PSD2

The Key to PSD2 Adoption? Mobile Phones!

On January 13th, 2018 the Payment Services Directive 2 (PSD2) becomes national law across the EU.

Depending on whom you ask – and to a large degree what their vested interests are – PSD2 will either have little effect, or be a FinTech game changer that will kill banking as we know it.

From the bank’s perspective, they clearly don’t want change. They have been front and centre for generations when it comes to consumer interaction, and the data they have collected is a major source of their power. Start-ups on the other hand, need a way in, and access to that data is a very good place to start. Whoever controls the consumer directly, will have the best chance of controlling the consumer’s financial choices.

PSD2 itself is supposed to promote 2 things:

  1. Make it easier and safer to use internet payment services by better protecting consumers against fraud, abuse, and payment problems as well as strengthen consumer rights; and
  2. Promote innovative mobile and internet payment services. [competition in other words].

The first applies no matter who you are, bank, service provider, or merchant. Combine this with General Data Protection Regulation (GDPR) and everyone needs to protect personal data.

The second however, is supposed to create a so-called ‘level playing field’, but can start-ups truly compete against the big banks who already have the direct consumer relationship?

Innovation is not the problem, FinTech is busting at the seams with new ideas, but none of them mean much unless they are adopted by the masses. What do they have to do to displace a bank, when the chances are they will not actually be providing banking services as we understand them? And what exactly areinnovative mobile and internet payment services” in this context – and to the point of this blog [finally] – how are mobile devices going to make all the difference?

Counterintuitively, mobile phones will actually improve security. You only have to look at the sheer number of each authentication factor of which the modern smartphone is capable to realise that traditional banking apps just don’t cut it. From passwords / passphrases, to fingerprints, to geo-fencing, to whatever comes next, your phone gets as close to true identity management as any device can.

That’s not to say mobile phones are secure, they are not, and this is one of the biggest hurdles to overcome. A bad guy ‘hacking’ into one of your banks accounts is bad enough, now imagine them hacking into an app that controls access to all of your finances. Money management apps is one of the greatest potential benefits of PSD2, and one of its scariest.

As for how mobile devices will aid PSD2 adoption, you only have to look at the trends. According to Statista for the UK:

  • By the end of 2017 66% of the UK’s population will be using a smartphone – That’s 43 million people, and given the demographic, they control the lion’s share of the UK’s wealth.
  • In 2015, 58% of all smartphone owners used banking apps

It follows therefore that a good chunk of that 43 million will be using their devices for a lot more than Facebook.

The only statistic that does not back this up, is adoption of mobile payments. Despite the Apple Pays/ Samsung Pays, and the plethora of digital wallets, mobile payments have in no way realised their potential. This is not the fault of the smartphone, this has to do with the inability of the payment apps to provide any sort of value-add. From loyalty point, to instant coupons, to ratings and reviews, payment apps are not improving the BUYING experience, just adding a payment option.

PSD2 will change all of that. When you have an app that can not only help you find the best price for something, but give you the best purchase choices based on your combined financial history, now you’re providing true benefit. It’s not about how you pay, it’s about how you buy.

Yes, you can do all of this through a PC / laptop, but on what device do you spend the majority of your time online?

[If you liked this article, please share! Want more like it, subscribe!]

 

PSD2: Where is the FCA?

On 12 January 2016, the revised Payment Services Directive (EU) 2015/2366 entered into force in the European Union, and will apply from 13 January 2018.

Anyone know what ‘apply’ means in this context?

On August 12th, the European Banking Authority (EBA) released its Consultation Paper “On the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2“. There have been many articles since then trying to explain what it means, at best these are educated guesses.

All other RTSs and Guidelines entrusted to the EBA won’t be available until January 2018. Classification of Major Incidents for example.

So as the UK’s ‘competent authority’ for PSD2, it’s surprising – and more than a little disappointing – that they have so far provided zero guidance, and won’t until sometime in 2017.

For example, the most pressing questions are:

  1. If January 13, 2018 is the date when PSD2 will ‘apply’, does that mean that’s when Account Servicing Payment Service providers (ASPSPs) have to make “at least one communication interface enabling secure communication” available? Or do they have until October 2018 at the very earliest (per the Consultation Paper)?
    o
  2. What happens to ASPSPs if they aren’t ready? Are there penalties?
    o
  3. When will the FCA begin the certification process for Account Information Service Providers (AISPs) and Payment Initiation Service Provider (PISPs)?
    o
  4. Do ASPSPs already qualify as AISPs and PISPs if they currently perform these functions?
    o
  5. Does the FCA have final say in liability?

I was fortunate enough to give a series of PSD2 presentations last week to a large ASPSP, and it was clear that there is significant confusion and frustration surrounding it. I know the legal teams of the larger organisations will already be lobbying the FCA, but I think it’s about time some of these conversations get translated and filtered down to the masses.

