The Europe-wide PSD2 implementation deadline will fall on 14 September. In the UK, it has now been confirmed that the official compliance deadline for the Secure Customer Authentication portion of the regulation will be pushed to March 2021. UK companies should be able to demonstrate that they are moving towards compliance from September 2021, but no enforcement action will be taken for 18 months. Throughout the EU in general, the timeline is unchanged. However, national competent authorities have the flexibility to provide limited additional time to become PSD2 compliant (see the recent EBA opinion).
The big picture
But whichever country you are in, it's essential that companies recognise the urgency at play. In the new digital world, payment security is completely essential. The question now is not whether PSD2 compliance should remain at the top of the priority list. It's how quickly companies can realistically achieve it. In a nutshell, PSD2 massively increases the amount of financial data moving into banks' systems while also making it mandatory that they run fraud controls on that data in real time.
As PSD2 ushers in the age of open APIs in finance, the traffic volume that payment processors will need to handle will be enormous. Consumers' private data will be at heightened risk, and we'll see increased malware attacks and data breaches via the newly created attack vectors. If businesses aren't prepared for the change, it'll be a fraudster's paradise.
Is your organisation prepared to cope with this new high traffic volume and identify fraudulent activities? It may be like finding a needle in a haystack. Fortunately, AI is coming to the rescue. Emerging technologies, such as predictive models, network analytics and anomaly detection, all have the power to increase your efficiency in finding and fighting fraud.
Real-time fraud detection
PSD2 is more than just a regulation. It's the start of a major transformation for the payments industry. With the move to digital-first, open models comes an increased need to operate processes in real time (providing instant payments, for example), and that means that fraud prevention will have to move at the same speed.
Adequate anti-fraud protection is required by the regulation. Banks are required to carry out certain tests as a fraud assessment, including reviewing behavioural profiles, checking known compromised devices and IDs, applying known fraud scenarios to transactions, and detecting malware signs. Analytics can help speed up detection, find suspicious behaviours and collate data points by ingesting new data sources. This builds a picture of “normal” behaviour against which banks can measure transactions.
At present, not all banks are applying all these anti-fraud measures. Some base their protection on simple rules and can't detect fraud in real time or stop transactions from happening. These abilities aren't technically required by the regulator until PSD2 comes into effect. Real-time fraud prevention was once a luxury, but now it's a must-have. Banks will need to take the initiative to ensure they are able to detect fraud in process in incredibly short time frames.
Third parties enter the market
The other major change contained in PSD2 is the arrival of third-party providers in the market. These nonfinancial companies, including GAFA (Google, Amazon, Facebook and Apple), e-tailers and fintechs, can work as payment processors sitting between customers and banks. This means the banks have a much bigger traffic volume to handle and review for fraud. Legacy systems and procedures simply can't handle it.
In order to cope, banks need to have systems in place that are able to assess for fraud at huge volumes as well as in real time. Not only that, but transactions from organizations might come with limited contextual information. So banks will need to enrich them with additional data on variables including digital identity, reputation and past behaviour.
AI applications are going to be essential to handle that ongoing enrichment as fast as possible. Humans alone simply can't process that level of information. So it's essential that banks invest in AI to augment the skills they have and lighten the burden of compliance.
Managing the risk
The risk to banks resulting from these growing data streams is not just in terms of payment fraud. There's also a heightened cybersecurity risk. New data flows and new payment systems present possible system back doors and new attack vectors that hackers will be quick to discover. By attacking third-party infrastructure, malicious actors will be able to gain access to consumers' personal data.
Addressing this issue is not the sole responsibility of the banks. But it highlights the amount of risk associated with the increase in data volume and connectedness. Reputational damage and heavy fines are a very real possibility for institutions that do not get their act together in time.
Compliance will require many changes to anti-fraud and customer identification processes. The technology required to handle this additional burden is out there. Banks must invest wisely and ensure they are fully equipped, whether the following month or by 2021.
SAS will be attending the 2021 SIBOS conference in London, where PSD2 will be a key item on the agenda. Visit our stand to find out more about how AI could help you get ready for the deadline.