- About Us
Are you working in the financial industry? And have you not heard about PSD2? I doubt if you would find anyone who can answer “yes” to both of these questions. There is hardly any legislation that will cause as much disruption as PSD2. In the due course of this blog, I will outline: PSD2, its pillars & the GDRP paradox, thereby helping you not only be better prepared for this disruptive legislation but also think about using the ethos & spirit of PSD2 as a new business opportunity.
The new Payment Service Directive 2, often referred to as “PSD2”, is a legislation of the European Union which makes it mandatory for banks (Account Information Service Providers or AISPs) to provide the following three services (free of charge) to Third Party Service Providers (known as TPPs):
The TPP’s - with the consent of the account holder - can access the account/payment (XS2A) data at the bank, which allows them to offer new services that are not yet available/possible within the landscape of traditional banking. This means that new FinTech companies which are swifter in implementing new technologies and innovate at a faster pace than traditional banks will now be able to access all the payment accounts across Europe to make payments on customers’ behalf and also look at their transactions.
Some of the major objectives of this legislation are to open up the market and lay a ground for better collaboration, more innovation, competition in the European Payments market and increased Payments Security. Ultimately this would lead to more choices for the consumer with better & enhanced security. Although the legislation is aimed at and only legally binding for the banks, the idea behind it can be incorporated in any sector, especially in today’s time where consumers have a plethora of options to choose from, all digitally available at the tip of their fingers. In such scenario's, it's only natural for companies to collaborate sometimes (rather than compete).
PSD2 implementation is often spoken about in the same breath as API management. But it is not just that simple. In order to deal with the consequences of the legislation, organisations will need to make sure that the basis of their identity and security infrastructure is in place. I would like to highlight these 3 components that are often underestimated:
Identity & Access management is a crucial part to offer secure access to bank accounts (XS2A). The Third Party (TPP) can access the payment accounts data (resource) with the “consent” of the bank user (resource owner). Do these terms seem familiar? Yes, they form the crux of OAuth/OpenID specifications. Identifying the customer, storing the consent, allowing TPPs to access customer data based on fine grained access and managing the consents are all IAM focused capabilities.
Consent in essence is the trust between the user and an organisation. For users, consent offers choice. Users have the ability to express their preference: allow the processing of their data, or not. GDPR defines consent as “freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Users must be made aware of the consequences of their decision and how their data is or will be used. Consent also needs to be granular, meaning that different types of consent should be given for performing different tasks if data is used in a number of distinct ways. Consent in PSD2 must cover a wide range of attributes right from the TPP’s name, what data the customer wishes to share, how frequently, for how long etc. With so much importance defined around consent, it is no doubt the key to execute the legislation.
The legislation also emphasises on Strong Customer Authentication (SCA). This is to reduce fraud and make the financial services safer & secure. The customer can currently identify itself in the following ways:
Strong Customer Authentication enforces that you use at least two of the above methods to establish the identity of the user. Most of the banks implement SCA using what we know as Multi Factor Authentication (MFA).
We now see the first incidents where the EU has fined companies for violation of GDPR, which brings us to the paradox of PSD2 & GDPR. GDPR provides regulations to protect the privacy of consumers throughout the European Union. It prescribes rules for the processing of personal data; companies must be transparent about which personal information is collected or processed. At the same time, PSD2 talks about sharing the data which creates a certain ambiguity. For data control, GDPR requires the user consent to allow processing of data; on the other hand, PSD2 needs consent to share the data with TPP’s.
In spirit, the PSD2 like mindset of opening up to collaborate can also be implemented in other industries like insurance, retail, consumer goods etc. We live in an era where new technology disruptions happen in the blink of an eye, so the need for collaboration is higher than ever. Collaboration means opening up the services to business partners, customers etc. which brings in Identity & Access Management, fined grained Consent Management, GDPR compliancy, Delegated User Management with complex relationships and mandates, all of which are available under one umbrella within iWelcome’s CIAM solution.
Feel free to repost this blog on your website or social channels! But when you do so, please be so kind as to mention the source and give us a notice via firstname.lastname@example.org.