At a roundtable discussion held Wednesday in London and hosted by digital payments firm PPRO, industry leaders met to explore the impact PSD2 has had on key players in Open Banking and the changes needed to achieve the regulation’s objective in 2020 and beyond, Finextra reports.
On the issue of Strong Customer Authentication (SCA) and the complex task of balancing customer expectation with security, Ralf Ohlhausen, executive advisor and European TPP Association vice-chairman, comments that “in the absence of better technologies we are putting the burden back on to the consumer. We can’t just increase security by making customers do more.
“We need to find a way to avoid two factor authentication (2FA) which still complies with regulation as SCA is just too cumbersome. There are methods to achieve this and if we want to be able to provide the ‘Uber’ experience we need to look to solutions such as behavioural biometrics.”
Demonstrating how cumbersome the SCA process can be for consumers, Ohlhausen points to the ongoing disadvantage between the payment initiation and the card world, whereby making payments, particularly to countries outside of the UK, can require multiple, separate 2FA steps to be made by the consumer.
Further, Third Party Providers (TPPs) who provide their platform into countries which do not yet function through APIs must operate through an original interface which requires yet another SCA.
The rise of Technical Service Providers (TSPs) sitting as a middle layer between regulatory bodies and the deliverers of Open Banking products and services is illustrative of the need to manage this incongruence.
When questioned as to whether the growth of TSPs should be attributed to the lack of clarity surrounding PSD2 regulation, Jack Wilson, head of policy and regulatory affairs, Truelayer, says “these firms are seen as being enablers of Open Banking in the UK. While there may be an effort towards standardisation in the UK in light of Open Banking standards, OB standards have been implemented differently within and outside of the UK.
“If you’re a fintech who specialises in just providing a specific service, you don’t want to be maintaining connections into millions of API endpoints or screen-scraping.”
Turning to Payment Initiation Service Providers (PISPs), James Booth, VP of EMEA, PPRO, comments: “there is a huge hole in the market for PISP services and that’s because launching such a service is a huge undertaking.
“You need demand on both the side of the merchant and the side of the consumer. In a market that’s becoming more and more fragmented it’s becoming harder and harder to launch a PISP service.”
On the PISP front, Ohlhausen states that developing this capability “is the closest to rocket science I’ve ever come across, as it has to be both frictionless and it has to be secure. To achieve these two elements without a contract with a bank is very difficult.”
Despite faster payment services in the UK, these payments are still not universally instant, and to find a way to mitigate the risk that initiated payments will not be executed is the ‘rocket science’ Ohlhausen alludes to.
For PISPs to minimise this risk regarding payment mitigation, ample data must be pulled from the consumer payment history so that a provider can make a judgment about whether the payment will or will not succeed.
“The problem with PSD2 in this circumstance is that it isn’t prescribing the banks to provide all of this data through their APIs. There is no recognition of the fact that a PISP needs as much data as the Account Information Service Provider and that’s where we’re lacking a lot of functionality” argues Ohlhausen.
Tom Catchpole, Open Banking lead, Account Technologies, explains that the current way Account Technologies mitigates its risk is through a ‘synthetic overdraft’ product which sits to the side of a customer account.
If the company judges that a customer will go over their unauthorised overdraft, funds are injected into their account and the account holder is charged an interest fee for the service. This is an expensive way to mitigate risk, Catchpole contends, with Account Technologies spending between £3 million and £4 million annually across their customer base.
Catchpole continues, “if however, we could remove this fee and push the saving to the customer, we could charge them around half the fee we currently charge. PISPs are a solution that we could see ourselves using to remove this risk-minimising process, but at this stage we’re not willing to explore it until we have a contract with the banks.”
On the topic of data credential sharing, Ohlhausen continues: “If banks were not forced by regulation to deliver APIs then we would not have them available. Even so, it’s naïve to think that APIs will be the dominating tool for data pulling in the future.
“What we need is to incentivise players to allow direct access to accounts through credential sharing which in the absence of APIs will be the key enabler for data sharing. Banks need to stop the witchhunt and demonising of data sharing because they’re shooting themselves in the foot – it will be the only way to access Big Tech data and achieve reciprocity in this environment.”
Comments – Steve Kirsch – Token, Inc. – San Francisco
We’ve had open banking for over 20 years now…it’s called the worldwide web. The problem was that it was targeted to humans. The goal of PSD2 should have been just to ask the banks to provide similar functionality, but computer-friendly APIs with digitally signed transactions signed in the user’s favorite signing app which uses the secure enclave of the mobile phone.
That is truly open banking. There was never a need for PISP/AISPs. This just adds a useless man in the middle that can be attacked, just like Mt Gox was a man-in-the-middle allowing mass theft and increases the costs and risks.
I think it will take 10 years before people realize that they should just open up banking DIRECTLY to any digitally signed requests that the user has authorized the public key for, e.g., the public key of a corporate HSM. That’s when the magic will happen.