PSD2 has been on the horizon for some time. The frequent consultations on draft legislation have posed significant barriers for smaller firms seeking to map out its impact. Juggling the requirements of re-authorisation alongside other aspects of PSD2 such as implementation of new regulated products like AIS and PIS and revised security and risk management poses one of the most significant challenges for FinTechs and smaller firms.
While this may seem daunting, the tech-first approach at FinTechs means they are uniquely positioned to take advantage of AIS and PIS and open banking created by PSD2. This is complimented by their ability to develop new products that are compliant with the new PSD2 security and authentication requirements. FinTechs aPIre accustomed to utilising tech to enhance their business and as such are more than able to use open banking to their advantage.
How the FinTech industry overall will use this to their benefit remains to be seen, but at Paybase we strongly believe that a tech-first mindset will allow FinTechs to excel in comparison to traditional payments and banking institutions.
Given the streamlined workforce at many FinTechs, preparation for and implementation of PSD2 will require a whole-business approach. The entire organisation will contribute to the analysis of PSD2’s business impact and potential opportunities. When product, sales, compliance and legal and tech are all working together to understand the problem, ideas for how to meet and leverage the requirements result in substantial positive change for the business. This thorough understanding of the requirement will lead to innovative fraud ratio management and strong customer authentication.
FinTechs are well positioned to create tech-smart solutions to the new regulatory requirements with a view to growing their business given they meet many of the new requirements already. In contrast, larger organisations often rely on a more siloed team to implement requirements and will find it harder to identify optimal tech and business solutions..
At Paybase we hosted a hackathon where everyone contributed ideas for utilising the PSD2 re-authorisation and implementation process. There were endless ideas for growth and diversification, including several that are easy to implement through our existing business development strategy.
Development of proprietary Tech:
Although small FinTechs may have limited resources they have more flexibility to create innovative solutions tailored to their business. This is a considerable advantage as they can develop products that allow them to grow and diversify. It would not be a great leap to convert these products into marketable tech. Firms should ask themselves if they can leverage their expertise to create innovative solutions for: strong customer authentication, open banking connectivity, risk calculation, transaction fraud management, AIS or PIS. As part of the product development process a review should be undertaken to see if these products can be marketable as a white label solution.
As a small, agile FinTech, we are able to incorporate the required security, data, and risk features as dictated by the EBA into all of our internally developed products while actively looking at what open banking, AIS and PIS mean for a firm like ours. This means our products are not only beneficial internally but can be offered as a marketable offering without significant resource.
Easily expanded regulatory opportunities:
The fast paced nature of FinTech means firms are able to simultaneously improve internal systems while enhancing functionality for customers. When analysing the re-authorisation requirements, FinTechs should conduct a considered review of the AIS and PIS services. This is especially important as the cost of variation of permission is minimal. By obtaining this additional authorisation, in many cases firms can either offer their consumers a complementary product, or simply enhance their pre-existing product.
Giving FinTechs and other firms access to customer information held by other financial institutions creates potential for customers to get improved services at a reduced cost. The availability of information may minimise the competitive advantage of banks compared to new entrants to the market, in accordance with one of the central PSD2 objectives to foster competition. Firms across the financial services sector should be aware of the opportunities that open banking can offer. It is important, however, that firms ensure that where they offer accounts to customers, they have reviewed the open banking requirements as applicable to their own firms. Even small FinTechs may need to expose account data via an API to other firms.
One of the challenges that open banking poses for banks is offering a single API into the numerous legacy systems that they utilise. While banks will struggle to offer this, other firms will be looking at the fastest ways to connect to the numerous APIs that will become available. In order to leverage open banking, firms need to ensure they are able to integrate and use this information in a considered and intelligent way, not just collect it.
Connecting to other financial institutions to collect data will not only create a potentially marketable solution, but will allow firms to leverage this data to deter financial crime, manage customer risk, and offer a better service to customers. At FinTechs, whose systems were built with PSD2 in mind, the focus is on how to best utilise the opportunities open banking provides, rather than simply seeking to meet the requirements.
Payment Initiation Service
Breaking with the traditional card scheme model, PIS is expected to offer customers a more affordable and secure way to make payments online directly through their online banking. This is subject to strong customer authentication much like other aspects of an EMI or PI service under PSD2. While consumers will still have the burden of entering identifying information, they will have the comfort that, unlike today, this will be subject to strict security authentication measures. This process will improve customer experience as the requirements for 3DS and AVS checks are removed.
FinTechs, which are often EMIs and PIs, are well-placed when it comes to offering a PIS solution. They are already looking at ways to move away from traditional banking and payments models while considering customer experience in a secure and cost-effective way. The firms that manage to connect most efficiently to banks and other financial institutions will be the ones who are in the best position to utilise this payment method, making FinTechs particularly suited to lead in the world of PIS.
