PSD2 and Open Banking continue to be the two most discussed topics in the financial industry in the first months of 2018, shaking up the established order and delivering promises of new great services for consumers through collaboration between banks and Fintechs. The attention has been mainly on access to banking data, providing a mix of excitement and apprehension.
But what's happened so far, and what needs to happen next to make it a success?
Enabling access to banking data
Open APIs have been acknowledged as the right way to go to enable access to data and empower end-users. These APIs should be developed by banks and implemented by application developers. Industry-led standards and workgroups are naturally emerging to ensure a minimum level of interoperability and consistence in the development of such Open Banking APIs. For example:
- In Europe, The Berlin Group has released specifications to implement Account Information and Payment Initiation APIs as per PSD2 Regulatory Technical Standards (RTS)
- In the US, NATCHA leads an Industry group aiming at developing a broad range of standard APIs to transform the Financial Industry
Another key priority of PSD2 and the financial ecosystem is to secure access to user account data and banking and payments services, by moving away from flawed and cumbersome processes relying on passwords. A number of technologies, such as biometrics, have become available and widespread, so that they can now be leveraged to replace or complement the use of passwords. While their benefits are evident, the introduction of an eclectic array of new Strong Customer Authentication (SCA) methods poses a number of challenges and a certain level of standardization, and collaboration is required to deliver a smooth strong customer authentication experience.
The need for SCA standardization
In the European Union, financial institutions' current focus is to meet PSD2 requirements. This includes delivering strong two-factor authentication and transaction signature methods to all their customers. Banks, in Europe and overseas, have been independently evaluating several options including: dedicated hardware devices such as tokens and payment card readers, as well as the use of mobile authenticators. On one hand, banks are trying to leverage their existing authentication platforms and extend their use, which was often limited to corporate banking, to retail banking. On the other, they aim to benefit from the connectivity, biometric capabilities and widespread deployment of smartphones.
But a growing number concerns are being raised about the chaos this wide range of authentication technologies and user experiences could cause in the new Open Banking ecosystem.
For example, in the post-PSD2 era, consumers using Personal Finance Management apps that seamlessly aggregate data from all their accounts, may have to go through a cumbersome authentication process on a regular basis (at least every 90 days). They will likely be redirected to the portal of each financial institution to authenticate. The process may involve using a mix of hardware and software-based authentication solutions, as well as the need to carry all required banking tokens and to be enrolled with the mobile banking apps. That's a lot of effort for someone who only wanted to use their favourite money dashboard app...
The importance of providing seamless user experience
Fortunately, some financial institutions have realized the risk of degrading the user experience and have started pinpointing the issue, as they want to follow the steps of Fintech and be able to offer account aggregation services. Similarly, large eCommerce platforms and payment service providers can't figure out how to leverage account-based payments if the end-user must be systematically redirected to the bank's interface for authentication. For card-not-present transactions, users would also be required to go through the banks' authentication process as part of 3D Secure 2.0 flow.
The exemptions planned in the RTS won't be enough to fully overcome these challenges. End-users expect strong user authentication seamlessly in their favourite financial app interface. It could be as simple as a fingerprint scan or a selfie. The Berlin Group has notably started addressing this point by defining a range of APIs that enable strong authentication through a third-party interface, with authentication code validation remaining in control of the bank. This is known as the 'Embedded' mode. But without any industry-led standard for authentication it might not go any further, because Fintech apps still can't integrate many assorted authentication clients.
Banks should collaborate to define a common approach, at least at a country or regional level. There are two main paths they can consider:
- Identity Federation initiatives. These already exist in some markets, with mobile authentication applications such as itsMe in Belgium, Bank ID in Norway & Sweden
- An alignment on a strong authentication standard to minimize implementation burden and costs, as well as enabling a consistent user experience
The role of the FIDO Alliance
The FIDO Alliance is the world's largest ecosystem for standards-based, inter-operable authentication solutions. Beyond specifications, the FIDO Alliance defines a functional and security certification program that allows financial services providers to identify strong authentication solutions that meet the features and high security levels required to conduct banking and payment transactions.
Convenience has also always been a key focus of FIDO, who believes that the end-user shouldn't have to remember countless passwords to use online services. As you would therefore expect, FIDO standards have also embraced the use of biometrics in mobile authentication.
Additionally, the FIDO specifications have evolved to meet market needs. In particular, FIDO UAF is a turnkey standard that meets the RTS requirements for two-factor authentication and transaction signature. Additionally, the launch of a European workgroup was recently announced, whose number one goal is to provide guidance and support in the implementation of PSD2.
Although other strong authentication models may prevail in some regions and better meet specific market needs, FIDO has the potential to become a leading, global, strong authentication standard and should soon gain more visibility in Europe.
For Open Banking to succeed, it's critical that we see more standardization initiatives related to the deployment of strong authentication. That way we can combine the goals of both banks and Fintechs, and most importantly enable great user experiences which will define a new era of banking.
Emilie Casteran is Head of Digital Strategy – Banking & Payments, Gemalto.