The PSD2 (Revised Payment Service Directive) is currently the hot topic across the payments industry in Europe. One of the main changes is the creation of new payment actors: third-party providers (TPPs). We will soon witness several non-banking entities enter the payments space as TPPs—for example, social-media platforms and other fintechs. In a digital world in which 50 percent of buying decisions are initially researched via social networks or other online and mobile applications, this will be a game-changer for traditional banks and financial organisations. These changes will undoubtedly open new channels and offer a wider range of value-added services, but they can also contribute to increased risk of fraudulent activities.
Elevated risk landscape
Traditional financial organisations have so far enjoyed a bilateral relationship with their customers. Things will soon change when TPPs enter the market with new services. Consequently, as custodians of the customer accounts, banks will see an even higher volume of transactions. This will be on top of requests through their existing digital channels, already challenged with growing consumer demand for mobile payments but soon to include new requests made via TPPs. As banks cannot deny access to TPPs as per the PSD2 mandate, their existing fraud-detection systems will be under pressure to cope with the new payment channels. Banks will require robust, powerful and scalable fraud-management platforms to sustain the high data throughput and the velocity of requests in real-time. The window for investigations will be significantly reduced, and banks will need to rely on advanced analytics and automation to mitigate the increased fraud risks.
New payment actors introduced.
Following the release of the final RTS (Regulatory Technical Standards), scheduled for the fourth quarter of 2018, AISPs (Account Information Service Providers) and PISPs (Payment Initiation Service Providers) will be geared up to offer their services to consumers, acting as intermediaries between the end-customers and their banks. The banks will remain the custodians of funds in the customer accounts, and the onus will, therefore, be primarily on them to ensure that the incoming requests are not fraudulent. Banks already face an existing challenge to secure online transactions as it stands. After the PSD2 takes effect, this problem will be further exacerbated, as the requests could be made via third parties, through which the bank will not have direct interactions with consumers. Requests made via TPPs may be susceptible to third-party fraud powered by malware or social-engineering techniques, and fraudsters could use the TPPs as an obfuscation layer to confuse the banks’ fraud defences.