PSD2 and Two-factor Authentication: A Double Security Challenge

September 14, 2019 is rapidly approaching, and with it the full mandate of PSD2: open banking will continue to make inroads into the financial fabric of society. While the full realisation of this concept provides opportunity to innovators, it also represents a unique privacy challenge.

An Opportunity for Innovation

Opening up a stolid market by allowing consumers to migrate their accounts and financial information between institutions provides a unique opportunity for new ideas and solutions to thrive. Organisations which have invested well in new platforms and have been quick to adapt to technological change can capitalise on an unusual combination of new solutions provided by a trusted institution. No longer are banks restricted to simple accounting; now they can more actively manage the full spectrum of wealth for their constituents. But with that opportunity comes an inherent challenge — how can financial organisations capitalise on this moment without presenting unnecessary risk to their clients?

A Challenge for Consumer Privacy

Historically, financial institutions have long had stringent requirements for the protection of customer data. (Unlike the recent raft of social media companies which have come under public scrutiny, their business model does not rely on selling customer data.) With the advent of PSD2 and open banking, however, these long-held views require more consideration.

At its core, open banking seeks to provide freedom for customers to migrate between financial offerings. In the past, they might have felt locked-in to a particular institution, forced through historical inertia to remain with their bank or investment firm due to the high cost of switching. Through mandates that affect implementation details such as APIs, strong authentication of the consumer, and overall security, consumers are empowered to choose the best offering for them rather than merely maintaining the status quo.

The implications of these changes should give pause to organisations who understand them. They signify a potential increase in both the quantity and quality of personal data that must be stewarded. Institutions that play a role in any significant transactions must now be able to verify individuals through biometric markers and other sensitive data. This level of information requires significantly more protection than mere personally identifiable information: it lies at the core of consumers’ identity.

Despite this increased responsibility, these changes are welcome because they enable consumer ownership of finance through choice and consent. But choice and consent are not as easy to come by as they might seem. Ironically, even while strong authentication protects the consumer, it also necessitates the collection of ever-more-sensitive data, and so the privacy challenges mount.

The ability to protect personal data, financial information, and biometric markers is only as effective as the consumer's level of understanding, as illustrated by the recent narrative surrounding FaceApp. Users happily traded rights to their own portraits in exchange for a vision of what their visage might look like in the future. A quick glance at the actual privacy terms reveals that they were likely uneducated as to what exchange they were actually making. Users were granting FaceApp

“ . . . a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you . . .”

. . . a remarkable exchange for a whimsical glimpse of a possible visage to come.

This incident highlights the privacy challenge behind open banking and a well-rounded implementation of PSD2: not merely protecting users’ data — the volume and sensitivity of which increase through the need for strong authentication — but also ensuring that end users comprehend the implications of their choices. So the privacy challenge that lies ahead is twofold: it is both technological, requiring responsible protection of sensitive data, and sociological, learning lessons about education and consent from other initiatives such as the GDPR in order to clearly empower consumers to make good choices.

As open banking becomes normative with regulations such as PSD2 coming into full effect, organisations will do well to embrace the opportunity to expand their market reach while still proving themselves worthy of consumer trust by thoughtfully providing protections for the end consumer — in ways that are easily understood and that promote good choices.