IMPACT OF NEW REGULATIONS/ LATEST DEVELOPMENTS IN PSD2, OPEN BANKING & GDPR
PSD2: Strong Authentication in the Customer Journey
PSD2 is about introducing innovation and competition in the market. Innovation will succeed if the customer journey is satisfying. The authentication part is going to play a major role in the customer journey. There are two ways in which authentication is going to be implemented:
- The redirection model: the customer journey starts on the TPP interface and is essentially web based. When the user must authenticate, he is redirected to the bank's user interface for that purpose, and then redirected back to the TPP interface to complete the journey.
- The decoupled model: the user journey starts, for example, on a PC up to the point of authentication. A push notification is then sent to his smartphone, where he authenticates using his bank's application. This model uses two devices: one where he transacts and one where he authenticates.
There are benefits and inconveniences using these approaches:
- Advantages: it allows the bank to reuse what it is going to put in place anyway to authenticate its users. It also scales, in the sense that the bank is not dependent on any other party to put the method in place. It is in line with current industry practice, because wherever you authenticate, you use the interface offered by the service itself. Banks are trusted by consumers, who prefer to authenticate with the party they trust.
- Disadvantages: if things are poorly integrated, the user might, from time to time, need to take three different devices and do something different with each one in order to access his accounts. This is problematic because every additional click is a chance for the consumer to abandon.
In order to manage the customer journey, biometry is going to help, especially in the decoupled model. It can simplify the user journey to a great extent: you could have a one-step authentication, whereas OTPs introduce a three-step authentication. But biometry alone isn't enough, because you still must prove possession of the device, which requires cryptography.
The European Commission introduced a last-minute change with the notion of obstacles: there shouldn't be obstacles in the customer journey. There are two other models of authentication:
- The embedded model: the user journey takes place entirely in the TPP interface, on one or two screens. You are on the TPP interface, but you are authenticated by the bank. It's simple to implement but not in line with customer education, since customers are taught never to enter their credentials into other platforms.
- The delegated model: it’s entirely in the user interface of the TPP but this time, the authentication is done by the TPP itself. But how does the TPP convey to the bank that the authentication was done properly according to its security policy? Besides that, in case of fraud, the bank is responsible.
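The decoupled model and the remark that biometry alone does not prove possession can be made concrete with a small simulation. This is an added example, not code from the talk or from any of the vendors named on this page; it assumes a device-bound Ed25519 key enrolled at the bank, a random per-session challenge, and a local biometric unlock that merely gates use of the private key on the phone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Challenge is issued by the bank for one authentication session started on the
// first device (e.g. a PC) and must be answered from the second device (the phone).
type Challenge struct {
	SessionID string
	Nonce     []byte
}

// Bank holds, per user, the public half of the device-bound key registered at enrollment.
type Bank struct{ devices map[string]ed25519.PublicKey }

func NewBank() *Bank { return &Bank{devices: map[string]ed25519.PublicKey{}} }

func (b *Bank) Enroll(user string, pub ed25519.PublicKey) { b.devices[user] = pub }

// NewChallenge binds a fresh random nonce to the session so a signature cannot be replayed.
func (b *Bank) NewChallenge(sessionID string) Challenge {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return Challenge{SessionID: sessionID, Nonce: n}
}

// Verify accepts only a signature over this exact challenge by the enrolled device key.
// A "biometric succeeded" flag never leaves the phone and is not proof of anything here.
func (b *Bank) Verify(user string, c Challenge, sig []byte) bool {
	pub, ok := b.devices[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challengeBytes(c), sig)
}

func challengeBytes(c Challenge) []byte { return append([]byte(c.SessionID+"|"), c.Nonce...) }

// Device keeps the private key on the phone; the biometric unlock only gates its use.
type Device struct{ priv ed25519.PrivateKey }

// Approve signs the challenge if the local biometric check passed (hypothetical flag).
func (d Device) Approve(c Challenge, biometricOK bool) ([]byte, bool) {
	if !biometricOK {
		return nil, false
	}
	return ed25519.Sign(d.priv, challengeBytes(c)), true
}
```

Possession is demonstrated by the signature, which only the enrolled phone can produce; the biometric result by itself would be trivially forgeable by any client.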
Impacts of PSD2's Strong Customer Authentication Requirements on e-Commerce and the Mastercard Digital Security Roadmap
Mastercard is currently looking at three types of KPIs:
- Reducing as much as possible the abandonment rate for card-not-present (CNP) transactions. The abandonment rate is about 20% in Europe, so it is one of the biggest challenges.
- Comparing approval rates during the payment flow. There is a big difference between the physical environment and the virtual environment.
- The level of fraud experienced is about ten times higher in the virtual environment than in the physical one.
To achieve those goals, Mastercard defined four main actions:
- Leverage the SCA exemptions
- Launch and develop biometric authentication
- Even if exemptions are leveraged, the issuer will always be able to make the final decision: accept the acquirer's exemption, or step up and go through a challenged transaction.
- By leveraging the EMV 3DS specifications, much more information will be sent by the merchants to the issuers. Mastercard will derive risk scores from the data carried in the authentication messages and in the authorization flow for the payment.
A few challenges are encountered by the company:
- A large majority of issuers said that if EMV 3DS isn't used and the authentication process isn't leveraged, they will systematically decline.
- About 75% of merchants have never heard of PSD2 and the SCA requirements, which is a major problem. Mastercard manages the top 50 to 100 largest merchants, but what about the other ones?
- About 20% of all e-commerce transactions will be off-session transactions.
- Mastercard is still questioning the EBA about SMS OTP: should it be accepted for strong authentication together with card data, or should other types of authentication methods be used?
- Up to 75% of authentications fail because of card holders not being enrolled.
Open Banking Producers, Distributors, Aggregators: Mobey Forum Charts Strategic Options for Banks in the Post-PSD2 Age
Open banking is a philosophy and a transformation. At the end of the day, you will need the customer's consent to do many of the things involved in those regulations, and for that you will need to excite them. What role will you be able to play in this new environment that allows you to change the way you compete? We can look at this in terms of two positions:
- Product and services: 3 roles, the bank as usual, a distributor and a producer:
  - Bank as usual: you keep the status quo, provide the APIs required by the PSD2 regulation and stop there. It's not a very sustainable proposition; if you choose it, it needs to be a conscious decision.
  - Distributor: you aggregate other parties' products and services in order to keep control of the user experience.
  - Producer: how can you increase your channels, leverage one of the Fintechs and use them to serve your purpose and increase your reach?
- Information services: 3 roles, bank as usual, integrator or information provider:
  - Bank as usual: same situation as previously mentioned.
  - Integrator: you aggregate data to provide additional services and information to other parties. You need to start thinking beyond banking data: when you think about users, you need to provide additional information.
  - Information provider: there are a lot of initiatives in the industry to become the platform of choice for good developers.
Speakers: Alain MARTIN, GEMALTO; Fernand COLLAT, MASTERCARD; and Luis RODRIGUEZ, MOBEY FORUM