
All you need to know about PSD2: what is it and how can it work beyond the financial industry?

Jul 31, 2022 3:31:09 PM

Are you working in the financial industry? And have you not heard about PSD2? I doubt you would find anyone who can answer “yes” to both of these questions. There is hardly any legislation that will cause as much disruption as PSD2. In the course of this blog, I will outline PSD2, its pillars and the GDPR paradox, thereby helping you not only be better prepared for this disruptive legislation but also think about using the ethos and spirit of PSD2 as a new business opportunity.

What is PSD2?

The new Payment Service Directive 2, often referred to as “PSD2”, is a legislation of the European Union which makes it mandatory for banks (Account Information Service Providers or AISPs) to provide the following three services (free of charge) to Third Party Service Providers (known as TPPs):

  • Account Information Service (AIS): Provide details of the account such as transactions, balance, account holder details etc;
  • Payment Initiation Service (PIS): Initiate payments and retrieve information on the status of the transaction;
  • Confirmation of availability of funds (CAF): Check for availability of funds.

The TPPs - with the consent of the account holder - can access the account/payment (XS2A) data at the bank, which allows them to offer new services that are not yet available or possible within the landscape of traditional banking. This means that new FinTech companies, which are swifter in implementing new technologies and innovate at a faster pace than traditional banks, will now be able to access all the payment accounts across Europe to make payments on customers’ behalf and also look at their transactions.


PSD2 for banking as a model for other industries

Some of the major objectives of this legislation are to open up the market and lay the ground for better collaboration, more innovation and competition in the European payments market, and increased payments security. Ultimately this would lead to more choices for the consumer with better and enhanced security. Although the legislation is aimed at and only legally binding for the banks, the idea behind it can be incorporated in any sector, especially in today’s time where consumers have a plethora of options to choose from, all digitally available at the tip of their fingers. In such scenarios, it is only natural for companies to collaborate sometimes (rather than compete).

PSD2 implementation is often spoken about in the same breath as API management. But it is not just that simple. In order to deal with the consequences of the legislation, organisations will need to make sure that the basis of their identity and security infrastructure is in place. I would like to highlight these 3 components that are often underestimated:

1. Identity & Access Management:

Identity & Access Management is a crucial part of offering secure access to bank accounts (XS2A). The Third Party (TPP) can access the payment account data (resource) with the “consent” of the bank user (resource owner). Do these terms seem familiar? Yes, they form the crux of the OAuth/OpenID specifications. Identifying the customer, storing the consent, allowing TPPs to access customer data based on fine-grained access rules and managing the consents are all IAM-focused capabilities.

2. Consent:

Consent in essence is the trust between the user and an organisation. For users, consent offers choice. Users have the ability to express their preference: allow the processing of their data, or not. GDPR defines consent as “freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Users must be made aware of the consequences of their decision and how their data is or will be used. Consent also needs to be granular, meaning that different types of consent should be given for performing different tasks if data is used in a number of distinct ways. Consent in PSD2 must cover a wide range of attributes right from the TPP’s name, what data the customer wishes to share, how frequently, for how long etc. With so much importance defined around consent, it is no doubt the key to execute the legislation.

3. Strong Customer Authentication (SCA):

The legislation also emphasises Strong Customer Authentication (SCA). This is to reduce fraud and make financial services safer and more secure. The customer can currently identify themselves in the following ways:

  • Username/Password: Something that only the customer is expected to know;
  • Using a device: Usually a phone, which is expected to be only in the possession of the customer;
  • Fingerprint or face recognition: Something which biometrically establishes the identity of the customer.

Strong Customer Authentication enforces that you use at least two of the above methods to establish the identity of the user. Most of the banks implement SCA using what we know as Multi Factor Authentication (MFA).
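The three components above fit together in one access decision: the account holder passes SCA, grants a granular consent (which TPP, which data, how frequently, for how long), and the bank checks every one of those attributes before releasing data to the TPP. The following is an added, constructed example of that decision, not iWelcome’s product code; all names and values are hypothetical.

```python
# Constructed example modelling the three components discussed above: SCA at
# consent time, a granular time-bound consent, and the bank's access check.
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2022, 7, 31, 12, 0)  # constructed reference time for the demo

# SCA factor categories: the factors must come from at least two distinct ones,
# so password + PIN (both "knowledge") does not count as strong authentication.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "registered_device": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def sca_satisfied(factors):
    """True when the presented factors cover at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2

@dataclass
class Consent:
    tpp_name: str            # which TPP the account holder consented to
    services: set            # subset of {"AIS", "PIS", "CAF"}
    data_types: set          # e.g. {"balance", "transactions"}
    max_per_day: int         # how frequently the TPP may access the data
    valid_until: datetime    # for how long the consent lasts
    used_today: int = 0

def grant_consent(factors, tpp_name, services, data_types, max_per_day, days, now):
    """Create a consent record only after the account holder has passed SCA."""
    if not sca_satisfied(factors):
        return None
    return Consent(tpp_name, set(services), set(data_types), max_per_day,
                   now + timedelta(days=days))

def authorise_access(consent, tpp_name, service, data_type, now):
    """Return (allowed, reason); every consent attribute must match the request."""
    if consent.tpp_name != tpp_name:
        return False, "consent given to a different TPP"
    if now >= consent.valid_until:
        return False, "consent expired"
    if service not in consent.services:
        return False, "no consent for service " + service
    if data_type not in consent.data_types:
        return False, "no consent for data type " + data_type
    if consent.used_today >= consent.max_per_day:
        return False, "frequency limit reached"
    consent.used_today += 1
    return True, "ok"
```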

PSD2 as a GDPR Anomaly?

We now see the first incidents where the EU has fined companies for violation of GDPR, which brings us to the paradox of PSD2 and GDPR. GDPR provides regulations to protect the privacy of consumers throughout the European Union. It prescribes rules for the processing of personal data; companies must be transparent about which personal information is collected or processed. At the same time, PSD2 talks about sharing the data, which creates a certain ambiguity. For data control, GDPR requires the user’s consent to allow processing of data; on the other hand, PSD2 needs consent to share the data with TPPs.

PSD2 as an opportunity in other sectors?

In spirit, the PSD2-like mindset of opening up to collaborate can also be implemented in other industries like insurance, retail, consumer goods etc. We live in an era where new technology disruptions happen in the blink of an eye, so the need for collaboration is higher than ever. Collaboration means opening up services to business partners, customers etc., which brings in Identity & Access Management, fine-grained Consent Management, GDPR compliance, and Delegated User Management with complex relationships and mandates, all of which are available under one umbrella within iWelcome’s CIAM solution.

Feel free to repost this blog on your website or social channels! But when you do so, please be so kind as to mention the source and give us a notice via marketing@iwelcome.com.
