How Raiffeisen Italy achieved PSD2 compliance with mobile authentication & mobile app shielding

Article written by OneSpan Inc.,  a global leader in software for trusted identities, e-signatures and secure transactions. More than half of the world’s top 100 global banks trust OneSpan to keep their customers and transactions safe. OneSpan is one of the main partners of Banking 4.0 – international fintech conference.

Raiffeisen Italy is the umbrella organization for 40 entities of Raiffeisen Bank in the Italian province of South Tyrol. Overseeing the IT services for these member banks, Raiffeisen Information System CIO Alexander Kiesswetter modernized Raiffeisen Italy’s authentication system to comply with the revised Payment Services Directive (PSD2). As part of that initiative, Raiffeisen Italy introduced a standalone mobile app that authenticates and secures users – built using the OneSpan Mobile Security Suite and white-labeled with the Raiffeisen brand.

While PSD2 compliance was the main driver, the rapid adoption of digital and mobile banking made it important for Raiffeisen Italy to offer both strong security and an easier user experience. Simply put, customers no longer want to pull out their bank card and hardware token for every small transaction – preferring instead to authenticate through their mobile device.

“Mobile-first is an important part of our digital transformation strategy. For the first time, we have a solution that enables us to move services completely to the smartphone without using other hardware tools for the authentication. Now, we can use not only the PIN for the authentication, but also Face ID and Touch ID,” Alexander Kiesswetter says.

PSD2 Compliance Requirements
As the CIO, Alexander Kiesswetter faced two challenges: PSD2 compliance and a legacy authentication system that customers found difficult to use.

PSD2 compliance is a key priority for financial institutions (FIs) across Europe. FIs need to comply with the requirements for Strong Customer Authentication and Transaction Risk Analysis. In addition, Raiffeisen Italy had to meet two other PSD2 requirements:

Dynamic Linking: For remote payment transactions, PSD2 requires that FIs apply authentication that dynamically links the transaction to a specific amount and payee. Throughout the authentication process, the confidentiality, integrity, and authenticity of payment information needs to be protected, and the user must be made aware of the amount and the payee.
Replication Protection: If a bank chooses to use a mobile app as a part of their authentication flows, they must take action to mitigate the risk of an attacker reverse engineering the app to uncover and potentially reproduce the token secret used to generate an authentication code. Therefore, FIs have to protect the possession element (in this case, the app) against cloning.
Further, the bank wanted to provide an easier authentication experience for customers. The problem was, they found themselves in the conventional tug-of-war between security and ease of use – with security winning at the expense of customer experience. While their legacy authentication system was very secure, customers complained it was burdensome.

“Until we started using OneSpan, our attention was focused on security. That’s why we used separate hardware tokens with bank cards, because we weren’t convinced that an alternative would give us enough security,” says Kiesswetter.

Evaluation and Selection
For Raiffeisen Italy, choosing best-of-breed technologies through the right network of IT security partners, is core to their success. An in-house build was never an option, so the CIO tasked two teams with evaluating solutions:

For authentication, a group of IT technicians made the software selection.
For mobile app security, the evaluation team included the CISO, an IT Architect, and representatives from the risk and compliance, software development, and customer support teams.
“During the selection process, we evaluated several companies. The big difference we saw between OneSpan and other vendors was OneSpan’s solutions combine a high level of security and compliance with a high level of usability.”

A Dual Solution
Using the OneSpan Mobile Security Suite library of APIs, Raiffeisen Italy added transaction signing to secure customers’ online transactions against fraud. They also integrated mobile app shielding to protect their mobile authenticator app.

“We selected OneSpan’s innovative solutions because they provide a high level of security and a high level of usability. Traditionally, it’s very difficult to combine security and usability – until now, it’s always been a trade-off. We wanted to innovate and simplify the customer experience. With this project, we were able to do that,” says Kiesswetter.

The OneSpan solution enabled the bank to comply with the PSD2 requirements for:

Dynamic Linking: The bank implemented Cronto® technology, which uses a graphical cryptogram made of colored dots to encrypt transaction details. Used by banks throughout Europe and around the world, Cronto meets the PSD2 authentication and dynamic linking requirements for securing financial transactions with minimal impact to the user experience.
See a sample transaction signing experience >>

Replication Protection: As part of its mobile-first strategy, Raiffeisen Italy launched a mobile banking application that authenticates and secures users. The bank took a leadership role as first-to-market in Italy to protect its app with mobile app security – specifically mobile app shielding with runtime protection. This technology protects a mobile app against several types of runtime threats. It creates a secure execution environment for mobile apps, allowing them to be executed even on untrustworthy mobile devices.
Watch a mobile app shielding video >>

The Benefits
Raiffeisen Italy has received positive customer feedback and experienced high adoption of the new authentication app.

“Customers perceive Raiffeisen once again as an innovative bank,” says the CIO. “The feedback that reached me is that customers are very satisfied by the new functionality. We also ran a marketing launch for the new authentication app. When we launched it, there was much demand and high activation, all positive signals from the market that they accepted it very well.”

“My advice to other banks is to start their digital transformation on the front lines, at the touchpoint with the customer. That is where the innovation is most important.”

This blog is excerpted from the full Raiffeisen Italy_Case_Study entitled Raiffeisen Italy Implements Mobile Authentication & Mobile App Shielding for PSD2 Compliance and Ease of Use.