PSD2 and its bylaws: Security, Authorization and the Future
PSD2 opened up the financial sector to a myriad of private fintechs, rushing in to take advantage of banks' and credit unions' APIs now being made available to them. While this boom in the third-party financial services provider market has all the hallmarks of being a gift to both customers and financial institutions, there are certain issues related to fraud prevention, general security and risk management that need to be addressed before a fintech can take advantage of open banking.
Who is Who and Who Does What?
Newcomers must undertake certain steps to be authorized to work under PSD2 (or reauthorized, if it's a preexisting company), including proving that their operational and security risk management is not only in place but also satisfies the guidelines set by the EBA, the European Banking Authority. So who must make sure they are PSD2 compliant? Banks and credit unions, of course. But these requirements also apply to various payment institutions and payment initiation service providers, e-money issuers and agents, and building societies, as well as all consumer and trade bodies, retailers, micro-enterprises and, of course, anyone involved with open banking initiatives.
The EBA's PSD2 guidelines present clear technical standards for security measures vital to open banking, such as strong customer authentication as well as open standards of communication.
Communication is, of course, key: there needs to be a secure and effective exchange of information between various third-party providers and customer account providers, as well as a channel of communication that keeps the customer informed of all goings-on and allows them to provide or revoke consent.
Safe as Houses
The security measures PSD2-compliant fintechs must have in place need to be able to detect, react to and prevent a spectrum of potential threats to both the company's premises and its data center's physical location.
They also need to apply the same actions to the company's online services, from user data gathering to payments. And while physical location security is an important segment, priority is given to information security.
This prioritization of information is, of course, perfectly understandable since the main area PSD2 affects is online banking and online payments services. But it also brings its own sets of concerns: for example, increases in online fraud prevention require banks and fintechs to ask for more information from their customers for verification purposes.
Authorization Is the Way
Requirements are many and include management providing proof of professional competence, detailed information on the fintech's business model and business plan, and detailed documentation of the company's security standards when handling sensitive customer and account data, as well as process documentation for crisis management and customer complaints handling.
There is, however, another option: a fintech could join a provider that already has an appropriate authorization. This would allow the newcomer company to comply with all the requirements and avoid the complicated application procedure, jumping into the open banking arena headfirst.
Security is Not the End
Information security is not the only requirement for the stamp of EBA approval. There is also the assessment of a fintech's operational (that is, not IT-related) risk management. During this process, the auditor will take stock of the company's risk management and mitigation measures. These assessments, both operational risk and security risk assessments, should ideally be performed on a regular basis. In essence, we're talking about yearly checkups here, just like you visiting your doctor.
While the various technical standards required by the EBA affect the security of both user data and their transactions, they also provide all PSD2-authorized third-party providers with an excellent platform that allows them to compete in the growing banking and payments services market. There is also the matter of added value for fintechs' customers, not to mention the fact that any upheavals and disruptions in any field always lead to innovation: in this case, to various improvements in payment functionality and security, as well as to additional services.