PSD2 and open banking – a fraud prevention perspective
Fraud prevention expert Richard Harris of Feedzai looks at the ramifications of PSD2's faster payments and open APIs.
A fully-fledged open banking ecosystem means moving into an era of financial services akin to the way big digital platforms like Amazon and Facebook operate. Banks and other players will try to unlock the value in our personal financial data: in the same way that Google infers you're having a baby and serves you nappy adverts, your bank can use the same kind of signal to offer you a loan for a new car.
Sharing this data and simplifying payment systems is meant to benefit consumers, but it can also benefit bad actors. There are a lot of moving parts in PSD2, but from a fraud prevention perspective it is useful to consider it in two parts: first, a faster, frictionless payments architecture; and second, the open API part, which is the one most often talked about.
The first part is creating a European framework and mechanism to send money from account to account instantly, or as close to instantly as possible. We have a bit of a head start in the UK with Faster Payments, and the same is happening in other places such as Australia and the US. A cynical view would be that it is also a way for Europe to impose regulation obliquely on the card networks, but that is another story.
In terms of fraud, at a basic mechanical level this means faster payments running across the entire European network: a lot of countries and a lot of banks. Suddenly there is plenty of opportunity to move money very fast using bank transfers, without the clearing and settlement delays that apply when transacting with a credit or debit card.
Fraud prevention veteran Richard Harris, SVP sales and international operations at Feedzai, said: "This is great for consumers, but it's also potentially an opportunity for bad guys. If I'm going to move money out of an account that isn't mine, I can easily turn that into cash and take that somewhere else.
"Money laundering and potentially removing the proceeds of crime from the financial market becomes a lot faster so covering up the process becomes easier. If I can potentially wire money through 27 different accounts in as many banks in Europe in just a few seconds, it becomes a real pain for somebody investigating this to follow the paper trail and get investigative teams involved."
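The rapid pass-through that Harris describes (funds hopping through many accounts in seconds) is exactly the pattern a real-time monitor can catch that end-of-day batch processing cannot. The following is an added example, not Feedzai's or any bank's code: a streaming detector that keeps only recent inbound credits per account, links each outbound transfer to a recent credit it appears to forward, and raises an alert once a chain reaches a configurable number of hops. The transfer records, account labels, thresholds (10-second hop gap, 90% of value forwarded, 3 hops) and the alert format are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: float      # seconds (constructed clock, not real timestamps)
    src: str       # debtor account, hypothetical label
    dst: str       # creditor account, hypothetical label
    amount: float  # EUR


# Constructed sample stream: a victim's balance is forwarded through four mule
# accounts within three seconds, mixed with ordinary traffic. Not real data.
SAMPLE = [
    Transfer(1000.0, "DE-VICTIM", "FR-M1", 9800.0),
    Transfer(1000.4, "NL-SHOP", "NL-ACME", 45.0),
    Transfer(1001.1, "FR-M1", "ES-M2", 9750.0),
    Transfer(1001.9, "ES-M2", "IT-M3", 9700.0),
    Transfer(1002.3, "IT-M3", "PT-M4", 9690.0),
    Transfer(1003.0, "PT-M4", "CASHOUT-ATM", 9650.0),
    Transfer(1500.0, "DE-ALICE", "DE-BOB", 200.0),
    Transfer(1560.0, "DE-BOB", "DE-CAROL", 150.0),
]


class PassThroughDetector:
    """Flags funds forwarded through >= min_hops transfers, where each hop
    leaves the account within max_gap seconds of the credit arriving and
    carries at least min_ratio of the inbound value. State is bounded: only
    credits younger than max_gap are retained, so it runs on a live stream."""

    def __init__(self, max_gap=10.0, min_hops=3, min_ratio=0.9):
        self.max_gap = max_gap
        self.min_hops = min_hops
        self.min_ratio = min_ratio
        # account -> list of (arrival ts, amount, chain of transfers that led here)
        self.inbound = defaultdict(list)

    def observe(self, t: Transfer):
        """Feed one transfer in timestamp order. Returns the chain (list of
        Transfer) when this debit extends a pass-through chain to min_hops
        or more, otherwise None."""
        best = None
        for ts_in, amt_in, chain in self.inbound[t.src]:
            fast = t.ts - ts_in <= self.max_gap
            most_of_it = t.amount >= self.min_ratio * amt_in
            if fast and most_of_it:
                cand = chain + [t]
                if best is None or len(cand) > len(best):
                    best = cand
        chain = best if best is not None else [t]
        self.inbound[t.dst].append((t.ts, t.amount, chain))
        self._expire(t.ts)
        return chain if len(chain) >= self.min_hops else None

    def _expire(self, now):
        # Drop credits that can no longer be forwarded "fast"; keeps memory bounded.
        for acct in list(self.inbound):
            fresh = [e for e in self.inbound[acct] if now - e[0] <= self.max_gap]
            if fresh:
                self.inbound[acct] = fresh
            else:
                del self.inbound[acct]


def run(transfers, **kwargs):
    """Replay a batch of transfers through the detector; returns every alert.
    A chain alerts each time it grows past min_hops, so the last alert for a
    given root transfer is the longest route seen."""
    det = PassThroughDetector(**kwargs)
    alerts = []
    for t in sorted(transfers, key=lambda x: x.ts):
        chain = det.observe(t)
        if chain:
            alerts.append(chain)
    return alerts


if __name__ == "__main__":
    for chain in run(SAMPLE):
        route = " -> ".join([chain[0].src] + [hop.dst for hop in chain])
        print(f"{len(chain)} hops in {chain[-1].ts - chain[0].ts:.1f}s: {route}")
```

The ordinary transfers (a shop payment, and a €200 transfer that is partly forwarded a minute later) never alert, because either no recent credit exists or the gap exceeds the window; the victim's funds alert from the third hop onward, with the final alert carrying the full route to the cash-out account. Deduplicating alerts by root transfer, and tuning the gap and ratio per corridor, is left to the surrounding case-management system.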
Requirements on banks to screen for fraud and to authenticate account holders and users (strong customer authentication) are part of the legislation, which is a good thing. The downside is that this creates friction, which works against the whole point of the legislation: making it easier to manage your money.
Striking a balance is complex. The regulation's technical standards allow a transaction risk analysis exemption: a bank can skip strong customer authentication (for example, two-factor authentication) on lower-value remote payments as long as it keeps its fraud rate below the reference threshold set for each amount band, and the thresholds tighten as the amount rises. If a bank cannot hold fraud below the relevant level, it loses the exemption and friction returns for those classes of payments.
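To make the trade-off concrete, here is an added example (written for this page, not code from Feedzai or any payment provider) of the decision logic behind such an exemption: a rolling, value-based fraud rate is maintained from confirmed outcomes, the highest amount band whose threshold the bank still meets is derived from it, and a payment above that band is routed to strong customer authentication. The band-to-threshold table is the editor's recollection of the RTS reference rates for remote credit transfers and should be treated as a parameter, not a citation; the 90-day rolling window is a simplification of the regulation's calendar-quarter calculation, and the transaction history is constructed.

```python
from collections import deque
from dataclasses import dataclass

# (maximum amount in EUR, maximum fraud rate) per band, as the editor recalls the
# RTS reference rates for remote credit transfers. ASSUMED values; configure them.
TRA_TIERS = [(100.0, 0.00015), (250.0, 0.00010), (500.0, 0.00005)]

DAY = 86400.0


@dataclass(frozen=True)
class Outcome:
    ts: float          # seconds (constructed clock)
    amount: float      # EUR
    fraudulent: bool   # confirmed unauthorised/fraudulent after the fact


class TraExemption:
    """Tracks the value-based fraud rate (fraud value / total value) over a
    rolling window and decides whether a payment may skip SCA."""

    def __init__(self, window_days=90):
        self.window = window_days * DAY
        self.history = deque()   # (ts, amount, fraudulent), oldest first
        self.total = 0.0
        self.fraud = 0.0

    def record(self, o: Outcome):
        """Record a settled remote payment and whether it proved fraudulent."""
        self.history.append((o.ts, o.amount, o.fraudulent))
        self.total += o.amount
        if o.fraudulent:
            self.fraud += o.amount
        self._expire(o.ts)

    def _expire(self, now):
        while self.history and now - self.history[0][0] > self.window:
            _, amount, fraudulent = self.history.popleft()
            self.total -= amount
            if fraudulent:
                self.fraud -= amount

    def fraud_rate(self):
        return self.fraud / self.total if self.total else 0.0

    def max_exempt_amount(self):
        """Largest band whose reference rate the bank currently stays under;
        0.0 means no exemption at all."""
        rate = self.fraud_rate()
        allowed = 0.0
        for max_amount, max_rate in TRA_TIERS:   # ascending amount, descending rate
            if rate <= max_rate:
                allowed = max_amount
        return allowed

    def requires_sca(self, amount, risk_score_ok=True):
        """True if the payment must go through strong customer authentication.
        risk_score_ok stands in for the per-transaction risk analysis the
        exemption also requires; a risky score always forces SCA."""
        if not risk_score_ok:
            return True
        return amount > self.max_exempt_amount()


def build_sample():
    """Constructed history: 100 legitimate payments of EUR 10,000 and one
    confirmed fraud of EUR 80, giving a rate of about 0.008%."""
    tra = TraExemption()
    for i in range(100):
        tra.record(Outcome(ts=i * 60.0, amount=10_000.0, fraudulent=False))
    tra.record(Outcome(ts=6000.0, amount=80.0, fraudulent=True))
    return tra


if __name__ == "__main__":
    tra = build_sample()
    print(f"fraud rate {tra.fraud_rate():.5%}, exempt up to EUR {tra.max_exempt_amount():.0f}")
    for amount in (50.0, 200.0, 300.0):
        print(f"EUR {amount:>6.0f}: {'SCA' if tra.requires_sca(amount) else 'exempt'}")
```

With the constructed history the bank sits under the €250 band but not the €500 one, so a €200 transfer is exempt while a €300 one is challenged; one further confirmed fraud of €100 pushes the rate past the loosest threshold and every payment is challenged until the window rolls on. That cliff edge is the friction Harris is pointing at: the exemption is only as good as the bank's ability to keep confirmed fraud low, which is why real-time detection and the exemption go together.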
PSD2 combines the faster payments piece with a whole open banking system, allowing account data and information about accounts to move across that same network. At the end of the day it is a data network, and money is just data. If I want to open an account at bank B, and bank A already holds my credentials and my information, then once I am authenticated bank B can pull my data from bank A's API, get my name, address and date of birth, and open the account with less friction.
Harris said: "That stuff becomes more of an issue, because the question is: who's authenticated to go into the system and make those requests for that data? Some of that will rely potentially on certificates, rather than security processes.
"As soon as you open up these APIs in this kind of process, then the reality is that you are going to create some kind of risk. You have to then manage the policing process inside; what's the internal risk within the organisations that have access to this kind of data.
"GDPR hopefully helps to increase the security within those firms. But if vast quantities of that data can start flying around fairly quickly, and if the right security setup isn't in place then some of it's going to disappear."
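The account-opening flow described above, and Harris's question of who is authenticated to make those requests, come down to an authorisation check at the bank's API edge. The following is an added example, not the code of any bank, API standard or Feedzai product: a fail-closed guard that binds each request to the customer consent it claims, checks that the consent belongs to the calling third party, is still valid, and actually covers the account and data type requested, and records every decision for the internal audit question Harris raises. Under PSD2 the caller's identity comes from the certificate it presents over TLS; that step is assumed to happen upstream here, and its result is passed in as `tpp_id`. All identifiers, consents and requests are constructed.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Consent:
    consent_id: str
    tpp_id: str                  # third party the customer granted it to
    psu_id: str                  # the customer (payment service user)
    accounts: FrozenSet[str]     # account ids it covers
    permissions: FrozenSet[str]  # e.g. "balances", "transactions", "identity"
    expires_at: float            # seconds (constructed clock)


@dataclass(frozen=True)
class Request:
    tpp_id: str       # established from the client certificate upstream, never from the body
    consent_id: str
    account_id: str
    permission: str
    now: float


@dataclass
class AccountApiGuard:
    """Fail-closed consent check in front of an account-data API. Every
    decision, allowed or not, is appended to an audit trail."""
    consents: dict
    audit: List[Tuple] = field(default_factory=list)

    @classmethod
    def from_consents(cls, consents):
        return cls({c.consent_id: c for c in consents})

    def authorise(self, r: Request) -> Tuple[bool, Optional[str]]:
        """Returns (allowed, reason). Any failed check denies; the order puts
        the cheapest and most decisive checks first."""
        c = self.consents.get(r.consent_id)
        reason = None
        if c is None:
            reason = "unknown consent"
        elif c.tpp_id != r.tpp_id:
            reason = "consent belongs to a different TPP"
        elif r.now >= c.expires_at:
            reason = "consent expired"
        elif r.account_id not in c.accounts:
            reason = "account not covered by consent"
        elif r.permission not in c.permissions:
            reason = "permission not granted"
        allowed = reason is None
        self.audit.append((r.now, r.tpp_id, r.consent_id, r.account_id,
                           r.permission, allowed, reason))
        return allowed, reason


# Constructed consent: customer PSU-42 let TPP-A read balances and
# transactions of one account, for a limited time.
SAMPLE_CONSENTS = [
    Consent("CNS-1", "TPP-A", "PSU-42", frozenset({"ACC-1"}),
            frozenset({"balances", "transactions"}), expires_at=2000.0),
]


def demo():
    """Runs a handful of constructed requests and returns the decisions."""
    guard = AccountApiGuard.from_consents(SAMPLE_CONSENTS)
    requests = [
        Request("TPP-A", "CNS-1", "ACC-1", "balances", now=1000.0),      # legitimate
        Request("TPP-B", "CNS-1", "ACC-1", "balances", now=1000.0),      # replayed by another TPP
        Request("TPP-A", "CNS-1", "ACC-2", "balances", now=1000.0),      # account not consented
        Request("TPP-A", "CNS-1", "ACC-1", "identity", now=1000.0),      # data type not consented
        Request("TPP-A", "CNS-1", "ACC-1", "balances", now=2500.0),      # after expiry
        Request("TPP-A", "CNS-9", "ACC-1", "balances", now=1000.0),      # no such consent
    ]
    return guard, [guard.authorise(r) for r in requests]


if __name__ == "__main__":
    guard, decisions = demo()
    for entry in guard.audit:
        print(entry)
```

The point is that possession of a consent identifier, or even a valid certificate, is not enough on its own: the request is only served when the certificate-derived identity, the consent, the account and the data type all line up, and the audit trail shows who asked for what even when the answer was no.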
Open banking goes hand in hand with predictive analytics: learning behaviour patterns and spotting anomalies. This also helps target fraud risk. All the major banks in Europe now run some kind of data science or AI department, Harris noted.
"Some of them are pretty sophisticated and they are doing that partly in response to fraud and risk, but also in response to customer service.
"The two things actually get a lot closer, because you are looking at what customers are doing, where the issues or anomalies are. Those issues might be positive ones; you are behaving in a way you didn't behave before because you are going to have a baby, and so therefore you're going to want to borrow money to buy a new car.
"Or it's because somebody has hacked your account and something bad is going to happen to it so that needs to be stopped.
"The challenge is that this is a very fast moving situation. As you get into this open banking space and PSD2, with these transactions moving millisecond by millisecond, the quantity of data involved is quite incredible."
Previously, policing this was based on end-of-day batch processing of the day's transactions: at settlement time you decided whether an account was in good standing or bad standing. That is becoming a thing of the past; the future is all about real time, and the challenge for banks is how to manage all that data.
Harris pointed out that this is very different from testing algorithms in a lab. PSD2 involves a real-time firehose of data, so data science teams will have to be able to test, train and rebuild algorithms very quickly: to fail fast and try again, in other words.
"It's not like you can sit there in the lab and grind away for hours to calculate all the data points. You haven't got four hours, when the payment's got to be somewhere else in five seconds, because that's what the legislation says.
"You need to be able to build, train, test and deploy algorithms quickly and efficiently. Realistically, sometimes none of us know whether the data is useful or not; you just need a platform that allows you to take data and crunch it quickly and say, does this data help me, and if it does, how do I get value out of it?
"It's about building an algorithm with 50 outputs, five times a second or whatever, and to turn that into something that spits out a useful thing at the other end ... whether that's an alert to say stop this, or a text message to say why don't you buy one of these."