Mobile banking is shifting gears with PSD2
Mobile devices are the backbone of digital transformation, enabling new innovations such as smart cities and connected cars, but they are also the backbone of disruption in the digital banking world, writes Howard Berg, the senior vice president and managing director for Gemalto UK.
They can transform a bank from a distant place you go to occasionally, when you need something in particular, to a trusted partner who is always there, within reach, ready to help. In the European banking industry, mobile devices are about to bring a major shift. And many actors in the financial sector are underestimating the drastic changes that are under way.
The financial sector has always been a pioneer in taking advantage of technology, helping consumers to adapt quickly to new opportunities. And mobile banking is no exception. We recently conducted a survey among end-users around the globe about their expectations regarding smartphones and mobile devices until 2025, and the role of banking and payments is hard to ignore. Already, seven in 10 consumers use an app for online banking, while more than four in 10 have dedicated software to make mobile payments via their phone. And these figures will probably grow, because the opportunities in the mobile world are huge. Most urban areas will soon become spaces for hyper-connected societies, and a vast majority of users are open to new digital payment channels.
PSD2: The game changer
So it’s clear that mobile devices are poised to become hubs for banking, payment and other financial services. But this brings on new challenges, which banks and other financial institutions need to understand.
First among these, the European financial services industry must get ready for the Revised Payment Services Directive (PSD2) that was voted in by the EU Parliament in 2015. Governments of the member states are currently in the ratification process, and by the beginning of 2018, PSD2 will obtain legal force in most EU states.
The aim of this Directive is to foster innovation by increasing competition and opening the financial services market to more actors. In the case of mobile payment, this opens the field in particular to software vendors and Internet giants such as Google, Amazon and Apple. The reasoning is simple: They can use their know-how to provide user-friendly apps and services for mobile banking and mobile payment. With PSD2, they will be able to access information on customers’ bank accounts – with the customer’s consent – and provide new and tailored services – such as alerts when they are spending too much, perhaps in a given category of products.
PSD2 also brings plenty of opportunities to existing financial institutions. For example, banks can gain a deeper understanding of their own customers by accessing the accounts they hold at different banks – again, with the customer’s consent. Imagine the opportunities this would open: new and innovative services, new revenue streams and deeper customer ownership.
A key advantage that financial institutions have is security. Users expect better protection as a basic condition before they adopt new products. When asked about the most important attribute of an app, 80% cited reliability and security, followed by convenience and speed at 60%. With their heritage and experience, banks can provide both trust and usability simultaneously.
The Revised PSD is a strong and impactful directive. Players in the field now face a double challenge: They have to get ready for the age of mobile banking, while following its other requirements – one of which is the mandatory implementation of Strong Customer Authentication (SCA).
SCA requires banks to authenticate users via a device (“something you have”) plus a PIN (“something you know”) or biometric feature (“something you are”) when making payments in the field. Two of these must be applied, otherwise the payment is not valid. Modern smartphones already support biometric identification, but some key issues remain for financial services providers. How can they make the mechanisms work, and merge the technology into a mobile service? How can they ensure security?
Understanding the mobile challenge
Given how dynamic the market is, financial institutions will have a hard time providing the required security by themselves. Instead, they need to find trustworthy partners that bring the necessary expertise. Security mechanisms are not standalone issues: they must be applied as part of a layered security approach. Even the most high-end biometric facial recognition is useless if weak encryption mechanisms are applied or Man-in-the-Middle attacks are not prevented.
Cyber criminals use existing malware and malicious tools. To keep up with the threat, organisations need to integrate existing intelligence and know-how – there is simply no time to start from scratch. More than other payment mechanisms, mobile payment needs to rely on strong and reliable security solutions. These solutions must therefore provide proven mechanisms such as code obfuscation, encryption, key protection with appropriate key management, device binding, and root and jailbreak protection.
Another challenge is to make sure it is easy for consumers to use. This means finding ways to bring transaction authentication and validation onto end-user devices without compromising security. Technology can turn a smartphone, or even an IoT device, into a universal key – but there is no room for error.
Trust: the new enabler
While PSD2 opens up new opportunities for financial institutions, it also puts a burden on them: they need to understand that gaining trust is a fundamental challenge.
The rapid pace of mobile adoption unleashes the potential of innovative services, new revenue streams and deeper customer ownership. But it can only continue if all players adopt matching security measures.
The opportunities are huge – especially for banks. Their experience and reputation give them an advantage, but they need to adapt quickly. In less than one year, PSD2 will come into force in most EU states. Meanwhile, new service providers are entering the market. They might lag behind in terms of experience in the financial services sector, but often already have a strong customer base they can upsell to.
Security and data protection are therefore crucial if people are to adopt the new habits that will unleash the full potential of mobile banking disruption. Customers will remain loyal to financial institutions if they feel that their data and their money are safe. They are also more likely to use new products for a longer time if these prove to be secure. Banks can become their partners. All they need is trust.