PSD2 Compliance and Your Strong Customer Identity Verification Program
What is PSD2?
PSD2 is the second iteration of the Payment Services Directive (PSD) implemented by the European Union, and it affects both individual consumers and businesses. PSD2 enables bank customers to use third-party providers to manage their finances. The regulation went live in January 2018 and has implications for all companies in Europe that deal with payments, ranging from how to regulate the emergence of Third Party Providers (TPPs) to the need for strong customer authentication (SCA).
Who is Impacted?
The rules and guidelines of PSD2 apply to modern payment services, including banks, credit unions, fintech companies, and payment companies (e.g., third party payment service providers, account servicing payment service providers, and payment information service providers) based in the European Union.
Does Online Customer Identity Verification Matter for PSD2 Compliance?
Under PSD2, “account servicing payment service providers” (primarily banks) are forced to open up three sets of APIs giving registered third parties access to customer accounts. The customer must give permission to the bank using two-factor authentication, a process PSD2 refers to as “Strong Customer Authentication” (SCA), before the third party is allowed access.
Most access to customer accounts, including card payments, is covered under this process—sometimes even when the customer is directly querying their own account details. PSD2 sets out very specific standards for secure electronic identity verification, in order to keep customers’ funds and personal identities safe.
The European Banking Federation encourages trust in digital identity verification tools that can guarantee “the person claiming a particular identity is in fact the person to whom the identity was assigned.”
One of the key requirements of the revised Payment Services Directive (PSD2) is that banks must add two-factor Strong Customer Authentication (SCA) for all remote access to customer accounts. This means that when authentication is required, two of three factors will be applied: something the customer is, something the customer has and something the customer knows. Clearly, identity verification will be critical as part of this, and when customers forget or lose a key component, banks will need to ask them to re-identify themselves.
As many businesses are already seeing, making customer account access dependent on two-factor authentication leads to an increase in customers losing their authentication credentials. What is often missed in the new regulation is that PSD2 requires this credential reset process to use two-factor authentication as well, and requires the end customer to use two authentication factors different from those used in the account access process for the Open APIs. In the credential reset process, the customer has to re-identify themselves to their bank using a Strong Customer Identity Verification (SCeID) process to verify or re-verify their identity.
Both SCA and SCeID are mandated by PSD2, although the latter is not well understood. Failure to implement these capabilities exposes banks to penalties under PSD2 as set by national regulators. However, a failure to implement these capabilities properly may also expose banks to potential loss of sensitive customer data and, under the General Data Protection Regulation (GDPR), this opens up the possibility of fines of up to 2% of global annual turnover.