PSD2's long shadow casts doubt over US fintech security
So says Seth Ruden, Sr. Fraud Consultant at ACI Worldwide.
The power and functionality contained in smartphones and other digital devices in 2017 is evidenced by their ability to enable purchases, conversations, research and more.
Among the array of applications on offer via these gadgets, FinTech companies, including Betterment and Mint, provide financial services ranging from robo-advised brokerage accounts to automated savings tools and loan-refinancing options. While varied in nature and function, the majority of these apps require customer banking data to verify and complete transactions. This information is thrusting service technology into new, diverse areas.
The context
Behind the scenes, however, not all is rosy. The influx of services to the online marketplace coincides with an uptick in the number of disputes filed, as malicious parties look to capitalise on advances in technology and an increasingly active mobile banking population.
Amid the chaotic scramble for opportunity, fraud has found a foothold and exploited the gap, capitalising on the lack of a 'gold standard' in the US for third-party applications that can securely integrate into existing payments streams. This is an unfortunate product of the unique enrolment processes and limited formal requirements that dwell within the FinTech industry.
If an implementation oversight exists, or a device experiences an error or a breach at any of the potential failure points within the software (provisioning the application to the device, entering payment credentials, or authenticating a payment), the impact could be disastrous. Restaurant apps become vessels for money laundering, while ride-hailing services might take fraudulent "test" cards for a spin. Our payments paradise becomes the Wild West.
Amid the sharing economy's rise and a growing reliance on online services, data has become a valuable commodity; one that the current model of data ownership, permissions and usage cannot yet fully capitalise on.
The Consumer Financial Data Rights Group (CFDR) is already campaigning for a new paradigm, one that enables access to consumer data among FinTechs, banks and consumers. The group argues the sharing of information will help achieve common goals across organisations, like building a more efficient financial ecosystem to encourage greater digital commerce. Similarly, a proactive desire to empower payment service users' identities using knowledge, possession and biometric-based authenticators will address some of the customer trust issues that stop 65% of global consumers from using a vendor again following a data breach (Source: Global Consumer Survey: Consumer Trust and Security Perceptions).
The shadow
Across the Atlantic Ocean, institutions are already making moves to turn this data-sharing society into reality.
The revised Payment Services Directive (PSD2), the new road map, is a European standard that sets a common baseline for keeping payment data clean and secure. It mandates strong authentication protocols for more accurate identity validation during transactions, while stimulating competition by giving FinTech companies direct access to customer data to process payments.
The magnitude of change within PSD2 will unify Europe's payments market, while taking strides to secure it. Residual benefits include greater efficiency, informed consumers and a confident customer base willing to adopt these technologies.
While many countries still rely on vulnerable username and password combinations, the PSD2 train marches on, promising effective and balanced controls for the next generation of payments. Revisions to the Payment Services Directive are already catalysing open banking, the sharing of customer data with third-party companies at the customer's request.
The solution
US financial institutions should look at PSD2 as an opportunity to refine U.S. data protection methods, security protocols and risk governance frameworks today. If not, our financial ecosystem risks being left behind by alternative services overseas that choose to leverage PSD2 compliance and modernised protection standards as competitive advantages and building blocks for further products.
A good starting place is creating secure, open application programming interfaces (open APIs), systems through which banks can share customer data with third-party services on a selective basis to build applications. Collaboration also affords large financial institutions an early-stage opportunity to invest in the FinTechs using their own capital, or provide a more expansive supply of customer data.
When built in collaboration with reliable vendors, a standardised open API framework reduces the security vulnerabilities and inefficiencies that exist in today's enterprise architecture, such as the screen-scraping technology currently used by third-party companies to collect user data.
From a customer experience standpoint, this dynamic would give banks, which are better equipped to protect sensitive personal information, the ability to vet a FinTech organisation's security measures in a test environment before sharing real customer data. In turn, effective security measures and the applications abiding by them can scale up and gain merchant support at a faster pace, buoyed by the stricter security standards required within chartered banks.
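To make the difference between screen scraping and a selective open API concrete, here is an added illustration in Python. It is not code from this article, from ACI Worldwide, or from any PSD2 reference implementation; the customer record, the login credentials, the "budget-app" third party and the gateway API are all constructed for the example. The scraper logs in as the customer and sees everything, with no expiry and no way for the bank to tell the aggregator from the customer in its logs; the gateway ties each read to a named third party, a consent scope, an expiry and an audit record, and lets the customer revoke access at once.

```python
# Added example (not the article's or ACI Worldwide's code): a toy bank-side
# gateway that shares customer data with a third party on a selective,
# time-limited, revocable basis, contrasted with credential-based screen
# scraping. All names and data below are constructed for illustration.
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample data for a single hypothetical customer.
CUSTOMER_DATA = {
    "cust-001": {
        "balances": {"checking": 1250.40, "savings": 8000.00},
        "transactions": [
            {"id": "tx-1", "amount": -42.10, "merchant": "Grocer"},
            {"id": "tx-2", "amount": 2500.00, "merchant": "Payroll"},
        ],
        "profile": {"name": "Alice Example", "ssn_last4": "1234"},
    }
}
# Constructed login credentials, as a screen scraper would have to hold them.
CUSTOMER_LOGINS = {"alice": ("cust-001", "constructed-password")}


def screen_scrape(username, password):
    """Legacy approach: the third party logs in as the customer and gets
    everything the customer can see, indefinitely, with no scope and no
    audit trail naming the third party."""
    customer_id, expected = CUSTOMER_LOGINS[username]
    if password != expected:
        raise PermissionError("bad credentials")
    return CUSTOMER_DATA[customer_id]


@dataclass
class Consent:
    customer_id: str
    third_party: str
    scopes: frozenset   # resources the customer agreed to share
    expires_at: float   # unix time after which the token is dead
    token: str = field(default_factory=lambda: secrets.token_urlsafe(24))


class OpenApiGateway:
    """Bank-side gateway (hypothetical): every read is checked against a
    consent's scope and expiry and written to an audit log."""

    def __init__(self):
        self._consents = {}  # token -> Consent
        self.audit = []      # (third_party, customer_id, resource, outcome)

    def grant(self, customer_id, third_party, scopes, ttl_seconds, now=None):
        now = time.time() if now is None else now
        consent = Consent(customer_id, third_party, frozenset(scopes),
                          now + ttl_seconds)
        self._consents[consent.token] = consent
        return consent.token

    def revoke(self, token):
        # Customer-initiated revocation takes effect on the next read.
        self._consents.pop(token, None)

    def _deny(self, consent, resource, reason):
        who = (consent.third_party, consent.customer_id) if consent else ("?", "?")
        self.audit.append(who + (resource, "denied:" + reason))
        raise PermissionError(reason)

    def read(self, token, resource, now=None):
        now = time.time() if now is None else now
        consent = self._consents.get(token)
        if consent is None:
            self._deny(None, resource, "unknown or revoked token")
        if now >= consent.expires_at:
            self._deny(consent, resource, "consent expired")
        if resource not in consent.scopes:
            self._deny(consent, resource, "resource not in granted scopes")
        self.audit.append((consent.third_party, consent.customer_id, resource, "ok"))
        return CUSTOMER_DATA[consent.customer_id][resource]


def demo():
    """Run both models with a fixed clock and return a summary for checking."""
    scraped = screen_scrape("alice", "constructed-password")
    gw = OpenApiGateway()
    t0 = 1_700_000_000.0  # fixed clock so the run is deterministic
    token = gw.grant("cust-001", "budget-app", {"balances"}, 3600, now=t0)
    balances = gw.read(token, "balances", now=t0 + 10)
    denied = {}
    # Out-of-scope resource, then an expired token, then a revoked one.
    for label, resource, when in (("profile", "profile", t0 + 10),
                                  ("expired", "balances", t0 + 3600)):
        try:
            gw.read(token, resource, now=when)
        except PermissionError as exc:
            denied[label] = str(exc)
    gw.revoke(token)
    try:
        gw.read(token, "balances", now=t0 + 20)
    except PermissionError as exc:
        denied["revoked"] = str(exc)
    return {"scraper_sees": sorted(scraped), "api_balances": balances,
            "denied": denied, "audit_entries": len(gw.audit)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The contrast is in what each party can prove afterwards: the gateway's audit log names the third party on every call, including the denied ones, which is exactly the visibility a bank needs when vetting a FinTech in a test environment before any real customer data changes hands.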
Ideally, this co-existence will foster dialogue around creating standards for data security and incident reporting across the industry.
In contrast to voluntary collaboration, a mandated US equivalent of PSD2 would put FinTech innovators at a disadvantage to their non-chartered counterparts when creating digital banking services and using aggregation for wealth management and other business lines. To avoid the regulatory restraints that encroach on market share in a new era, and to remain competitive on the global fintech front, banks need to foster mutually agreeable and favourable conditions that meet FinTech firms halfway while encouraging secure, consumer-friendly innovation. The Federal Reserve's Secure Payments Task Force is making recommendations, and they may create the environment that prompts us to reprioritise US payment security standards.
Regardless of the outcomes of this battle over digital banking transformation, it's in the interests of US banks and FinTech companies to reassess security parameters for access to customer data. Banks should consider voluntarily ceding their financial data to third-party companies, focusing less on opposition and more on feeding this information securely to stay comparable with European financial institutions.
Our faith in digital payments is keeping us on track for further innovation, while our devices continue to fascinate with a cascade of new features. The U.S. must follow suit in introducing security best practices to protect consumers and complement the science of technology innovation.
Seth Ruden, Snr. Fraud Consultant, ACI Worldwide
© Copyright IBTimes 2024. All rights reserved.