POINT OF VIEW
Retail Banking is in the middle of a digital revolution with mobile technology heralding the biggest change for retail banking consumers since the credit card.
This is great news for anyone with a bank account and a smart phone. You can now bank conveniently with shopping in one hand and phone in the other, while hailing a taxi.
It also represents a huge opportunity for banks to cement their relationships with customers and become part of their day-to-day lives via the device in their pocket. But there are potential dangers, and banks with customers’ safety in mind need to beware.
The advent of PSD2 regulation
PSD2 follows on from the original Payment Services Directive adopted by the EU in 2007, by enhancing customer rights in areas including complaints handling, introducing new rules on surcharging and currency conversion, enhancing security through SCA (Strong Customer Authentication) criteria, and enabling third-party access to account information, thereby providing a framework for new payment and account services through Open Banking.
What will the impact be?
Customers are already hearing about banking apps that will streamline their accounts. So-called “aggregator apps” will allow people to check balances across a range of accounts from one portal, and this is just the start. There is a myriad of ways in which our banking and accounting lives can be made easier, and the EU would like as wide a range of developers as possible to have the chance to design them, taking responsibility out of the hands of the banks themselves.
But for this to happen, third-party developers need to be given access to the banking infrastructure – the plumbing that allows the information to be extracted and payments made. Such a move, it is argued, will be a huge boost to the digital banking economy.
You only have to look at the Apple “app-store” model to see that allowing mobile-app developers free rein to be creative can lead to a vast array of useful services for the individual and huge returns for the creatives themselves.
Tell me more
Creatives have long been allowed access to the major phone providers’ app stores to sell their creations. Apart from being horribly addictive, games like Fruit Ninja and Candy Crush are pretty uncontroversial – customers can pick and choose what to buy with very little downside. But the moment you allow third parties to create banking apps you are playing a very different game.
This requires access to the internal banking infrastructure which has previously only been used by the regulated banks themselves. PSD2 legislation will see this opened up to all.
Open Banking and PSD2 will usher in a new era of digital banking, but how a bank reacts to this will determine its success in the future. This is about competitive advantage as much as conformance to regulation. Those that simply nod to the regulator, instead of viewing this as a digital transformation opportunity, will ultimately increase their operating costs and may find themselves with an uncompetitive business model in the face of new realities.
New world challenges
Banking apps need to be secure and regulated in a way that allows developers to innovate… and that’s exactly what Open Banking UK has achieved.
All developers of banking apps will have to register to obtain permission to provide payment services and to gain access to a bank’s interfaces (APIs) and account information.
The bank will only be able to prevent access to accounts via third-party account information services if it has evidenced that the activity is unauthorised or fraudulent.
There will also be rules on liability and transparency of charges to protect customers.
However, with a third party placed between the bank and its customer, the opportunity for fraud is vast. What’s more, the opportunity also exists to observe huge numbers of transactions over time to identify patterns and vulnerabilities. A massive quick hit and a slow, penny-at-a-time fraud are both all too conceivable scenarios.
Can you cope with increased traffic?
The core banking systems still in use today were built 70 years ago to support a network of 1,000 branches. Many have been reinforced and extended since then to cope with increased traffic, but are they robust enough to deal with change on this scale?
What is the risk to your brand?
There have been many examples of banks whose infrastructure has failed publicly and spectacularly.
Just days into 2016, HSBC became the first bank to suffer a major IT outage. Last June, the RBS Group were impacted by a technical glitch which affected 600,000 transfers, the fifth outage for them in three years. It’s very public and it’s embarrassing. With phone banking being served up by third parties the risk is even higher, and it won’t be the app developers whose brand is called into question.
What is to be done?
Responsiv expertise can help your business move to the new reality and technology solutions are available to prepare your business for the challenges discussed.
Event orientated architecture
This means pushing information to people before they ask for it. Customers tell you how they would like you to engage proactively with them and register their personal preferences, ushering in a new era of personalisation. Not only is this a great selling point, but by anticipating demand, heavy loads can be kept away from the back end of the system.
Consider an application building tool kit
There are likely to be hundreds of people wanting to build mobile banking apps and, as we know, an application which gets between you and your customer can leave you vulnerable. But what if you develop your own security to protect customers?
The app provider can still do their thing, but by leveraging the secure element on the smart phone you can let your customer use their own credentials to get access to their own information without ever giving it away to the third party.
Introducing analysis of application traffic to detect anomalies
Monitoring the analytics will help banks to manage risk by looking for and flagging up any unusual patterns of behaviour – those which we consider to be harbingers of danger; for example, numerous accounts being accessed from one unrelated web address. Suspicious activity could then be stopped immediately.
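The pattern named above, many accounts reached from one address unrelated to any registered third party, can be checked over gateway access logs as follows. This is an added example, not Responsiv's code: the log format, the `REGISTERED_SOURCES` allowlist, the client ids and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample gateway log: timestamp, source address, client id, account id.
SAMPLE_LOG = """\
2024-03-01T09:00:00 198.51.100.7 tpp-aggregator acct-1001
2024-03-01T09:00:05 198.51.100.7 tpp-aggregator acct-1002
2024-03-01T09:00:09 198.51.100.7 tpp-aggregator acct-1003
2024-03-01T09:00:12 198.51.100.7 tpp-aggregator acct-1004
2024-03-01T09:01:00 203.0.113.50 tpp-aggregator acct-2001
2024-03-01T09:01:20 203.0.113.50 tpp-aggregator acct-2002
2024-03-01T09:01:40 203.0.113.50 tpp-aggregator acct-2003
2024-03-01T09:02:00 203.0.113.50 tpp-aggregator acct-2004
2024-03-01T09:02:30 203.0.113.50 tpp-aggregator acct-2005
2024-03-01T09:00:00 192.0.2.10 tpp-budget acct-3001
2024-03-01T09:20:00 192.0.2.10 tpp-budget acct-3002
2024-03-01T09:40:00 192.0.2.10 tpp-budget acct-3003
2024-03-01T10:00:00 192.0.2.10 tpp-budget acct-3004
"""

# Assumption: addresses each registered third party declared at onboarding.
REGISTERED_SOURCES = {"tpp-aggregator": {"198.51.100.7"}}

def parse(line):
    ts, src, client, account = line.split()
    return datetime.fromisoformat(ts), src, client, account

def flag_fanout(lines, window_s=300, max_accounts=3):
    """Return {source: peak distinct accounts} for sources that are not
    registered for the client id they present and that touch more than
    max_accounts distinct accounts inside a sliding window of window_s seconds."""
    recent = defaultdict(deque)   # source -> (timestamp, account) still in window
    flagged = {}
    for ts, src, client, account in sorted(parse(l) for l in lines if l.strip()):
        if src in REGISTERED_SOURCES.get(client, set()):
            continue              # expected traffic from a known third party
        q = recent[src]
        q.append((ts, account))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()           # drop accesses that fell out of the window
        distinct = len({a for _, a in q})
        if distinct > max_accounts:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(flag_fanout(SAMPLE_LOG.splitlines()))
```

The registered aggregator is not flagged despite its fan-out, and the unregistered address that spreads four accesses over an hour stays under the five-minute window; only the address presenting a client id from an undeclared source is reported.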
Get set for the digital revolution
New technology provides us with some huge opportunities but also some new risks. Banks are very good at understanding risk, but digital banking introduces a wholly new set of problems. Identifying such problems, dealing with them early and managing any corporate risk that arises has to be front and centre of your strategy when managing the undoubted benefits of this exciting digital future.
Responsiv deliver and host PSD2-compliant gateways to support your Open Banking initiatives in a sustainable and secure way. We also provide consulting services to maintain alignment with the standards, and to help you to leverage your PSD2 investment.
Richard Whyte has been building enterprise IT solutions for over 20 years. He is known for creating innovative practical solutions that provide a strong foundation for future development, whilst solving immediate problems. Previously the European CTO and Principal Architect for IBM Systems Middleware at IBM, he has an MBA, a degree in Statistics and Computing, is a Chartered Engineer, a Chartered IT Professional, and Fellow of both the Institute of Technology and the British Computer Society.