Jay Floyd, Senior Principal Financial Crime Consultant at ACI Worldwide, offers Finance Monthly his thoughts on how banks can keep pace with payments innovation to better protect consumers.

Contactless and digital payments have without doubt grown in popularity during the last year, accelerated by the COVID-19 pandemic and consumers trying to avoid using cash to reduce the spread of the virus. As a consequence, the contactless limit in the UK has recently been increased to £100. While a welcome move for both consumers and the payments ecosystem, this increase comes with the inherent risk of more fraud.

It means a consumer with four debit cards on them now carries a minimum of £400 worth of payments without a PIN, rather than the current £180. This figure is actually likely to be higher, given issuers typically allow five consecutive transactions to be made before a PIN is requested. In this example, that could be up to £2,000 worth of payments. This means your leather wallet is now worth a lot more to a thief than before the limit rise.

As we face one of the worst economic challenges since the 2008 financial crash, banks need to make sure their fraud protection measures are up to scratch. And there needs to be greater consumer education about the risk of making a payment which many now view as a simple ‘tap and don’t think’ action.

Contactless paves road for payments innovation 

Today’s consumers want access to fast and seamless payment experiences. In my view, contactless payments and the increase in limits will pave the way for greater payments innovation in the years to come.

For the broader payment landscape, it’s real-time payments that are leading the way for increased innovation and the growing adoption of different payment technologies - such as QR codes for payments and digital wallets.

However, new payment methods and processes always present new opportunities for crime. The recent increase in real-time payment transactions in the UK has sparked an increase in fraudulent activity. UK Finance recently reported that in the first half of 2020, £207.8 million was lost to Authorised Push Payment fraud, with financial institutions only able to return £73.1 million of losses to victims.

The pandemic has further accelerated our move towards a more digital world. While the number of physical bank branches had been declining for some time, recent announcements highlight a rapid acceleration in the closure of bank branches since lockdown. During this process, criminals have adapted their methods of committing fraud, taking advantage of the rising use of contactless and real-time payments. With the adoption rate showing no signs of slowing down, banks need to adapt to the changing landscape and equip themselves with the right measures to protect customers from fraud.

Real-time fraud management solutions will increase fraud detection

Effective fraud prevention requires solutions that can detect all possible types of fraud, across all channels. Real-time payments, for example, track every step of the transaction processing lifecycle instantly. The good news for banks is that this means fraud detection can be instant too.

Through real-time fraud management solutions, banks can increase fraud detection accuracy with advanced machine learning (ML) models to make better informed and faster decisions. It also ensures banks can be confident in remaining compliant with all fraud regulations - such as PSD2 and Anti Money Laundering directives - while delivering the ultimate customer experience.

Combining real-time payments data with ML, network intelligence and community fraud signals, fraud teams can detect fraud to improve overall fraud prevention rates at a much faster pace. Real-time fraud prevention solutions can perform millions of fraud checks within seconds and continuously learn from the data to become more accurate and effective over time.

Avoiding the financial crime of tomorrow

Fraud trends are moving fast and ultimately fraudsters will always find new ways to make money illegally. While banks have put in place numerous fraud prevention measures since the start of the pandemic, spending habits will continue to change, and they must be prepared to protect customers - and themselves - from the financial crime of tomorrow.

By taking advantage of the benefits of real-time payments technology, banks can put themselves in the best position to detect fraudulent activity and protect consumers and ultimately their reputation.

This ongoing disruption, coupled with changing consumer behaviour characterised by the growing preference toward mobile and online services, is driving regulatory changes that are shaping the future of finance.

While this is happening to varying degrees in regions and countries around the world, there are local nuances to consider. This is particularly true in the United Kingdom, where speculation is rife around what the future will hold for the UK following its departure from the EU and the impact this will have on financial services.

As one of the world’s leading financial centres, the UK is well-positioned to keep pace with changes in the industry. But in terms of regulations, there are still several questions around how the UK will adapt, what legislation it will adopt or modify, and what impact this may have on the wider EU region.

Post-Brexit PSD2

The Payment Service Directive 2 (PSD2) has been a linchpin of European financial regulations since its introduction in 2018, increasing security for online transactions and encouraging more competition through open banking.

