PSD2 and fraud: what banks need to know
New regulations on data access and protection mean that banks need to review and adapt their fraud protection systems now, writes Francis Chlarie.
European banks are in a quandary. On the one hand, they will be obliged to open up bank account data to authorized third parties from January 2018, when the Payment Services Directive 2 comes into force. On the other, they are being asked to comply with the tough new General Data Protection Regulation, which will become law the following May.
How will banks reconcile the imperative to share customer data with the obligation to protect that data more securely? How will they protect their customers from fraudsters posing as bona fide service companies?
These imminent changes are putting a big burden on banks’ compliance departments.
The major focus for banks today is PSD2. They have just a few months to get their systems in shape to provide account and payment access to authorized third parties in a secure way. Unless they can effectively address the increased risk of both fraud and data breaches, they will suffer huge regulatory fines as well as the inevitable erosion of trust.
Today, banks have a relatively straightforward one-to-one relationship with their customers. Post PSD2, they will be involved in many more relationships through third parties. Yet at the end of the day, banks will remain liable for all customer-initiated transactions. So they need to ensure the legitimacy of any third party accessing data. If such data is subsequently misused, the bank will be liable.
The stakes are high. Banks must be able to show that they have done all they can to protect their customers’ data. There is no time to lose. Banks should now be testing their current anti-fraud mechanisms – if they haven’t done so already – to ensure they are ready to face this brave new world.
When it comes to fighting fraud, banks are already having to monitor a far broader landscape. Instant payments and the introduction of 24/7 banking come into force in November this year, meaning that banks are processing far more transactions. Factor in third parties and the application programming interfaces they will use and the risk landscape expands considerably.
How will the entry of third parties complicate the risk picture? To begin with, requests by third parties may be susceptible to fraud powered by malware. Fraudsters could also use a legitimate access as an obfuscation layer to confuse banks’ fraud defenses.
In fact, any new digital channel carries inherent risks. Fraudsters could seize the opportunity to impersonate genuine customers, harvest their information and use it to open fraudulent credit accounts in their name.
Given that fraud detection systems are already under great pressure, what can banks do to ensure they are fit for purpose?
They could try scaling up their current systems to cope with the extra volumes, but this is likely to become uneconomic very quickly. The alternative is to reduce the number of transactions that must be monitored by changing the rules – increasing the number of exemptions.
The European Central Bank has already acknowledged the onerous new responsibilities being imposed on financial institutions. To ease the burden, it has drafted a list of new exemptions so banks don’t have to check that every access request is legitimate. These include a 90-day exemption period following authentication for viewing balances or transactions; contactless card transactions of less than €50 up to a cumulative limit of €150 or five transactions; card transactions at parking meters and toll gates; payments from and to accounts owned by the same user; payments to a previously created beneficiary; and low-value transactions of less than €30 until the cumulative total exceeds €100 or five transactions.
These exemptions will significantly cut the surveillance effort, keeping costs down. But even within these fixed exemptions, banks need to show that the risk score is acceptable. Banks will be required to demonstrate that their fraud-detection analysis covers issues such as abnormal patterns of spending; payment history of the user and the user population; location of the payer; location of the payee account; lists of compromised or stolen authentication elements; payment amount; known fraud scenarios; unusual information about the device or software; and signs of malware infection.
In order to combine the necessary risk analysis with the exemptions and remain compliant with PSD2, banks will need fraud-detection engines that combine different sources of information – both internal and external – with behavioral analytics and cover long periods for unique accounts.
For big banks, the resources to meet the new regulatory and anti-fraud requirements are within their grasp. But small and medium-sized banks will almost certainly need help – and need to get moving now. There’s a lot to take in and a lot to accommodate to make sure their customers can experience the benefits of open banking while enjoying excellent data protection, yet also ensuring that banks remain compliant.