While the goals of these regulations are often described in detail, they frequently fail to outline just how the requirements must be met or the steps that need to be taken to achieve that compliance. Here Sarah Whipp, CMO and Head of Go to Market Strategy at Callsign, answers the question: Is regulatory ambiguity setting banks up for failure?

Take for example PSD2, which called for open APIs and the application of stronger authentication schemes but did not describe how best to meet these needs. With financial institutions in somewhat of a quandary, third-party groups have noticed a gap in the market and stepped in to help, such as the Financial Data Exchange (FDX), The Berlin Group and the Open Bank project, each of which puts forward a different approach to meeting PSD2 compliance.

The three predominant authentication schemes that are currently being used are as follows:

  • Redirect – the consumer visits the third party and, at the point where they provide consent, is redirected to the holder of the data, logging in via a page branded by their own financial organisation
  • Decoupled – the customer provides approval via a different channel, separate from the one in which they are dealing with the third party. For example, a push notification from their banking app if they are enabling access to their bank account
  • Embedded – the third party processes the customer’s security credentials and passes them on to the financial institution. This method will not work with device-based authentication, since the underlying organisation has no visibility of the device being used.

For international banks in particular, this presents a tricky challenge: they must be able to offer not only each of the authentication schemes above, but all three of them for each of the third-party groups who have stepped in to bridge the gap left by PSD2. As a result, these banks are tackling an extremely complex policy situation in which the 9 potential authentication methods are further compounded depending on location or circumstance. In addition, regulations will be interpreted differently in each jurisdiction these companies operate in, making a coordinated approach very difficult.

The issue lies not in the sheer number of potential authentication methods with no clear direction from the regulators, but in the fact that many of these major, global banks currently rely on a human policy manager – knowledge siloed in a few members of the IT team – to comprehend these regulatory needs. Quite often these teams hold insider knowledge, almost like living and breathing black boxes. Of course, if one of these people leaves the company, they take a huge amount of valuable information with them.

Instead, banks must move away from their home-grown policy managers and evolve to a more sophisticated and transparent policy manager in which functions across the organisation have a say. It is not just the IT team that has to review internal policies and sign them off. Every function, from Risk & Compliance right through to Marketing, needs to ensure it is properly following protocol.

Challenger banks, those that have broken ground in the last decade or so and remain digital-first, are actually positioned much better to deal with these issues, as much of their infrastructure is already grounded in flexible, agile practices. By contrast, many of the banks facing these problems are established institutions, potentially embracing digital transformation in other areas of the organisation. To ensure they can remain competitive and compliant (regulations are not going away; they are only getting stronger), they must also equip their policies for the future.

If these larger organisations do not rise to the challenge, they are in danger of dramatically harming the customer experience. They need to be able to balance keeping their customers’ digital identities safe and complying with regulations, while making sure users can get on without obstacles. To achieve this goal, policy managers must use the latest AI and machine learning to adapt and learn in real time. By implementing this technology, organisations can build multi-factor authentication journeys that are uniquely tailored to their own business, customers, products or services. Financial legislation is constantly being updated, so flexible technology will help them navigate any changes with relative ease.