Like many recent inventions, digital banking and e-commerce have made our lives substantially better. Designed to save time and money, they’ve empowered consumers, created thriving marketplaces and allowed businesses to embrace asset-light business models. Open banking was quick to follow, allowing consumers to benefit from better deals, gain access to new products and services, and have better control over their money.
But convenience breeds complacency. These time-saving innovations have started exposing consumers and businesses to previously unknown risks – and little has been done to secure online spaces, until recently. As consumers have become more familiar with the inherent risks of e-commerce fraud linked to phishing, another, lesser-known dark side of digital banking has been emerging. With open banking, it has become possible to defraud not only a consumer’s primary bank, but also their other chosen financial providers. As open banking takes off, the potential for fraud within fintech, e-commerce and banking organisations will only grow.
To tackle this threat, banking and e-commerce organisations have to modernise further, but this time under the watchful eye of European and UK regulators. Coming into force on 14 September, the Second Payment Services Directive (PSD2) is set to protect consumers from identity theft and asset takeovers. It is also taking regulatory compliance and technology challenges to a new level, turning into a strategic and operational challenge for many businesses. Practically, it means that new customers’ identities will have to be verified. But there’s another pain point that not even the banks saw coming.
In the past, it’s not been uncommon to have a joint account or credit card, with the identity of only one of the shared holders verified and known to a bank. This will have to stop under PSD2, and existing banking customers will also have to be re-authenticated. This will place a huge strain on even the most digitally forward-thinking institutions, which may have to re-authenticate the identities of millions of customers, as well as introduce much more stringent identity verification at the on-boarding stage. Overall, banks and FS companies must work hard to see the long-term gain, rather than simply trying to overcome the short-term pain.
Moreover, the incoming regulation means that banks and fintech businesses will have to authenticate every customer by at least two of the following criteria whenever they want to make an online transaction: something they have, something they are, and something only they know. This could include an ID document, a biometric identifier, and a security question, going beyond simply a card and a PIN – as is the current standard. This introduces an additional layer of security to defend against the threat of fraud as open banking grows and e-commerce volumes expand.