14 March 2019 – the PSD2 clock is ticking: Customer identification is the key

29.01.19 | Author : Thomas Widmann
Published in it-finanzmagazin.de

The eagerness of financial service providers to make their interfaces available to third-party providers is limited. Maybe it’s because they’re struggling with various PSD2 issues and problems that may be easier to solve. It has now taken a year longer than the EU had originally planned, and not all financial service providers are online yet.

The PSD2 becomes mandatory. But you don’t hear much about the advantages. The EU standardization has advantages for everyone:

  • Money transfers in Germany and Europe become more convenient, cheaper, more secure and more mobile.
  • New payment and settlement options are created; plastic credit cards or customer cards and even cash could slowly disappear.
  • Financial service providers are taking the important step away from an ‘account-oriented view’ towards a ‘customer and individualistic view’ in order to identify customers and thus precisely control access to accounts. In addition, a financial service provider can create a significantly better customer experience and design new business models.
  • More uniform bank APIs are created that promote interoperability between financial service providers and third parties, including other financial service providers.
  • Financial service providers could successively consolidate their historically grown IT systems.

The last three points, especially, need a clear focus, because these advantages do not come free of cost.

For this reason, financial services providers should keep a close eye on the level of vertical integration in their IT, because now is the time when a jump into the cloud and the use of such platforms and services can save a lot of time and money.

Secure and unique customer identification (BaFin) combined with a user experience that is as service-oriented as possible will be the key to success in the competition between payment service providers, banks and savings banks. Since financial service providers are not the first to provide secure and modern APIs to third parties and require secure customer identification, others have already worked ahead and there are platforms, services and standards that enable rapid implementation of PSD2.

PSD2 ... the time is nearing: 14 March 2019

A PSD2-compliant authentication solution must now be deployed by September 2019. This means that organizations must be able to prove their compliance with the policy to the regulatory authorities at this point in time in accordance with Art. 30 §3-§5 and Art. 33 §6(c).

But as early as March 14, 2019, the implementation of the Payment Services Directive (PSD2) will enter a hot phase: “Until then, payment services must provide a test environment for their technical interfaces, including documentation, for account information and payment initiation services.”

In plain language, this means that those who have not already changed their IT systems accordingly should urgently look for a partner who can immediately integrate professional customer identity and access management into the existing structures.

This is the only way for banks and savings banks to comply with the obligation to provide third-party providers (TPPs) with interfaces (APIs) that grant access to bank data.

The central point of the tool that a company chooses can be clearly stated: Strong authentication of the identity must be guaranteed.

This strong authentication plays a special role in the context of PSD2. It is required, for example, when the payer triggers an electronic payment transaction or when he accesses his payment account online. The Regulatory Technical Standards (RTS) of the European Banking Authority specify which requirements must be met with regard to strong customer authentication (SCA).

The strong customer authentication requirement of PSD2 calls for authentication that consists of not one but at least two elements. These elements must come from two of the three categories of knowledge, possession, and inherence. An example that BaFin cites here is the mobile phone for the category “possession”. The possession of the telephone can be proved, for example, by entering a transaction number (TAN) that was sent to the telephone by SMS. Elements of the category “inherence” are personally or physically inherent to the user, for example his fingerprint.

Such an authentication solution must meet numerous requirements. Professional Customer Identity and Access Management tools provide:

  • Reliable end device detection
  • Location-based recognition during registration and login
  • Address checks during customer registration
  • Management of login/registration UIs
  • Continuous profiling of user actions
  • Two-factor authentication through biometric procedures
  • Very good overview of user behaviour via dashboards and reports

In addition, with strong, reliable authentication, TAN-based legitimization checks will soon be a thing of the past, because in conjunction with downstream fraud detection systems, customer behavior is well-validated and fraud has no chance.

Thomas Widmann, founder and CEO of WidasConcepts, completed his studies in business informatics at the University of Applied Sciences Karlsruhe – Technology and Business. After graduation, he worked for several years as a project manager and IT architect for well-known companies in the financial sector. Widmann is the author of numerous technical papers as well as a speaker at various IT conferences.