PSD2 APIs: Are You Ready to Take on New Fraud Threats?
March 29th, 2019
This is the first in a two-part series, that will explore the fraud threats associated with PSD2 & Open Banking and what FI’s can do to address these threats.
We recently passed the March 14th date that dictated that all the relevant Payment Service Providers (PSPs) in the EU must have their Payment Services Directive (PSD2) APIs available for external testing, ahead of the deadline for going live on the on September 14, and along with the additional requirement of Strong Customer Authentication (SCA) exemptions. Some recent research suggests that only 59% of FIs surveyed actually hit this target.
With these new APIs, some of which are already live in the UK under Open Banking, come new fraud threats. Open Banking will start to have a greater impact on fraud, both for customers, financial institutions and the fraudsters, however, the full impact may take longer to materialise. This is because the use cases to drive the most transformational change, large volumes of third party initiated payments (PIS), need to be in place for customers to fully adopt Open Banking.
So, what are these threats?
Firstly, Open Banking is another vector for social engineering, a way to confuse customers into handing over credentials or data to fraudsters. This certainly muddies the clear message that banks previously sent to customers, which was not to share your bank credentials with anyone.
However, there are more complex threats than simple social engineering. It’s perfectly possible we will see either an outright fraudulent Third-Party Provider (TPP) fronting themselves as the financial institution, or one that is hacked or socially engineered in some fashion. And this could result in fraudulent payments, account takeover (ACTO) and even more data compromises to facilitate ID Theft.
Open Banking will also have a direct negative impact on a financial institution’s ability to undertake fraud profiling. This is because, instead of having full control of the end to end journey via their website or app, the FI will only see the customer’s end point (e.g. laptop or, mobile device) at one or two points in the journey. This makes it much harder to manage as they move from continuous authentication to a point-in-time model.
Further, we will see a shift in transaction types, away from cards for e-commerce transactions (potentially at POS too), to increased real-time push payments for purchases at merchants. This shift will impact the fraud profiling models used by FI’s and will take time for this to catch up with the highly mature models currently in place for both cards and payments over the different rails today.
What all these threats create are the following problems:
- Increase the overall fraud in the system
- Make frauds harder to spot
- Place additional costs on traditional FIs to manage fraud.
- Make it more difficult for banks to reclaim fraud from other parties in the ecosystem
Unlike card networks with clear rules on liability and methods for issuers to easily reclaim funds from other participants, e.g. merchants there is no clear model to do this with Open Banking. Financial institutions are going to be the customer’s first port of call when a fraud has occurred, and in the EU FIs will be obliged to refund unauthorised transactions immediately, even where this occurred through a TPP and increasing the overheads on contact centers.
Whilst regulators support banks recovering funds from TPPs who are at fault, this could be costly and assumes they have the capital or insurance to support refunds on a large scale. This may not be the case. In countries like the UK with ‘Free’ in credit banking Open Banking is likely to be the death knell for free accounts. Elsewhere it also likely to push up costs of the underlying bank accounts to cover the costs of fraud.
It is also likely there will be more than a few squabbles over the levels of authentication in place for transactions via TPPs. FIs will try to add friction (where they can from a regulatory perspective), whilst TPPs will be trying to reduce this friction. FIs won’t want to support embedded authentication, where they may receive no customer end data, relying instead on redirection and de-coupled approaches to authorising TPP transactions.
We are at the start of Open Banking, so it is clear that there will be new fraud threats from as yet understood business models and use cases of Open Banking, as was the case with e-commerce previously. There are still the “unknown unknowns.”
In the second part of this series, I’ll explain the actions that FI’s can take to mitigate these threats.