PSD2 – what you should know about it and why it is a guarantee of security in “Open Banking”

“Open Banking” is becoming increasingly important, both in Switzerland and internationally. The PSD2 (Payment Services Directive 2) is the most important regulation in the European area, although in Switzerland, it is optional. For Switzerland, an initiative of this kind is not (yet) in view, but several initiatives that go in various directions have already begun to address the issue. In this blog article, we will not be looking at the legal aspects of the PSD2 standard, but at its content and the participants that it targets.

The Swiss financial sector is in transition due to “Open Banking”

The term “Open Banking” refers to the use of standardised application interfaces (APIs) to provide data and trigger operations for recognised third-party providers. The systems are operated by banks. Third-Party Providers (TPPs) are usually non-banks which are granted access to the accounts and/or data of bank customers. The APIs allow the TPPs to use bank customer account data and bank functions that relate to the customers' accounts.

The result of this unbundling is services that are increasingly performed independently from the specific bank, credit institution or insurance company or the institution where an account or policy is held. Typical use cases include retrieving account information and triggering operations like payments. This approach offers immense possibilities and opportunities, because digitalization with contactless and mobile payment systems methods, along with online banking, has received a significant boost as a result of the COVID-19 pandemic. In part voluntarily and in part due to the current circumstances, the inhibition threshold has been significantly reduced.

What lies behind PSD2?

“Open Banking” is formally regulated in the PSD2, i.e. in the second EU Payment Services Directive (PSD) and provides, among other things, for the market liberalisation of TPPs in payment transactions.

The PSD2 is the successor to the first Payment Services Directive (2007/64/EC) and as such, takes into account the previous IT technical developments in payment traffic, but also the entry of new market participants. What this means in greater detail is that PSD2 now:

• regulates payment transactions made via the Internet and on mobile phones.
• imposes stricter security requirements for payment transactions.
• at the same time improves consumer protection by reducing liability for unauthorised payments and the unconditional right of reimbursement for direct debits.
• also opens up the market to new authorised payment service providers.

Stakeholders and roles in “Open Banking”

Within “Open Banking”, typically three key players are interacting with each other:

1. Customers

Retail and business customers utilise an application from a service provider (third-party provider) and are able to use this application to access data and services that are stored with or provided by their financial service providers.

2. Third-Party Providers (TPP)

Third-party providers develop and operate applications, most of which are designed to meet specific needs. TPPs include both start-ups from the Fintech sector and established companies with a suitable application. Essentially, there are two types of TPPs identified in the Directive as being providers of new services in the Internet payment sector:

• Account information services, short (AISP) Account Information Service Provider
  These collect account information electronically from the financial institutions managing the accounts on behalf of the customers and account holders with the aim of providing consolidated, user-friendly information for the customer.
  
  
• Payment Initiation Service Provider, (PISP)
  These providers are requested or authorised by customers and account holders to trigger payments on their behalf directly from the relevant account with the financial institution where the account is held.
  
  
• Financial services provider (e.g. banks, insurance companies), or account-holding payment service providers.
  Financial service providers safeguard their customers' data and, provided the customer has given their approval, make it available to TPP applications via interfaces (APIs).

What are the implications of PSD2 for banks and third-party providers?

As has been mentioned above, banks have to provide interfaces for third-party providers (i.e. TPPs). In order to be able to access these interfaces, the law stipulates that TPPs must meet certain criteria and must provide proof of certification. This offsets the split between TPP and banks. All TPPs that want to take part in PSD2 must assume liability and meet equity targets as well as reporting and auditing requirements.

Strong authentication is the key

As part of strong customer authentication, consumers must be able to clearly identify or authenticate themselves. In order to minimise payment fraud, authentication must be made up of at least two of the following criteria:

• Knowledge means something that is only known to the user. This includes passwords, key phrases, PINs, number sequences or secret questions.
• Possession is something that only the user (physically) owns, such as a chip card, a mobile phone or other “wearable” devices, or a smartcard, token, badge, girocard, EC or credit card, or even a TAN generator.
• Inherence are characteristics that are personally or physically inherent to the user - such as fingerprints, facial features, voice, their iris or DNA signature.

The requirement in the PSD2 for strong customer authentication is fulfilled if the authentication procedure combines two of these three independent elements. This means that the combination of just a PIN and a password is inadequate because both security features come from the “knowledge” group, although there are also some exceptions. These can be found in articles 10 to 20 of Delegate Regulation (EU) 2018/389.

In autumn of 2019, the European Banking Authority (EBA) extended its deadline for implementing the rules on strong customer authentication in the field of e-commerce until 31 December 2020, in order to give the service providers concerned, in particular payment service providers and retailers, more time to carry out technical conversions. But the clock is ticking and the year-end is getting closer!

Regular testing is compulsory

In accordance with the “DELEGATED COMMISSION REGULATION (EU) 2018/389”, regular tests must be carried out: “...security measures for the implementation of strong customer authentication and its exceptions, which documents measures for the protection of the confidentiality and integrity of the personalised security features and the measures in order to establish common and secure open standards for communication that are regularly tested...”.

The obligation to prove that PSD2 has been correctly implemented

All payment service providers must furnish proof that security measures have been implemented, tested and verified. The PSD2 applies to payments in EU/EEA currencies between payment service providers located in the EU/EEA area. In addition, it also applies in part to payments in non-EU/EEA currencies, and where a payment service provider is located outside of the EU/EEA area (e.g. in Switzerland or the US).

They are governed by PSD2 but do not have to provide evidence of the implementation, testing or verification of security measures along the lines of the Regulatory Technical Standards for Strong Customer Authentication (CSA) referred to in Article 3 or the Common and Secure Open Standards of Communication (CSCCAC) of the EBA focusing on Transaction Risk Analysis (TRA). Using our PSD2 Assessment, which is an external, independent review, you will be able to find out whether or not you comply with the requirements of the PSD2 RTS on SCA & CSC.

Do you need help to implement the PSD2 or with proof of implementation, testing or inspection of the security measures? InfoGuard can assist you with this. Our cyber security experts will be happy to help you.