Modern financial institutions that want to guarantee their legal compliance face a myriad of regulations, each with explicit requirements to follow. While it is usually very clear what is required of these organisations and what the ultimate goal of each regulation is, the regulations neglect to explain exactly how to achieve that goal or to set out a clear roadmap for getting there.
The advent of PSD2 is a case in point: the legislation brought with it the necessity for more secure authentication schemes and open APIs, yet it was not accompanied by guidance on how to realise these obligations. This has left some financial institutions in something of a predicament. Third-party groups, however, have taken advantage of the opportunity by forming new advisory groups, each with its own approach to guaranteeing PSD2 compliance, for example The Berlin Group, the Financial Data Exchange (FDX) and the Open Bank Project.
At the moment there are three main authentication schemes in use. The first, redirect authentication, is when the consumer goes to a third party and, when asked to provide consent, is redirected to the holder of the data, logging in via a page branded by their bank or payment provider.
Decoupled authentication is slightly different: the customer provides approval via a separate channel, detached from the one in which they are dealing with the third party. An example would be a push notification sent from their banking app when they are granting access to their bank account.
Lastly, embedded authentication is when the third party collects the customer's security credentials and passes them on to the financial institution. This method does not work with device-based authentication, however, because the underlying organisation has no visibility of the device the customer is operating.
This is especially challenging for international banks that operate on a global scale, because they must be able to provide each of the separate authentication schemes described above, and also offer them across all of the third-party groups now providing PSD2 advisory services.
Consequently, global banks are navigating a uniquely complicated policy environment within which all of the nine possible methods of authentication are even further compounded depending on their whereabouts or current situation. Furthermore, for each country the organisation operates in, there could be discrepancies in how the regulations are construed, which further impedes a coordinated strategy.
It’s important to clarify that the burgeoning number of possible authentication methods along with the lack of direction from regulators is not the main problem. The real issue is that a majority of these international banks are relying completely on a human policy manager to cope with increasing regulatory requirements. What this means is valuable knowledge is held in the hands of a small team or individual.
A lot of the time these people possess insider knowledge, which brings with it the added risk of someone taking a multitude of crucial information with them if they were to leave the company.
Banks can overcome this problem by stepping away from human policy managers and instead developing more technologically advanced policy managers, which ensure transparency and allow departments from across the organisation to provide their own input. Of course, it is not only the IT experts who are obliged to review internal policies such as these and confirm that proper protocol is being followed. Regulation touches departments from Marketing right through to Risk & Compliance.
The digital-first challenger banks, which have broken ground over the last ten years, are actually far better placed to cope with these problems because most of their existing infrastructure practices are extremely agile and flexible. It is therefore the older, more established banks that are running into real stumbling blocks.
The only way they will be able to overcome these barriers and remain competitive – as well as stay up to date and compliant with the stream of regulations impacting the financial industry – is by future-proofing their internal policies using new technologies.
If banks fail to get this right the people who will ultimately suffer are the customers. If bigger banks don’t rethink their approach to PSD2 implementation, then they are at a huge risk of damaging the customer experience. What they need to achieve is a high level of regulatory compliance alongside the security of information that could reveal their customers’ digital identities, whilst ensuring that users can carry on with their digital lives seamlessly.
This target can be reached by using advanced AI and machine learning to create a policy manager that can learn and adapt in a live environment. By taking a flexible attitude towards financial legislation, banks can deal with any new updates that come their way with minimal disruption for both the business and the customer.