Consumers currently don't have much control over their personal data, which means that businesses and other organisations can gather detailed information on them for the purposes of advertising and fraud. But we're entering a new era where consumers can take back the power. With the advent of regulations such as the General Data Protection Regulation (GDPR) and the second Payment Services Directive (PSD2) – each coming into force in 2018 – consumers will have more choice over when and how companies collect data on them, as well as in how they pay for goods and services online.
GDPR, in a nutshell, will give European consumers more control over their personal data and the information organisations can collect on them, while also setting out regulations to enforce better protection of such information. GDPR specifically stipulates that, when it comes to organisations gathering or sharing information on consumers, "opt out" measures are no longer sufficient. Instead, consumers will have to "opt in" to share their information or receive communications, and they will be able to expressly say whether or not their data can be shared with third parties.
The second Payment Services Directive (PSD2) will fundamentally change how consumers access their financial data as well as how, and with whom, they transact. At the moment, consumers holding accounts at multiple institutions need to log into each account via that institution's digital interface, whether this be via a mobile app or an online portal. But to promote competition in financial services and improve ease of use for consumers, PSD2 makes provision for data aggregators, which allow for a single view of accounts at multiple providers (insurance companies, payments services, credit card issuers, mortgage lenders, etc.). All account information, all financial products, and all transactions will be visible on a single dashboard. To make this possible, PSD2 will require banks and other financial service providers to open their data and payment initiation capabilities to third parties. In this way, PSD2 will open banking, offering consumers more freedom not only when it comes to accessing and sharing their financial data, but also for engaging in financial transactions.
This freedom, however, does not equate to less security. Quite the opposite will be the case, in fact. PSD2 will enforce improvements in security measures, including requiring banks to put Strong Customer Authentication (SCA) methods in place. Multi-factor authentication, where at least two authentication factors from different groups are used (the groups being something a consumer has, something they know and something they are), is commonly regarded as the industry standard in terms of SCA. When authenticating a transaction, the consumer will then have to provide at least two authentication factors from different groups.
It would be easy for banks to have misgivings about these new regulations, but there is no need to fear. Although there is a perception among retailers that consumers tend to resist new technologies and extra "steps" in payments processes, recent research has indicated that consumers actually do want to take control of the security of their personal information.
If implemented with security and user experience in mind, the changes introduced in accordance with the new regulations, especially SCA, could present an opportunity for a bank to instil customer trust, leading to an increase in the number and value of transactions even as fraud is effectively eliminated.
One way of providing an authentication measure that is simultaneously secure and less disruptive to the consumer is by utilising the power and ubiquity of the mobile phone. Rather than requiring consumers to rely on one-time passwords or additional security tokens that are less secure as well as cumbersome, mobile phones can be used as one factor of authentication in an SCA implementation. Imagine a scenario where a consumer initiates a purchase online and, in order to verify that purchase, an authentication window pops up on their mobile phone. All the consumer need do is tap accept or reject on the device to verify the transaction. It is a quick and seamless interaction that leaves them feeling empowered and reassured.
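As an added illustration (not code from the article or from Entersekt), the Python below simulates the flow just described: the bank binds a one-time challenge to the transaction details, the phone (possession) signs the customer's accept/reject decision after a PIN (knowledge) is entered, and the bank confirms that two factors from different PSD2 groups were presented before the payment proceeds. The device key, PIN and transaction values are constructed sample data, and the PIN check is simplified to a plain hash comparison.

```python
import hashlib
import hmac
import json
import secrets
from enum import Enum


class Factor(Enum):
    """The three SCA factor groups named in PSD2."""
    POSSESSION = "something the customer has"
    KNOWLEDGE = "something the customer knows"
    INHERENCE = "something the customer is"


def meets_sca(factors):
    """SCA needs at least two factors from different groups: two passwords
    (both KNOWLEDGE) do not qualify, PIN plus enrolled phone does."""
    return len(set(factors)) >= 2


# Constructed sample data: a key provisioned to the phone at enrolment
# (possession factor) and the hash of the PIN the customer knows (knowledge).
DEVICE_KEY = secrets.token_bytes(32)
PIN_HASH = hashlib.sha256(b"2468").hexdigest()


def issue_challenge(amount, payee):
    """Bank side: tie a fresh nonce to the details shown in the approval window."""
    return {"nonce": secrets.token_hex(16), "amount": amount, "payee": payee}


def approve_on_device(challenge, pin, decision):
    """Phone side: after the PIN is entered, MAC the exact challenge plus the
    decision so the approval cannot be reused for another amount or payee."""
    msg = json.dumps({**challenge, "decision": decision}, sort_keys=True).encode()
    tag = hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()
    return {"decision": decision, "tag": tag,
            "pin_hash": hashlib.sha256(pin.encode()).hexdigest()}


def verify_approval(challenge, response):
    """Bank side: check the possession proof (device MAC over this challenge)
    and the knowledge proof (PIN), then require two distinct factor groups."""
    expected = json.dumps({**challenge, "decision": response["decision"]},
                          sort_keys=True).encode()
    device_tag = hmac.new(DEVICE_KEY, expected, hashlib.sha256).hexdigest()
    possession_ok = hmac.compare_digest(device_tag, response["tag"])
    knowledge_ok = hmac.compare_digest(PIN_HASH, response["pin_hash"])
    presented = [f for f, ok in ((Factor.POSSESSION, possession_ok),
                                 (Factor.KNOWLEDGE, knowledge_ok)) if ok]
    return meets_sca(presented) and response["decision"] == "accept"
```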
Just as important as the consumer's perception of the authentication process is the fact that using a robust SCA solution does ultimately reduce financial fraud, which in the UK cost households £2.1m every day in 2016. It's no wonder that newer, tighter regulations are being put in place to help reduce this unnecessary expense and prioritise consumers' security.
Banks that embrace the new regulations with a smart, innovative and customer-centric approach will reap all the rewards, from better customer satisfaction to lower fraud levels: security and privacy can be a win on all fronts.
Frans Labuschagne is UK & Ireland country manager at Entersekt