The transition period ended on 1st January 2021 and enforcement of PSD2’s Strong Customer Authentication requirements for merchants will take effect at different times. The EU’s deadline is on 1st January 2021 while the UK’s is on 14th September 2021, which will no doubt cause a great deal of confusion for consumers.

In the case of a no-deal Brexit, a draft version of the UK Financial Conduct Authority’s (FCA) Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Open Standards of Communication indicates that the UK regulators would continue to accept the EU’s eIDAS certificates (or electronic Identification, Authentication and Trust Services) for authenticating third-party providers to banks. However, the document also recognises that UK entities may require alternative methods, suggesting that both routes are still on the table.

Discussions are still ongoing, but time is running out. As security is a key component of the directive, mandating the use of transaction risk analytics and replication protection in mobile apps, any new UK-specific variant will have to ensure that consumers remain protected and banks can still offer fully seamless digital experiences.

Driving digital identities

Some of the biggest regulatory developments throughout 2020 have come in the area of identity verification, with COVID-19 accelerating digitisation initiatives and investment. As an increasing number of customers are either reluctant or unable to visit a bank branch, fully digital and seamless identity verification has become a key requirement for remote account opening and onboarding.

This is an area where regulations – such as Know Your Customer (KYC) – play a key role, and where authorities have had to move quickly. For example, in response to the pandemic, the UK FCA issued guidance on digital identity verification permitting retail financial firms to accept scanned documentation sent via email and ‘selfies’ to verify identities.

This was supplemented by a 12-month document checking service pilot launched by the UK Government in the summer. Participating private sector firms can digitally check an individual’s passport data against the government database to verify their identity and help prevent crime.

And this is just the beginning. There are plans for private-sector identity proofing requirements and work being done to update existing identity-checking laws to become more comprehensive. Perhaps most significantly, the UK government plans to develop six guiding principles to frame digital identity delivery and policy: privacy, transparency, inclusivity, interoperability, proportionality, and good governance.

This all points towards a financial future that will be driven by digital identities. With customer behaviour likely changed forever, digital identity verification will be essential to improving the remote onboarding experience, while also minimising the threat of fraud and account takeover attacks.

The evolution of AML

Anti-money laundering (AML) legislation is also set to progress in the future, driven largely by an increasing focus on cryptocurrencies. Digital currencies are currently garnering plenty of attention from European regulators, as illustrated by the introduction of the 5th Anti-Money Laundering Directive (AMLD5).

EU member states were required to transpose AMLD5 into national law by the beginning of the year, with the goal of preventing the use of the financial system for money laundering or terrorist financing. One of the directive’s key provisions focuses on restricting the anonymous use of digital currencies and, as such, it now applies to both virtual cryptocurrency exchanges (VCEPs) and custodian wallet providers (CWPs).

VCEPs and CWPs that were previously unregulated must now follow the same rules as any other financial institution, which includes mandatory identity checks for new customers.

With the role of cryptocurrencies in our financial system expected to increase significantly over the coming years, we can expect European regulations to continue in this vein – particularly in a leading FinTech nation like the UK. It’s well known that digital currencies have – in their relatively short history – been used for illegal activities, so building trust in the technology through compliance will be a key focus for regulatory bodies in the future.

2020 has certainly been a year of upheaval for financial services regulations and we can expect this trend to continue into the new year. With digitisation in the industry evolving at a rapid rate, governments and lawmakers will have to work hard to keep pace. As the EU and the UK have shown, the future of finance will have plenty to offer.

Finance Monthly hears from Wayne Parslow, Executive Vice President for EMEA at Validity, as he explores what the financial services sector stands to gain from better handling of its data.

Financial firms face an increasingly complex minefield of regulations when it comes to handling data. The sector has so many acronyms that it’s often difficult for a layperson to wrap their head around them. Unfortunately, finance companies don’t fare that much better, and can be overwhelmed by seemingly infinite customer data management requirements.

Whether it’s ensuring appropriate customer data storage under GDPR or securing payments processes under PSD2 and PCI-DSS, there’s a host of regulatory pressures for managing the financial customer relationship chain.

Regulatory bodies are certainly not toothless when it comes to enforcing punitive measures, either. At the end of 2020, the ICO issued fines to both OSL Financial Consultancy Limited and Pownall Marketing Limited for misusing personal data.

