FinTech – between Open APIs and Strong Authentication at the time of the PSD2
The FinTech revolution is being driven by the PSD2, which turns banks into platforms and exposes them to new legal risks arising from open APIs and strong customer authentication obligations.
The wave of FinTech and the reaction of traditional banks
I discussed the matter in a previous post. According to the estimates of Goldman Sachs, traditional financial institutions and banks might lose $4.7 trillion in revenue to the benefit of FinTech companies. FinTech firms are not expected to kill off traditional banks, but will act as disrupters cutting costs and improving the quality of financial services.
The reaction from the banking sector to the “wave” of FinTech has been to
- either adopt a protective approach, preventing FinTech start-ups from providing services to their clients;
- or to acquire FinTech companies;
- or to enter into partnerships with them, where in most cases the final goal is to acquire them if they prove valuable.
Open APIs obligation turns banks into platforms
Unfortunately for traditional banks, the EU Payment Services Directive 2 (PSD2) will introduce the obligation for entities like banks to allow authorised third party providers to
- have access to their customers’ account information and
- initiate payments on a customer’s behalf
under conditions that need to be objective, non-discriminatory (free of charge or at the actual cost) and proportionate, when explicit consent has been given by the customer.
The above obligation is usually translated into an obligation on banks to open their technical interfaces (the so-called APIs) to third party providers. But, beyond the technical change, what is most interesting is that banks will become a platform for third party services. Indeed, rather than fighting FinTech start-ups, banks will have to attract customers also through the services that can be connected to their accounts by third party providers, some of which the banks may eventually acquire.
Are open APIs a risk of cyber attacks?
There is no doubt that open APIs create an access door to bank accounts from outside the perimeter of banks, and this widens the attack surface for potential cyberattacks. According to a report by Symantec, there were more than 430 million new malware variants in 2015, with 318 total data breaches and more than 429 million identities exposed to cyberattacks.
And the above obligation will be introduced during the same period when the new EU General Data Protection Regulation (GDPR) with its massive fines up to 4% of the global turnover and reporting obligations in case of data breaches will become effective.
Both the PSD2 and the GDPR require that “appropriate” and “proportional” security measures be put in place. But any reasonable security measure might look appropriate up until a smart hacker identifies a bug in the system, and there is no software without bugs. Therefore, under both the PSD2 and the GDPR, it is more a question of being able to prove that what the applicable regulations required was actually carried out.
This is also relevant in the light of the privacy principle of accountability, which places the burden of demonstrating compliance with the GDPR obligations on the party under investigation.
The link between privacy and FinTech rules is further confirmed by the fact that the PSD2 lists privacy compliance as one of the requirements to be met by payment service providers. Therefore the regulatory approval of a payment provider might depend on whether or not it holds a certification of compliance with privacy laws.
Strong authentication as one of the “enemies” of FinTech
The second change introduced by the PSD2 that has been most highly debated relates to the strong customer identification obligation. This is defined by the PSD2 as
“an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.
This is a measure aimed at ensuring a higher level of security in payment transactions. And indeed the PSD2 requires payment service providers to implement it where the payer:
- accesses its payment account online;
- initiates an electronic payment transaction; and
- carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
The issue is that such a security measure might prevent the performance of immediate payments, which are the backbone of FinTech.
The position of the European Banking Authority on strong authentication
Because of the potential issues that might derive from the use of strong customer authentication, the European Banking Authority (EBA) has been working on regulatory technical standards (RTS) for strong authentication.
According to the final draft of the RTS, the most interesting aspects are the exemptions from the application of strong customer authentication on the basis of
- the level of risk involved in the service provided,
- the amount and recurrence of the transaction and
- the payment channel used for the execution of the transaction.
In this respect, the EBA has introduced two new exemptions:
- one linked to a transaction-risk analysis based on defined fraud levels and
- the other for payments at so called “unattended terminals” for transport or parking fares.
Additionally, the EBA has increased the threshold for remote payment transactions exempt from strong customer authentication from €10 to €30.
The scope of the first exemption above is interesting, but will have to be tested in practice. There might be services that are initially exempt from strong customer authentication but, due to a rise in fraud levels, later become subject to it. If this is the case, it might be a relevant cost for the industry.
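The factor-independence rule in the PSD2 definition and the three RTS exemptions described above (low-value remote payments up to €30, unattended transport or parking terminals, and transaction-risk analysis tied to a fraud level) can be expressed as a decision routine. The following is an added illustration, not code from the post or from any PSP; the `Transaction` fields and the fraud-rate ceiling are assumptions, since the page gives no figure for the risk-analysis threshold.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


@dataclass
class Transaction:
    amount_eur: float
    remote: bool                # initiated through a remote channel
    unattended_terminal: bool   # transport or parking fare terminal
    provider_fraud_rate: float  # PSP's observed fraud rate for this channel (assumed input)


REMOTE_LOW_VALUE_LIMIT_EUR = 30.0       # threshold quoted from the EBA final draft RTS
ASSUMED_TRA_FRAUD_RATE_CEILING = 0.001  # constructed placeholder; the page gives no figure


def meets_sca(factors: Sequence[Factor]) -> bool:
    """Two or more elements from *distinct* categories.

    Two passwords are still one category, so they do not qualify.
    Independence of delivery (separate device or channel) is a design
    requirement this routine does not evaluate.
    """
    return len(set(factors)) >= 2


def exemption_for(tx: Transaction) -> Optional[str]:
    """Name the RTS exemption that applies, or None if SCA is mandatory."""
    if tx.unattended_terminal:
        return "unattended_terminal"
    if tx.remote and tx.amount_eur <= REMOTE_LOW_VALUE_LIMIT_EUR:
        return "low_value_remote"
    # A PSP whose fraud rate climbs above the ceiling loses this exemption,
    # which is the cost the post warns about.
    if tx.provider_fraud_rate <= ASSUMED_TRA_FRAUD_RATE_CEILING:
        return "transaction_risk_analysis"
    return None


def authorise(tx: Transaction, factors: Sequence[Factor]) -> Tuple[bool, str]:
    """Decide whether the payer may proceed and record why."""
    exemption = exemption_for(tx)
    if exemption:
        return True, f"exempt: {exemption}"
    if meets_sca(factors):
        return True, "sca satisfied"
    return False, "sca required"
```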
This is an interesting topic and we will see how it evolves. In the meantime, if you found this article interesting, please share it on your favorite social media. Also, below is a presentation (in Italian) that I gave on the topic.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.