PSD2 APIs: What Can the Industry Do to Counter Fraud Threats?
This is the second in a two-part series exploring the fraud threats associated with PSD2 & Open Banking, and the actions that FI’s can take to address these threats.
As we all anticipated, the new fraud threats that may arrive on the scene with the implantation of new PSD2 APIs will require their own special handling due to their complexity. As is usually the case, there is not a panacea for fighting new fraud threats, no matter the origin, and the fact that a multi-layered approach is required should be no surprise. But there is more to solving these challenges beyond the narrow approach that we may be currently taking.
Firstly, FIs should work together as an industry, including the new Third-Party Providers (TPPs), to provide clear education and messaging to the customer so that they are aware of the scams to watch out for. This should include ensuring there is an independent method of customers being able to identify genuine TPPs and those that are authorised, where appropriate for example. in the EU.
FIs should support providing APIs, even where they are not under regulatory pressure to do so, e.g. non-payment accounts in the EU. This should be replacing screen scrapping rather than just blocking these services. This will help reduce the social engineering aspects around credential sharing, as well as provide a new source of income.
There should be encouragement for TPPs to implement similar layered fraud prevention systems as traditional FIs, e.g. Device Profiling, malware detection, behavioural biometrics at customer endpoints, along with sophisticated fraud profiling and advanced analytics.
FI’s would also do well not to annoy customers with clearly blanket policies around authentication and have risk-based models for TPPs when undertaking authentication to support a sensible customer message.
This should include sharing best practices and data in the fraud and security space to reduce fraud in the overall ecosystem. This should be accomplished via industry bodies, such as UK Finance in the UK or via consortiums of the fraud solutions suppliers. Such solutions might include such things as details of known bad devices for example or known mule accounts. This effort should be further expanded to build out clear liability models and processes to encourage best practice and reduce costs in the overall system.Build Out Fraud Profiling Platforms
What are the key actions for financial institutions? Firstly, FIs should build out their fraud profiling platforms to treat Open Banking transactions as a separate channel, whilst ensuring the system sees as many transactions (preferably all) the customer makes as possible. This means building bespoke models and journeys for these new transaction types, while preventing the creation of silos, as has happened previously.
Additionally, FIs should increase the data available to these systems to include Device Profiling, malware detection, and behavioural biometrics, as well as data on the TPPs themselves. In the EU, they should also consider using PSD2 as a legal justification under GDPR to capture customer location and other data to aid fraud prevention.
In Europe, utilising the PSD2 Strong Customer Authentication (SCA) exemptions, will also be important, both in reducing friction for customers, but to ensure the full weight of fraud controls and referrals fall on the highest risk transactions, improving efficiency and reducing costs.
Fraud profiling should also be expanded to cover the TPPs themselves, e.g. ‘What risk does this TPP pose based on the behaviour seen?’ This should be updated in real time and can then be used within models. It can also be applied to check the certificates validating a TPP’s identify and right to offer the services, based on the risk. This will become important when there are hundreds of TPPs, in order to reduce cost and latency.
In order to win the battle against new fraud threats, financial institutions will need to have in place reporting and monitoring of Open Banking transactions, to provide insight into how they are being used and abused, looking for anomalies along with understanding any new fraud typologies. This is important to understand if there are any attacks and to know where to prioritise development and resources. As part of this understanding, undertaking Red Team exercises on known and potential Open Banking use cases is a good idea. This will allow organisations to build out potential controls in the event of future attacks.
Banks and FI’s might also consider making good use of Open Banking by becoming TPPs themselves. Many of the UK Banks, such as Lloyds and Barclays, have already started to do this. This could help them identify fraud and reduce false positives, if they can see all of a customer’s accounts across the industry. This will also help them to think like a TPP, which will be useful in preventing fraud via TPPs. They should also look at other opportunities from Open Banking, such as becoming a trusted source of identity, to underpin Open Banking.
As I have explained, there are real fraud issues that must be addressed, but there are also ways to enjoy the benefits that Open Banking has to offer customers and FIs. There are activities individual organisations can do themselves, but all parties in the eco-system should join together to help secure these benefits for all.