Are you ready for the security obligations of PSD2?

As we close out 2016 and welcome 2017 as a year fresh with promise, it’s impossible to ignore the fact that Europe’s new revised Payments Services Directive (PSD2) is a reality that still looms large and uncertain in our future.

Even if passporting isn’t negotiated as part of Brexit and as a result PSD2 doesn’t come to fruition (a distinct possibility), open banking is nonetheless here to stay. Frankly, it’s about time – the industry is long overdue for a more competitive environment. Open banking will encourage exactly the type of innovation necessary to stimulate the development of new business models, as well as a wide range of new banking services.

But are banks really ready for all of the ramifications that open banking brings? In many cases, the answer is a resounding ‘no’ – although not for the reasons you’d think.

While everyone has been talking ad nauseam about the innovation and competition aspects of open banking, one critical impact has been notably absent from the majority of discussions, and that’s security.

Open banking throws the doors wide open to sensitive, valuable customer data and payment infrastructure. It’s easy to overlook the security implications of that fact when access is only being granted to appropriately regulated organisations, but let’s be realistic. The industry is already in an arms race with hackers, fending off attacks of every conceivable type. Who knows what kind of havoc can be wrought with free access to customer data and an open payment infrastructure? Quite possibly things we couldn’t even imagine. There’s already been talk about the risks of fraudulent third-party providers (TPPs) – what next?

Convenience versus security

In fairness, one of the main goals of open banking is actually to increase the security of payments. PSD2 specifically includes key security considerations, such as mandatory use of two-factor authentication; security incident reporting to both regulators and customers; as well as mandatory security assessment reporting to regulators that addresses security measures and their effectiveness.

All this provides some level of reassurance, but it certainly doesn’t relieve banks of the responsibility of making sure that their systems are properly secured against the potential barrage of inventive new attacks that could come – for example, by implementing behaviour monitoring technology so that incidents of fraud can be identified and stopped before they do any damage.

There’s no question that open banking will change the payments industry as we know it, promoting innovation and driving competition like never before. It will make payments easier than ever. But convenience shouldn’t come at the price of security. Banks need to seriously consider the security threats of open banking – and they need to prepare for those threats now, before it’s too late.