Of the 50 people I trained in those 3 days:

  1. PSD2 knowledge was very low;
  2. So far they have received little guidance from senior leadership;
  3. 85% were more scared than optimistic;
  4. Only 10% saw any opportunity for their organisation, the rest saw their jobs threatened;
  5. Almost all saw PSD2 primarily as a force for disintermediation of the card schemes, acquirers and issuers;

Clearly this organisation is not alone, and all the planning in the world will do nothing without a goal in mind. What will PSD2 look like in 2018? What can organisations do NOW without definitive guidance? Is there really enough information out there to warrant investment at this stage?

No organisation wants to invest in business transformation without 2 things; 1) clear opportunity for doing so, and 2) clear guidance from the competent authority. Also, no organisation wants to be first while there is so much uncertainty, but no organisation wants to be last. The advantage in this respect is clearly with the new entrants in the market, not the incumbents.

All that said, wishful thinking is going to get us nowhere. The FCA will jump in only when they are good and ready, it’s up to us to do what we can in the meantime.

Here’s what senior leadership at ASPSPs could be doing:

  1. Ensure the conversations between the legal teams and the FCA are filtered down to all staff – If you’re not having these conversations with the FCA, you must start;
  2.  Set-up a task force to examine opportunities related to Access to Information (XS2A) – You’ll have to give your customer’s information away for free, don’t you want the same from your customer’s other ASPSPs?;
  3. Set-up a task force to examine opportunities related to innovation in payments – Like it or not, existing payment channels will see significant competition. Don’t be Kodak, or Blockbuster, or IBM…;
  4. Set-up training opportunities for as many staff as possible, in-house or 3rd party. – Uncertainty kills motivation, you cannot let this turn into fear; and
  5. Take a long hard look at your mobile apps and APIs, these things will have very significant impact down the road. – You cannot be left behind where customer convenience is concerned.

The time to prepare is now, the time to panic is a long way off. This may sound strange given everything I’ve written up to this point, but look at it this way:

  1. Innovation in payments will only be relevant when consumers ask for it – Just look how little impact Apple Pay and the like have had. Why would it, when it’s no more convenient or value-add than the plastic they are trying to replace.
  2. Regardless of the January 2018 date, you have years before current payment methods begin their inevitable decline – Make smart choices, don’t make choices based on perceived deadlines.
  3. Your customers are yours to lose – YOU have the existing relationship with your customer, new entrants in the game will be at significant disadvantage. Unless you do nothing.

The PSD2 is a good thing for consumers, it’s really up to ASPSPs if this is mutual.

[If you liked this article, please share! Want more like it, subscribe!]

Biometrics Advocates, Get With the Bloody Program!

In just the last week, these are two of the articles paraded by the ‘Biometrics For eCommerce’ group on LinkedIn, both of which are taken from PYMNTS.com;

Is Biometrics Putting The Nail In The Password’s Coffin?

Is It Time To Cash In PINs For Biometrics?

My question is; Just how dumb do you have to be to wage a war against your own side? You don’t see The Times and The Sun slagging each other off, or Lexus and Toyota competing for the same demographic, do you? And why not? BECAUSE THEY ARE ON THE SAME DAMN TEAM!

So why is it that biometrics advocates feel the need to pick on passwords / PINs? I can only imagine it’s something like a school bully who only picks fights he thinks he can win, or perhaps they realise that biometrics is nowhere near the panacea they want it to be so they have to compare it against the lowest common denominator.

And let’s face it, that’s exactly what PINs are; the lowest form of password, which is the simplest of the 3 forms of authentication. That’s why it’s so prevalent, and orders of magnitude more accepted and consumer friendly than any form of biometric. But it is also the cause of all of their limitations, which are not inconsiderable.

However, instead of trying to kill the password /PIN, what’s wrong with taking the position of collaborative support? PINs are inadequate for some scenarios, just as biometrics are wholly inappropriate for others. Addressing the factor of authentication outside of the context of risk is no different from asking how long is a piece of string.

What about consumer preference? Is ANY financial institution or bank going to enforce a ‘biometrics-only’ stance? Not unless they are irretrievably stupid.

What about device capability? Are we going to force all 7.3 billion people on the planet to buy the latest smartphones? More than 2/3 of all mobile phones are still not biometrics enabled, do you really see passwords / PINs going away ANY time soon? No, nor do I.

Even for those with smartphones, who’s to say that the something-you-know has to be a passWORD? A picture of your own choosing will suffice. Or special characters in place of numbers perhaps? How many people out there speak Klingon? All you have to do is remember SOMETHING, and the smartphone could not make that easier (especially for those with learning disabilities).

Clearly my blog’s limited reach will have no impact on those too short-sighted or just too plain greedy to adopt a collaborative approach to authentication and identity management, but like almost all FinTech’s disruptive innovators, those going it alone will fail. Biometrics has finally, and rightfully, taken it’s place in the arsenal of weapons used against the bad guys, but for now advocates seem Hell bent on using them against their own friends.

In the end, only multi-factor authentication will win the day. Biometrics will be a big part of that, but the mobile phone (something-you-have) itself will be even bigger, and something-you-know will never go away.

Nor should anyone want it to.

What Will 2016 Be “The Year Of” In Payments?

