The PSD2 (Revised Payment Service Directive) is currently the hot topic across the payments industry in Europe. One of the main changes is the creation of new payment actors: third-party providers (TPPs). We will soon witness several non-banking entities enter the payments space as TPPs—for example, social-media platforms and other fintechs. In a digital world in which 50 percent of buying decisions are initially researched via social networks or other online and mobile applications, this will be a game-changer for traditional banks and financial organisations. These changes will undoubtedly open new channels and offer a wider range of value-added services, but they can also contribute to increased risk of fraudulent activities.
Elevated risk landscape
Traditional financial organisations have so far enjoyed a bilateral relationship with their customers. That will change when TPPs enter the market with new services. As custodians of the customer accounts, banks will see an even higher volume of transactions: on top of the requests arriving through their existing digital channels, which already struggle with growing consumer demand for mobile payments, they will soon receive new requests made via TPPs. Because banks cannot deny access to TPPs under the PSD2 mandate, their existing fraud-detection systems will be under pressure to cope with the new payment channels. Banks will require robust, powerful and scalable fraud-management platforms to sustain the high data throughput and the velocity of requests in real time. The window for investigations will be significantly reduced, and banks will need to rely on advanced analytics and automation to mitigate the increased fraud risks.
New payment actors introduced
Following the release of the final RTS (Regulatory Technical Standards), scheduled for the fourth quarter of 2018, AISPs (Account Information Service Providers) and PISPs (Payment Initiation Service Providers) will be geared up to offer their services to consumers, acting as intermediaries between the end-customers and their banks. The banks will remain the custodians of funds in the customer accounts, and the onus will, therefore, be primarily on them to ensure that the incoming requests are not fraudulent. Banks already face a challenge in securing online transactions as it stands. After the PSD2 takes effect, this problem will be further exacerbated, as requests could be made via third parties, leaving the bank with no direct interaction with the consumer. Requests made via TPPs may be susceptible to third-party fraud powered by malware or social-engineering techniques, and fraudsters could use the TPPs as an obfuscation layer to confuse the banks’ fraud defences.
Access to accounts (XS2A)
A major change introduced by the PSD2 is access to banks’ data infrastructure and customer accounts through APIs (application programming interfaces). Any new digital channel carries inherent fraud risks, and fraudsters could seize this opportunity to impersonate genuine customers, harvest information on them through AISPs and use it to open fraudulent credit accounts in their names. XS2A can also be an attack vector for data breaches, for which banks could be liable for heavy fines under regulations such as GDPR (General Data Protection Regulation). Standard business rules, or even existing predictive models, might not be effective against such risks. There is also concern that banks may not receive all of the relevant data through TPPs (e.g., device information, session data), which could reduce the effectiveness of existing customer-profiling tools and predictive models. One way to tackle this conundrum is to use forward-looking analytical techniques such as anomaly detection. For example, deviations from the peer-group pattern for an AISP can be indicative of malware harvesting customer information. Likewise, a high-value transfer to a foreign account made through a PISP can be deemed anomalous for a customer with no such history.
Strong customer authentication (SCA)
The first step in most online fraud schemes is to gain access to the victim’s account. Strong user authentication is a key factor in mitigating the risk of account takeover, and the PSD2 stipulates the mandatory use of two-factor authentication (2FA) for most transactions, with a few sensible exceptions. The challenge, however, is not so much securing access to accounts as balancing security and user experience. The optimal approach lies in adaptive authentication, which monitors all relevant risk factors (e.g., device, channel, value) and adopts a customer-centric approach for a tailored and robust authentication mechanism.
Identity management, through user validation and verification, is equally relevant to secure authentication. eIDAS, a European Union (EU) regulation on digital identification for electronic transactions, provides the legal foundation for individuals and businesses to safely access services and transact in virtually “one click”. Many financial organisations are considering the use of this federated identity-management solution to partly fulfil the SCA requirements of the PSD2. Regardless of the authentication process used, all PSPs (payment-service providers) need to ascertain that each access request is legitimate, ideally through a fraud-security layer that uses analytics to risk-score authentication attempts.
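The anomaly checks described under XS2A (a PISP transfer abroad for a customer with no such history, an AISP whose request volume deviates from its peer group) and the adaptive step-up to SCA described above, combined in one added example that is not part of the original article. The customer profile, the point weights and the decision thresholds are constructed assumptions, not a bank's or vendor's scoring model.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Profile:
    """Hypothetical per-customer history held by the bank (constructed)."""
    home_country: str
    known_devices: frozenset
    largest_foreign_transfer: float  # 0.0 if the customer never sent abroad


def score_pisp_transfer(amount, dest_country, channel, device_id, profile):
    """Risk-score a payment initiation; higher means more anomalous.
    Weights are assumed for illustration."""
    score = 0
    if channel == "PISP":
        score += 1  # no direct bank session with the customer
    if device_id is None or device_id not in profile.known_devices:
        score += 2  # device data missing (typical via a TPP) or unknown
    if dest_country != profile.home_country:
        if profile.largest_foreign_transfer == 0.0:
            score += 3  # first-ever transfer to a foreign account
        elif amount > 3 * profile.largest_foreign_transfer:
            score += 2  # far above the customer's own foreign history
    if amount >= 5000:
        score += 2  # high value in absolute terms
    return score


def aisp_peer_zscore(requests_today, peer_requests):
    """Standard deviations by which an AISP's daily account-information
    request count sits above its peer group; a large value can point to
    automated harvesting rather than genuine customer use."""
    mu, sigma = mean(peer_requests), pstdev(peer_requests)
    if sigma == 0:
        return 0.0 if requests_today == mu else float("inf")
    return (requests_today - mu) / sigma


def decide(score):
    """Adaptive authentication: frictionless, step-up to SCA, or hold."""
    if score <= 2:
        return "allow"
    if score <= 5:
        return "step-up SCA"
    return "hold for review"


if __name__ == "__main__":
    customer = Profile("DE", frozenset({"dev-1"}), 0.0)  # constructed
    print(decide(score_pisp_transfer(9000, "LT", "PISP", None, customer)))
    print(round(aisp_peer_zscore(900, [100, 120, 110, 90, 130]), 1))
```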
There is a common misconception that the PSD2 mandates instant payments; as much as this would benefit consumers, it is not the case. Instant payments are driven by a separate but related initiative—SCT Inst (SEPA Instant Credit Transfer), which goes live in November 2017. Countries such as Sweden, Denmark and the United Kingdom already have such schemes (e.g., Faster Payments in the UK), but SCT Inst will soon roll out instant payments across the whole region, making instant European cross-border payments a reality. SEPA instant payments will be processed at the transaction level and cleared in real time. Instant payments require instant fraud decisions, and here again, as with PSD2 TPP requests, traditional rules-based fraud solutions may not cope with the huge volume and high velocity of incoming requests.
The payments world is at a crossroads at which many technologies, regulations and market drivers interact. The future is clearly being shaped to offer a wider range of easy-to-use, mobile and flexible payment solutions, designed with consumer-centricity in mind and challenging the rigid framework of traditional banking. Whilst this happens, all payment actors need to be wary of fraud risks. Fraudsters are constantly evolving and may use this transitional state of play to their advantage by exploiting potential gaps in the payments process. Financial organisations, therefore, need to invest in or upgrade to a holistic fraud platform that uses a range of advanced techniques to act on the early signs of fraud and derive actionable intelligence from data. In other words, they need to adopt a proactive strategy and reduce their fraud permeability through a hybrid ecosystem combining discovery analytics, layered detection and adaptive authentication.