The EU’s second Payment Services Directive (PSD2), coming into effect in January 2018, is fast approaching, and so is the CMA’s Open Banking initiative in the UK. With regulatory changes underway, designed to give users control over their banking data, retail banks and financial services are under pressure to defend their position as the number one provider of banking services.
The expected shift in control over banking data forces providers of banking services to undergo a fundamental digital transformation to ensure they have the technical capabilities to meet the new requirements and the ability to compete with new players that might enter the financial services stage to introduce new services and business models. While these are certainly challenging times for traditional banking players, the opportunities that arise from this industry transformation are manifold and certainly have the potential to shake up financial services as we know them.
Traditionally, the banking sector has wielded an extraordinary amount of power over consumers with the effect that there was little pressure to develop new services to compete for customers. The lack of competition specifically in retail banking meant that consumers were unable to benefit from new banking services and ended up paying more than they should. In the UK, the Competition and Markets Authority (CMA) has defined a set of measures to enable challenger banking services to emerge and increase competition. The most important of these measures is Open Banking.
Under Open Banking, the nine largest banks in the UK (the CMA 9: RBS, Lloyds, Barclays, HSBC, Santander, Nationwide, Danske Bank, Bank of Ireland, Allied Irish Bank) must enable customers to share their data with other banks and third parties in a secure way. This is aimed at fostering digital change, enabling new types of banking services and thereby increasing competitiveness in the sector.
In a very similar way, the EU’s amended payment services directive (PSD2) is concerned with increasing digital competitiveness and consumer choice by forcing banks to allow customers to share their data with Account Information Service Providers (AISPs) and enable online and mobile payments by Payment Initiation Service Providers (PISPs). PSD2 has significant overlap with Open Banking, and many believe PSD2 requirements can largely be achieved through the use of Open Banking.
When these regulations are due to come into force in 2018, they will together herald a new era of digital financial services and entirely new ways of banking. In practice, they must be underpinned by the principle of customer consent in order to enforce who can access your information and what they are permitted to do with it.
Data and consent at the core
At the heart of open banking is the issue of user consent. For the first time, customers will control their banking data and be able to choose who gets to access it and for what purpose.
On the implementation side, banks must not only ensure customer data is secure but adhere to customer access instructions in a consent-driven way. For third-party service providers such as retailers and account aggregators, it means they must become identity enabled to partake in the benefits of this new world. As an added layer of complexity, the imminent arrival of the GDPR means you will also have to ensure that users can revoke their open banking consent at any time.
Customer consent has been one of the main challenges to solve. How can users consent to the sharing of their data and the execution of their payments? And how can this be implemented before the early 2018 deadline? ForgeRock has been working with Payments UK and the Open Banking implementation entity in the UK to define the technical standards for open banking.
For instance, many third parties currently make use of “screen scraping” techniques to access customer data, though this is rarely officially supported by banks. This approach requires the customer to share their login credentials for the bank and effectively scrape the data from the page by simulating the user’s behaviour through the website. It is one aim of PSD2 to prevent such approaches in favour of properly secured APIs.
APIs: an open approach to access and authentication
What is needed to make this new open approach work is a consent-driven mechanism to invoke banking APIs securely. The OAuth 2.0 authorisation standard has solved this problem by enabling users to consent to an application acting on their behalf without sharing their credentials with the application. Google Drive would be a typical example of this: you can connect to your Google Drive account through one of the many third-party Google Drive-related applications without that app needing to know your Google credentials.
OAuth is a potential solution for authorising access to specific account functions such as reading a statement or making a transaction. The recently launched banks Monzo and Starling Bank are both using it today for exactly this purpose.
However, OAuth isn’t designed to enable consent for dynamic items, which is required for functions such as online payment where values vary each time. OpenID Connect (OIDC), which builds on top of OAuth, enhances its abilities. It’s typically used for federated authentication (e.g. “Login with your Google Account”); however, OIDC is more than just an identity layer. Importantly for Open Banking, OIDC not only defines a variety of standardised security tuning features on top of OAuth, it also defines a mechanism for the sort of consent we need to implement dynamic payments.
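As an added illustration (not code from the article or from ForgeRock), here is how an OIDC client acting as a payment initiator might bind a one-off payment consent into the authorisation request using the standard OIDC `claims` parameter, and then check the returned ID token against that consent. The bank endpoint, client id and the consent claim name are assumptions.

```python
import json
import secrets
import time
from urllib.parse import urlencode

# Hypothetical endpoint, client id and claim name (assumptions, not from the article).
BANK_AUTHORIZE = "https://bank.example/oauth2/authorize"
BANK_ISSUER = "https://bank.example"
CLIENT_ID = "pisp-retailer-123"
CONSENT_CLAIM = "payment_consent_id"  # the claim name a bank would publish is an assumption


def build_authz_request(consent_id, redirect_uri):
    """Build an OIDC authorisation request that binds a specific payment consent.

    The OIDC 'claims' parameter lets the client ask for a claim with a fixed 'value'.
    Requesting that claim in the id_token ties this authorisation to one payment
    (with its own amount and payee) rather than to a standing scope, which is what
    varying payment values need.  state and nonce protect the redirect round trip.
    """
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    claims = {"id_token": {CONSENT_CLAIM: {"value": consent_id, "essential": True}}}
    params = {
        "response_type": "code id_token",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid payments",
        "state": state,
        "nonce": nonce,
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return f"{BANK_AUTHORIZE}?{urlencode(params)}", state, nonce


def validate_id_token_claims(payload, expected_nonce, consent_id, now=None):
    """Check that a decoded id_token payload binds this session to this consent.

    Signature verification against the bank's JWKS is assumed to have happened
    already; this checks claim values only and returns "ok" or a reason string.
    """
    now = time.time() if now is None else now
    if payload.get("iss") != BANK_ISSUER:
        return "wrong issuer"
    aud = payload.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        return "token not issued to this client"
    if payload.get("exp", 0) <= now:
        return "expired"
    if payload.get("nonce") != expected_nonce:
        return "nonce mismatch (replayed or cross-session token)"
    if payload.get(CONSENT_CLAIM) != consent_id:
        return "consent id does not match the payment being initiated"
    return "ok"
```

The last check is the point of the exercise: a token that is valid in every other respect but carries a different consent id must not be used to execute this payment.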
The use of OIDC was formally recommended by the Open Banking Work Group for implementing open banking in the UK. Anyone who wishes to enter the open banking ecosystem must be OIDC enabled, including banks, aggregators and any third party that wants to partake in the open banking ecosystem, including retailers who want to process open banking payments.
Such access to banking data and functionality is unprecedented and security is of paramount importance. In terms of regulatory technical standards (RTS) PSD2 defines a number of them, with the Strong Customer Authentication (SCA) being of particular importance. Third parties will rely on this as part of the OIDC flow when customers are redirected to their banks to authenticate, but the cost and responsibility for implementing SCA will fall upon the banks.
The SCA and RTS cover elements such as two-factor authentication in this context. Authentication is then comprised of two of the following: knowledge (something you know), possession (something you have) and inherence (something you are). The RTS also suggests certain risk factors, such as location, transaction history and spending patterns among others, that should be monitored and factored into authentication and authorisation decisions.
Positives, negatives and opportunities
Large banks will need to ensure they have the capabilities to comply with the regulation and provide the sort of banking experiences that customers will expect, as more dynamic and agile competitors enter the market. Smaller challenger banks have an exciting opportunity to provide seamless banking experiences and compelling new services and steal market share from the more established players. Beyond banking, if you are a retailer of any kind, you will need to be identity-enabled in order to allow your customers to pay with open banking. Open banking is a mere seven months away and it is going to radically alter the banking and fintech industries forever, undoubtedly bringing challenges for established organisations but also offering a whole new world of opportunity for those who can adapt effectively to these changes. Whatever your business, open banking promises to significantly shake up the banking and payments ecosystem as we know it.
Nick Taylor, Director Customer Engineering at ForgeRock