Account Information Service
Offering an AIS solution will allow firms to capitalise on information that banks and other institutions make. Firms, as AIS providers, will be able to create solutions promoting the best available options when it comes to financial services, insurance, and pensions products; ultimately benefiting their customers. This information in conjunction with FinTechs’ own account data will allow solutions to be targeted to specific customer needs. In turn, customers will no longer need to filter through vast swathes of promotions, offers, and other information, and can quickly find the best solution for them. Additional services such as location based promotions or spending management are already offered through some FinTechs and will be enhanced by the extra information available through AIS making it a sensible step to take in their re-authorisation.
Key distinguishing requirements for AIS and PIS services in addition to normal eMoney re-authorisation include:
- Professional Indemnity insurance or other similar guarantee Article 5(4) of Directive (EU) 2015/2366.
- This will need to be evidenced by supplying the contract or other equivalent document.
- The calculation as to why the amount is sufficient with reference to the EBA guidelines.
- Differentiating how data is to be collected and used from our normal eMoney product offering – EBA guideline 10
Security at the forefront:
Evolving security guidance is already something firms should consider regularly, so the PSD2 legislative impact should not be a significant challenge. FinTechs, however, have the advantage of being tech and security aware from day one. Especially as systems at FinTechs are often built internally and can be adjusted and improved with ease.
Strong Customer Authentication (SCA)
SCA means the use of two or more identification elements categorised as knowledge (i.e. something only the user knows), possession (i.e. something only the user possesses), and inherence (i.e. something the user is) to authenticate a user. This is applicable when accessing any online payment account (AIS/PIS), when performing any action through a remote channel that may present risk of fraud or other abuse, and even on transactions themselves, with the overall aim of reducing fraud.
Ensuring that customers’ transactions and accounts are safe while offering enhanced services is key to the competitive advantage that FinTechs have over more traditional institutions. By using innovative solutions to manage their financial crime risk, FinTechs not only keep their customers safe but may reduce the requirement for SCA. Only in specific instances will SCA not be required. This could be in situations where the transactions are low value or low risk and/or if the firm’s fraud ratios are sufficiently low.
In order to meet the exemptions some FinTechs have developed unique solutions by building proprietary transaction monitoring and risk matrix systems. Using technology to perform CDD and risk assessments, and removing the element of human error, means there will be more consistent calculation of risk, reducing rates of online fraud. The use of technology in this capacity will benefit customers and may lead them to turn to more secure solutions when looking for a banking or payments product.
Traditional firms will have to work hard to introduce solutions to meet the basic requirements and to develop solutions that protect their customers when legacy systems may not be compatible.
FinTechs need to ensure that they have the right technical structure and internal governance and processes to manage this impact. The new requirements will mean firms need to review their information security and risk management processes, including:
- Ensuring security policies and procedures relating to payment services include risk assessments with details of security controls and mitigants.
- Developing effective processes to monitor and manage customer complaints related to security.
- Demonstrating that IT systems and processes are considered in risk management including: business continuity, loss of key data or lack of access to premises.
- Access level management including the ability to track and restrict access to sensitive payment information.
While these requirements should have been incorporated to some degree at established firms, their outdated systems mean FinTechs have the advantage. The most challenging aspect will be ensuring that there is sufficient governance around implementing and adjusting policies to demonstrate compliance with the requirements.
FinTechs thrive in their ability to dynamically and intelligently calculate risk in near real time across their entire business. This contrasts starkly with larger firms who may struggle to create a truly comprehensive risk management framework because of their legacy systems and size constraints. These deficiencies will not only make it more difficult to meet the risk assessment requirements of PSD2, but also to manage risk more generally across the firm.
PSD2 requires firms to establish the following:
- A comprehensive risk management framework to identify and classify risks affecting the services they provide including product, geography, customer, channel, etc.
- Risk management including how to identify ways to reduce and manage risk
- Ability to identify new and emerging risks
At Paybase we are looking to not only calculate risk on a partner or customer basis but to ensure our machine learning algorithms consider risks across our Platform and across our Partners.
Overall FinTechs are uniquely positioned to leverage their technical expertise not only to capitalise on open banking, AIS and PIS, but also to offer an improved service to their consumers. Ultimately, consumer benefit from increased competition is the objective of PSD2, and firms stand to gain from the level playing field that it will create. The new legislation means businesses that offer secure and risk-focused tech solutions will reap the most benefit. This is where the FinTech industry has a significant competitive advantage. As a result we may see FinTechs compete directly with the banks.
Written by Danielle Herndon, Head of Compliance at Paybase