
How private banks can make the best of PSD2 on mobile devices

Regulatory team, Entersekt, Cape Town, 19 June 2020


The European Union’s revised Directive on Payment Services (PSD2) is more than a complex compliance project; it will usher in years of dynamic market change. PSD2 itself has applied since January 2018 and its Regulatory Technical Standards (RTS) on strong customer authentication (SCA) took effect on 14 September 2019, but the European Banking Authority (EBA) allowed national supervisors to extend the deadline for SCA on e-commerce card payments to 31 December 2020.

Indeed, Article 9 of the RTS, which requires the elements of SCA to be independent of one another, appears to rule out short messaging service (SMS) one-time passwords (OTPs). OTPs are delivered to mobile devices over open mobile networks, where they can be intercepted and altered, and they sit largely unprotected on the device. Worse, they are typed into the same potentially compromised mobile browser or app through which the transaction was initiated, so the channel that carries the authentication code is not separated from the channel that initiates the payment, failing the RTS’s requirement for independence of the elements.

Deloitte stated the problem in broader terms: "Importantly, the RTS requires PSPs to ensure the independence of all the elements used in the SCA procedure and the channel, device or mobile app through which the authentication code is generated and received to be 'independent or segregated' from the channel, device or mobile app used for initiating the electronic payment transaction.

"This will pose challenges both technically and commercially. Technically, PSPs will need to ensure two different applications/channels are used to separately initiate payments and generate authentication elements (for example by requiring users to install the relevant bank “app” on their phone or carry a token generating key). Commercially, the challenge will be to do so with as little inconvenience to the user as possible, as cheaply as possible, but better than competitors."

This can and has been done, however.

The future and the naysayers

Bureaucrats regulate, businesses innovate, but it is ultimately consumers who determine which self-service technologies prevail. We know from decades of progress in digital service provision that people invariably opt for pared-down, intuitive experiences that save time and avoid uncertainty. Winning software keeps users informed and in no doubt of what to expect next. Every interaction is designed to foster a sense of control.

With PSD2, consumers can expect a flood of new authentication prompts from a wide range of sources, both legitimate and fraudulent. That they will play a more active part in securing their money and personal data through SCA is no longer a matter for debate; they will. The real question is how financial institutions, payment providers and data aggregators can make the process easier for them.

Many organizations have warned that PSD2’s SCA requirements will hamper the adoption of digital channels and damage the payments ecosystem. Visa reported that 61% of the consumers it surveyed were willing to abandon an online purchase if additional steps were introduced at checkout. E-commerce Europe, a trade body, said: “mandating SCA as identified by the EBA...is likely to slow investments in innovation, prevent competition and ultimately offer worse online payment fraud protection to consumers.” Mastercard worried that “an intended fraud prevention technique, if not implemented correctly, could rapidly become a business prevention technique.”

It is entirely possible to speed up the adoption of digital channels with a low-friction, predictable means of approving payments and third-party access to accounts in real time. Well-engineered authentication of this kind is already on the market; it can boost trust in brands and channels, make customers more loyal, lower costs and open up new sources of revenue.

The lessons of 3-D Secure

3-D Secure, which provided a mass market mechanism for SCA of the kind PSD2 requires, offers us some lessons about how to square usability with security.

European consumers are already familiar with SCA, which became mandatory for many sensitive digital transactions once SEPA states implemented the EBA’s “Guidelines on the security of internet payments” of 2014 (EBA/GL/2014/12). The majority of online shoppers in the Benelux countries, Italy, Switzerland and the United Kingdom now secure their card-not-present purchases using 3-D Secure, a protocol designed as an additional security layer for online credit and debit card transactions, which was widely adopted as a result of the guidelines. Version 1 of the protocol exchanged XML messages; the current EMV 3-D Secure 2 specification uses JSON and was designed with PSD2’s SCA requirements in mind, including app-based and risk-based “frictionless” flows.

Merchants continue to resist 3-D Secure bitterly in more lightly regulated jurisdictions than the European Union. They believe that it introduces unnecessary friction during the critical last stage of the checkout process, increasing "shopping cart abandonment," to use an ugly phrase. Even in Europe, where it is by now a fact of life, consumers find most implementations frustratingly time-consuming and cumbersome.

When shoppers forget their 3-D Secure static password or find the process of entering an OTP too clumsy, they abandon their carts. Those less familiar with the process are often confused or apprehensive about the sudden redirect to an unsophisticated authentication screen with strange new logos. A pause in the transaction provides room for second thoughts.

These are problems for anyone who shops on a computer, but the frustration that people experience in securing payments at the desktop is multiplied when they attempt the same actions on a mobile device’s smaller touchscreen. That is a problem for service providers that have not optimized authentication for the mobile phone, and one that will grow more serious under PSD2.

Most digital exchanges that European consumers will have with financial institutions and third parties after PSD2 will take place on the mobile phone, which makes the example of 3-D Secure directly relevant to the problem at hand. There is, however, software on the market to deal with it.

When a bank can uniquely identify a customer-held mobile device by means of a digital certificate, and can ensure that only the device’s owner can read sensitive communications sent to it, it has the possession factor covered with no effort from the customer. The second factor can be a biometric (an inherence element) or a simple personal identification number (PIN) capture (a knowledge element). This combination achieves both the strong security the RTS calls for and a low-friction user experience: all the user has to do is touch a button in a simple interface on a secured device that they carry everywhere. One caveat: because the phone is a multi-purpose device, Article 9(3) of the RTS still requires the provider to mitigate the risk of the device itself being compromised, for example by running the authentication software in a separated secure execution environment and checking that it has not been tampered with.
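The following is an added illustration, not code from the original article and not Entersekt’s product, of how the possession factor described above works in practice, and of why it avoids the problem with SMS OTPs raised earlier: the device proves possession by signing the transaction it is asked to approve with a key that never leaves it, so there is no code to type into the payment channel and nothing useful for an attacker sitting in that channel to capture. Assumptions: the key pair is generated on the phone and its public key is registered with the bank at enrolment (a real deployment would carry it in the device certificate the text mentions); payee and amount are included in the signed message to satisfy the RTS’s dynamic-linking requirement (Article 5); the PIN or biometric that would unlock the key on the phone is not modelled; the device identifiers, IBAN and amounts are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Approval is what the device signs. Payee and amount bind the code to one payment
// (dynamic linking, RTS Article 5); string fields keep the struct comparable.
type Approval struct {
	DeviceID string `json:"device_id"`
	Nonce    string `json:"nonce"`  // server-issued, single use
	Payee    string `json:"payee"`  // e.g. the payee IBAN
	Amount   string `json:"amount"` // minor units, e.g. "12500" for EUR 125.00
	Currency string `json:"currency"`
}

// Bank keeps the public key registered per device at enrolment (in practice the
// key in the device certificate) and the challenges issued but not yet consumed.
type Bank struct {
	devices map[string]*ecdsa.PublicKey
	pending map[string]Approval // nonce -> the transaction it was issued for
}

func NewBank() *Bank {
	return &Bank{devices: map[string]*ecdsa.PublicKey{}, pending: map[string]Approval{}}
}

// Enrol binds a device identifier to its public key.
func (b *Bank) Enrol(deviceID string, pub *ecdsa.PublicKey) { b.devices[deviceID] = pub }

// Challenge issues the approval a device must sign for one payment.
func (b *Bank) Challenge(deviceID, payee, amount, currency string) (Approval, error) {
	if _, ok := b.devices[deviceID]; !ok {
		return Approval{}, errors.New("device not enrolled")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Approval{}, err
	}
	a := Approval{deviceID, hex.EncodeToString(nonce), payee, amount, currency}
	b.pending[a.Nonce] = a
	return a, nil
}

// digest is the hash both sides sign and verify, over the canonical JSON encoding.
func digest(a Approval) []byte {
	enc, _ := json.Marshal(a) // cannot fail for a struct of plain strings
	sum := sha256.Sum256(enc)
	return sum[:]
}

// Verify accepts an approval only if it matches an outstanding challenge exactly and
// verifies under the enrolled key; the nonce is then consumed so replays fail.
func (b *Bank) Verify(a Approval, sig []byte) error {
	pub, ok := b.devices[a.DeviceID]
	if !ok {
		return errors.New("device not enrolled")
	}
	issued, ok := b.pending[a.Nonce]
	if !ok {
		return errors.New("unknown or already used nonce")
	}
	if issued != a {
		return errors.New("approval differs from the transaction it was issued for")
	}
	if !ecdsa.VerifyASN1(pub, digest(a), sig) {
		return errors.New("signature does not verify under the enrolled device key")
	}
	delete(b.pending, a.Nonce)
	return nil
}

// Device is the customer's phone. The private key never leaves it; in a real app it
// sits in the platform keystore behind the PIN or biometric (the second factor).
type Device struct {
	ID   string
	priv *ecdsa.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign produces the authentication code for the approval shown to the user.
func (d *Device) Sign(a Approval) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(a))
}
```

To exercise it, enrol a Device's PublicKey with a Bank, ask the Bank for a Challenge, Sign it on the Device and hand the signature back to Verify. Three failure modes are worth trying: presenting the same signature twice (the nonce has been consumed), altering the amount after signing (the approval no longer matches what the bank issued, which is the attack SMS OTPs cannot prevent), and signing with a key the bank never enrolled (the signature does not verify). Only the last step of a genuine flow consumes the nonce, so a failed forgery does not lock the legitimate customer out of the pending payment.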

The future is built on trust

Once PSD2 comes fully into force, work will begin on annual updates and its eventual replacement by PSD3 in five years’ time. The RTS will be superseded by stricter regulations, many of which will be inspired by trends in other parts of the world or will take stock of the varying experiences of SEPA (Single Euro Payments Area) member-states as they grapple with the practicalities of PSD2, the General Data Protection Regulation and other mega-regulations. Banks and other service providers should invest in technology that will adjust to future revisions of the RTS.

Many FinTech companies say that “people need banking, not banks.” They have a point, but what people need more than banking is trust. With so many new payment platforms and financial service providers entering the wealth management market, where do people go to secure their identities, personal data and accounts with confidence?

Private banks have long maintained this function, which gives them an enormous advantage over non-traditional market entrants in the world of PSD2, but the lead of banks in general is slipping. A 2016 survey by PwC’s strategy consultancy found that the majority of Europeans (88%) already used third-party digital payment services and rated their security extremely highly; 82% were certain that PayPal, Amazon and other alternative payment providers transferred money as safely as their banks did.

Although banks held a large lead in the provision of banking apps, consumers were less convinced of their security: only 32% used banking apps, and 34% of those who did not cited security concerns that had yet to be addressed.

Figures like these neatly encapsulate the pitfalls and opportunities of open banking, especially for incumbents. Private banks could lose their grasp on "primary customer relationships" to interlopers and become “dumb pipes,” as they are called. On the other hand, if they respond to PSD2 with some ambition and long-range planning, they could become providers of attested information services and central cogs in the "value chain of payment initiation and account information delivery."

Once established as the trusted keepers of their customers’ digital assets, banks could become disruptive forces themselves. They might offer services beyond their traditional remit. Let us look forward to the day when your private bank serves its customers several times a day, in all sorts of new ways, but with a secured mobile app at the core of the relationship.

* Entersekt can be reached at info@entersekt.com
