2). PSD2 is a set of revised Regulatory Technical Standards (RTS) directing European banks on how they shall increase security for online payments. Already, Deutsche Bank has admitted these new regulations may be confusing to the banks, so let me try to explain it.
Why did the EBA revise PSD?
In a report by the EBA on the 29th of June this year, they explained that the aim of the regulations was to improve technical standards. This would enhance the protection of consumers’ personal data and improve the security of payment services. As you may know, banks and consumers alike experience a lot of losses through scammers and hackers who take advantage of online payment systems. Part of the problem, at least according to the EBA, is the banking APIs used to access personal information from banks.
FinTech companies use banking APIs as interfaces to access a consumer’s banking data. Then, through third-party apps, a user can make financial transactions without having to go to the bank directly. These third-party payment service providers use a method called screen scraping to access the individual’s credentials, and then, even without the bank’s consent, they can initiate financial transactions. Obviously, such a design is vulnerable to nefarious parties, and many of them have taken advantage of it.
In order to prevent any further cases of crime through these screen scraping procedures, the EBA has decided to simply block any such features. This is the main idea behind the PSD2 requirements. Additionally, the banks will need to have Strong Customer Authentication (SCA). This measure requires that a bank verify at least two out of three security elements. The first is a password/PIN code, the second is possession of a card or mobile phone, and the third is biometric data like a fingerprint. If you have ever used 2-factor authentication on your smartphone, then these will be familiar. Even cryptocurrency exchanges now offer multi-sig wallets that require several security elements to prevent hacks.
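To make the "two out of three" rule concrete, here is an added example of an SCA policy check. It is illustration code written for this article, not code from the EBA, PSD2 or any bank; the three categories follow the elements the post names (password/PIN, card or phone, biometric), and the names `Category`, `Factor`, `sca_satisfied` and `evaluate_login` plus the sample inputs are assumptions made for the example. The point it demonstrates that the paragraph alone does not is that the two elements must come from *distinct* categories: two knowledge factors (a PIN and a password) still count as one.

```python
"""Toy Strong Customer Authentication (SCA) policy check.

Added example for this article; not code from the EBA, PSD2 or any bank.
The three categories mirror the elements named in the text:
knowledge (password/PIN), possession (card or phone), inherence (biometric).
All names and sample values below are assumptions for the illustration.
"""
from dataclasses import dataclass
from enum import Enum
import hmac


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows: password / PIN
    POSSESSION = "possession"  # something the user has: card, mobile phone
    INHERENCE = "inherence"    # something the user is: fingerprint


@dataclass(frozen=True)
class Factor:
    category: Category
    verified: bool  # outcome of checking this single factor


def verify_secret(presented: str, expected: str) -> bool:
    """Compare a PIN/password in constant time so the check does not leak
    information through timing differences."""
    return hmac.compare_digest(presented.encode(), expected.encode())


def sca_satisfied(factors, minimum_categories: int = 2) -> bool:
    """True when at least `minimum_categories` DISTINCT categories were
    successfully verified. Several factors from one category only count
    once, so PIN + password alone never satisfies SCA."""
    verified = {f.category for f in factors if f.verified}
    return len(verified) >= minimum_categories


def evaluate_login(pin: str, stored_pin: str, otp_ok: bool, biometric_ok: bool) -> bool:
    """Bank-side decision for one login attempt (hypothetical flow).

    pin / stored_pin : knowledge element, checked here
    otp_ok           : possession element, e.g. an OTP from the phone app
                       already validated by a separate component
    biometric_ok     : inherence element, reported by the device
    """
    factors = [
        Factor(Category.KNOWLEDGE, verify_secret(pin, stored_pin)),
        Factor(Category.POSSESSION, otp_ok),
        Factor(Category.INHERENCE, biometric_ok),
    ]
    return sca_satisfied(factors)


def same_category_attempt(pin: str, stored_pin: str, password: str, stored_password: str) -> bool:
    """Two knowledge factors only: correct or not, this must be rejected."""
    factors = [
        Factor(Category.KNOWLEDGE, verify_secret(pin, stored_pin)),
        Factor(Category.KNOWLEDGE, verify_secret(password, stored_password)),
    ]
    return sca_satisfied(factors)


if __name__ == "__main__":
    # constructed sample values, not real credentials
    print(evaluate_login("1234", "1234", otp_ok=True, biometric_ok=False))   # True: two categories
    print(evaluate_login("1234", "1234", otp_ok=False, biometric_ok=False))  # False: one category
    print(evaluate_login("0000", "1234", otp_ok=True, biometric_ok=True))    # True: PIN wrong, other two hold
    print(same_category_attempt("1234", "1234", "hunter2", "hunter2"))       # False: both knowledge
```

The decision is deliberately a set of categories rather than a count of checks passed; that one line is what distinguishes a real two-factor policy from a "two passwords" policy, and it is the property a reviewer should look for in any SCA implementation.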
How do these initiatives affect the users?
The final draft of PSD2 was published on the 27th of November, stating that the new requirements should be implemented starting on the 13th of January 2018. However, the banks have 18 months to comply with the new requirements, so we can set the deadline for September 2019. From that date, screen scraping will not be allowed, and the banks will have to provide dedicated communication channels with their clients. Anyone who has been using a third-party app may have to find an alternative.
However, some payment service providers will still be able to gain access to bank clients’ information. This will be limited access rather than full access, though. Besides, these providers will have to prove that they have secure SCA mechanisms of their own. For consumers, the effect will not be huge, and it might even be to your benefit.