I guess it’s quite prophetic that 2016 is the Chinese Year of the Monkey, though I suspect that the Year of the Headless Chicken will be a little more accurate.

Every year, someone either predicts a ‘Year of x‘, or claims that the previous year was ‘The Year of y‘, and usually it’s the very organisations with a direct vested interest in the technology in question. 2015 was the Year of Biometrics, 2014 was the Year of Encryption, and so on.

Thankfully the financial industry at large took a step back and put these, and many other technologies, into an appropriate perspective. Mostly. Especially biometrics, where numerous vendors were dribbling all over themselves when Apple Pay finally hit the mainstream. We heard cries of “The password is dead!” and “Biometrics is the future of authentication!”, all of which was utter nonsense in light of the Payment Services Directive 2 (PSD2).

Yes, many banks have invested significant sums in biometrics (usually to enhance their mobile banking app security), and no, these investments will not be wasted, but from what I’ve seen most of them have missed the point; that authentication is just a temporary means to an end.

The result is that those Hell bent on disruption will fail without collaboration, those with a single authentication technology will fail without partnerships in a multi-factor solution, and those interested only in keeping things the same will be left behind. The only hope of achieving a balance between all of these things is to ask the only stakeholders who have no idea what they want;

The consumer.

Even after a few years of dramatic changes and innovation in payments, what everyone seems to have missed – or at least underestimated – is that payments (or finance in general) is far too complex for the average consumer to understand. In my opinion it’s been made too complex to even be sustainable, especially when you consider that the concept of a payment is actually very simple; I have a value stored here, and I want to transfer it over there in exchange for a product or service. HOW that happens should not be the consumer’s concern, only the security and efficiency of that transaction should.

I have no problem paying my bank to protect my stored value (i.e. money), as long as it’s reasonable. I have no problem paying someone to protect (and accept liability for) the transfer of that money somewhere else, as long as it’s reasonable. What I DO object to is the numerous intermediaries in the current system who not only make the process expensive, but ridiculously slow and inefficient.

But what I really want is for payments to go away entirely, at least from my perspective as a consumer. I want the HOW of the payment to be handled in the background, and the decision made by a trusted third party who found the best all-round deal for the product/service of my choosing. Whether that’s finding a plumber, or shopping for groceries, the only innovations I care about are ones that take care of the things I hate doing; like filling out online payment forms, or lining up in Sainsbury’s to pay for a pint of milk.

So, in truth, 2016 will likely be the Year of Nothing Much Happened. Truly beneficial change will take a long time, and while the pieces necessary for innovation are already available, getting all of the stakeholders to agree on the way forward will extend way beyond this year, and likely next.

I’m hoping that 2016 will actually be the Year of Getting the Future-State Plan Right, but I somehow doubt it.

 

Biometrics vs. Passwords: A Fight No-One Can Win

Thanks to Apple Pay, then Samsung Pay, biometrics companies have seen a tremendous surge in consumer interest, to the point where they are now falling over themselves trying to be seen as the authentication standard that replaces the password.

No doubt the numerous breaches that were apparently the result of weak password authentication will have these same companies in a feeding-frenzy of finger-pointing and I-told-you-sos. This is more than a little inappropriate, as biometrics not only has some of the same weaknesses, it adds layers of complexity and risk far above those to which passwords are exposed: at least you can change a password.

If you take 1800s transportation as an analogy, the answer was not to breed faster and stronger horses. You repurposed what you had (including the horses), coordinated a huge array of other industries and innovations, and worked TOGETHER to build something exponentially better.

Authentication now finds itself at a crossroads, and like most things in the Digital Age, there is no one right answer. The only certainty is that it will be the mobile devices that will be at the center of taking payments and authentication innovations to the mainstream. If you can’t put your authentication mechanism on a smartphone it simply won’t be adopted.

One answer which is simple, and brings the benefit of using both passwords (in the form of customer PIN) AND biometrics (in all its forms) is now available. No single factor of authentication is enough, and each one has its strengths and weaknesses. By combining multiple factors, you not only negate the limitations of each, you ensure that security is significantly more robust. The whole, in this case, is much greater than the sum of the parts.

The longer the password is, and the more of them you have, the more difficult it becomes to keep track. But the simpler the password, the easier it is to crack. Biometrics is relatively more convenient, but is prone to false positives, and once known from a physical perspective, can never be changed. So each factor is not ideal by itself, but combining a simple password, like a PIN, with biometrics, device registration and geo-location, presents a much more resilient hurdle.

We believe that poor design can lead to overly complicated solutions, and authentication mechanisms are no exception. Making a payment should actually be simple, as it’s just a transfer of value from one place to another, it’s the fact that we have MADE them complicated that makes them unsecure.

The average consumer is used to entering a PIN or a password and their smartphones should now be able to take care of the rest in a way that they hardly even notice it happening. Only in this way can we achieve the security we need, with the convenience required to make implementation practical.

For the payments sector to build the next generation of consumer solutions, individual vendors need to stop focusing on themselves and be more collaborative.

[Ed. Written in collaboration with www.myPINpad.com]