2022 Market Guide for Identity Proofing and Affirmation
Get the Guide
X
arrow Back to Compliance & Regulations

PSD2 Compliance and Online Identity Verification

Achieve strong customer authentication (SCA) for PSD2 compliance regulatory requirements with AI-powered online identity verification.
Get the Compliance Made Simple E-Book

What is PSD2 Compliance?

PSD2 is the second iteration of the Payment Services Directive (PSD) implemented by the European Union and it affects both individual consumers and businesses. PSD2 enables bank customers to use third-party providers to manage their finances. The regulation went live in January 2018 and has implications for all companies and financial institutions in Europe that deal with payments, ranging from how to regulate the emergence of Third Party Providers (TPPs) to the need for strong customer authentication (SCA).

Who is Impacted by PSD2 Regulations?

The rules and guidelines of PSD2 apply to modern payment services, including banks, credit unions, fintech companies and payment companies (e.g., third party payment service providers, account servicing payment service providers and payment information service providers) based in the European Union.

What Is Strong Customer Authentication (SCA) under PSD2?

Strong customer authentication is a requirement that mandates stronger payment security standards based on multi-factor authentication.

SCA requires at least two of the following three elements for authentication:

  • Something the customer knows (password or PIN number)
  • Something the customer has (phone, device or other)
  • Something the customer is (fingerprint or biometric)

PSD2 and SCA were implemented as security requirements for consumer protection in the payments industry. SCA applies to customer-initiated online payments across Europe. Most card payments and all bank transfers require SCA, so this regulation is extremely important for businesses in financial services.

SCA Exemptions under PSD2 Compliance

While SCA increases protection for consumers, it also creates friction across the payments process. For this reason, the regulations provide room for some exemptions to the SCA requirement:

  • Low-value transactions: Usually transactions under €30 will not require SCA, with some exceptions.
  • Low-risk transactions: When a real-time transaction risk analysis deems a transaction low-risk, it can be processed without additional verification.
  • Transactions with pre-approved merchants: Customers can pre-approve merchants to exempt future transactions from SCA.
  • Corporate payments: Non-personal payment transactions from corporate environments.

Does Online Customer Identity Verification Matter for PSD2 Compliance?

Under PSD2, payment initiation service providers (PISPs) — primarily banks — are forced to open up three sets of APIs giving registered third parties access to customer accounts. Strong Customer Authentication dictates that the customer must give permission to the bank using two-factor authentication before the third party is allowed access.

Most access to customer accounts, including card payments and online transactions, is covered under this process — sometimes even when the customer is directly querying their own account details. PSD2 sets out very specific standards for secure electronic customer identity verification, in order to keep customers’ funds and personal identities safe and meet all SCA requirements.

The European Banking Federation encourages trust in digital identity verification tools that can guarantee “the person claiming a particular identity is in fact the person to whom the identity was assigned” in EU member states.

Two-Factor Authentication

One of the key requirements of the revised Payment Services Directive (PSD2) is that banks must add two-factor Strong Customer Authentication (SCA) for all remote access to customer accounts and online payments as a security measure. This means that when authentication is required, two of three factors will be applied: something the customer is, something the customer has and something the customer knows. Clearly, identity verification will be critical as part of this, and when customers forget or lose a key component, banks will need to ask them to re-identify themselves for electronic payments and transactions.

As many businesses are already seeing, customer account access dependent on two-factor authentication leads to an increase in customers losing their authentication credentials. What is often missed in the new regulation is that PSD2 requires this credential reset process to also use two-factor authentication, and needs the end customer to use two different authentication factors to those utilised in the account access process for the Open APIs. The credential reset process means the customer has to re-identify themselves to their bank using a Strong Customer Identity Verification (SCeID) process to verify or re-verify their identity.

Both SCA and SCeID are mandated by PSD2, although the latter is not well understood. Failure to implement these capabilities exposes banks to penalties under PSD2 as set by EU regulation. However, a failure to implement these capabilities properly may also expose banks to potential loss of sensitive customer data and, under the General Data Protection Regulation (GDPR), this opens up the possibility of fines of up to 2% of global annual turnover.

4 Qualities to Look for in an Online Identity Verification Solution for PSD2 Compliance

Identity verification is at the heart of PSD2, and must be supported by a Strong Customer Identity Verification (SCeID) process using two-factor authentication. According to a report from Consult Hyperion and Jumio, a compliant PSD2 credential reset process should have the following characteristics:

Strong
Use two factors of identity document verification to demonstrate that the consumer is in possession of their ID and live facial biometric matching to establish the person behind the transaction matches the person holding the ID.

Fast
Online and near real-time process to get customers transacting quickly. This is extremely important for maintaining strong user experience.

Accurate
Deliver a high level of accuracy using proven technologies and services to protect electronic payments.

Simple
Convenient for the customer, while limiting additional compliance costs for the business.

How Jumio Can Help with PSD2 Compliance

Jumio’s online identification solutions enable EU banks to incorporate the necessary PSD2 safeguards to ensure that each customer’s identity is verified before each interaction with a third-party service provider.

PSD2 requires that EU banks have a process of establishing the identity of the customer including determining to an appropriate level of assurance certain information (attributes) such as name, address and date of birth. Jumio helps these banks establish authentication credentials that allow their customers to assert their identity in the future without needing to redo the relatively expensive identification process each time they access their bank accounts for transactions.

Learn More

Guide/Whitepaper

Compliance Made Simple

Guide/Whitepaper

A Buyer’s Guide to Online Identity Verification – old

Guide/Whitepaper

Solving the Identity Problem in PSD2 and GDPR

Get Started

Let a Jumio expert show you how easy it can be to integrate our automated identity verification and AML solutions into your existing processes.
Request More Information