Data Management Difficulties

Ensuring data held by finance firms is accurate, up to date and, equally importantly, used appropriately is a shared goal for both the regulator and financial institutions. However, with the pressures put on financial firms by the pandemic, there’s a good chance that data management best practice has taken a back seat in favour of ensuring business continuity.

This is a misstep, as the two key fundamentals of data – data quality and data governance – should be tied into the basic operations of a financial services firm. With strong data foundations, financial services firms will be in a far stronger position to navigate the upcoming uncertainty of a post-pandemic world.

Having data quality and governance work in concert to support one another does not simply ensure regulatory compliance, though. The value of data for driving successful business outcomes has already been proven, and businesses which employ a data-driven strategy are growing 30% year-on-year. Higher data quality also delivers stronger customer relationships and greater engagement.

Curating Quality

Data quality is not a once and done operation. For financial services in particular, it’s a complex, continuous network of processes and actions that must be continuously maintained as new data is collected, augmented and edited by the organisation.

First and foremost, a finance firm must take stock of the current state of its data. Given the rapid changes that have occurred over the past year, it’s essential to reassess data for accuracy, completeness, duplicates and inconsistencies. Firstly, data needs to be housed correctly so that it can be profiled accurately. Profiling their data enables financial organisations to ensure it is right for the business’s current needs, can be easily analysed and reported on, as well as being able to more easily check whether it is up to date.

Deduplication

Duplicates are a common barrier to data quality. Many regulations require data to be up to date, and for customer data to be removed under certain circumstances (i.e. when a contract is terminated). Whilst a firm might believe it has done its due diligence under these circumstances, leaving duplicate data behind poses a significant compliance threat and risks inappropriate or even illegal communication. To have a consistent, complete view of its customer data, a financial firm must be proactive with the management of deduplication. It’s a simple yet effective process that can make a huge impact, but requires an investment in the appropriate tools.

Security and Enhancing Data

The end user is typically identified as the weakest link in the security chain, and many breaches reported to the ICO stem from simple user error, whereby an employee downloads a confidential document to a laptop which is then lost or stolen, for example.

With the move to remote working last year, many businesses wisely took the step to upskill their now remote workforces with additional security best practice training to help mitigate the additional cybersecurity risks.

Organisations can take additional steps to prevent errors that create vulnerabilities, such as the laptop example above. Employees will often adopt methods that help them get their jobs done most efficiently, even if these deviate from security best practice. Standardising data is a crucial step to enabling it to move through the organisation in the correct, and secure, way – regardless of location.

For example, if finance needs to produce reports based on the outgoings of a few different international teams, putting best practice standards in place as basic as how titles and regions are entered means this can be completed more efficiently, easily and securely across the board.

Alongside profiling, deduplication and process standardisation, verification needs to be a top priority, and should take place as data is collected. Using external sources, both prospect and existing client data should be verified (provided, of course, that consent has been given for these external sources to be used in this way). Enriching data in this way ensures finance firms get a better ROI from marketing and sales.

Adopting a Data Mindset

Data is constantly changing, and a continuous monitoring regime is the only way to keep track as it waxes and wanes. A simple way to keep up with the health of your data as it changes is to set up dashboards and alerts that track data quality automatically.

That said, it’s not just about technology. There’s no getting away from it – a comprehensive cross-functional approach is needed to implement a successful data governance programme. For finance firms, team members must be subject matter experts who understand the complex industry standards and regulations and know what to do if they don’t. Many finance organisations will already have an executive level representative responsible for company-wide data management, such as Chief Data Officer (CDO).

A core aspect of a CDO’s responsibilities should be simplifying processes with the help of the right technologies. However, it’s unlikely there’s a single tool that will do everything a financial organisation needs, and every governance strategy should be bespoke for the organisation that will follow it. Companies should be aiming for a “data quality by design” mindset, where the checks and processes that ensure top-quality data is maintained become second nature.

Andria Evripidou, Policy Lead at Yapily, shares her thoughts with Finance Monthly on the state of finance in Europe and its opportunities for improvement.

Fragmentation has been one of the biggest obstacles to growth in the European Open Banking ecosystem to date. Even within the Berlin Group, there are differences in how banks communicate with technology companies and how they connect with APIs.

Because of this disparity, Europe has been slower to adopt Open Banking than the UK and other countries around the world. There were 178 firms in the UK permitted to share bank account and payment information with third party providers (TPPs) in 2020, but only 36 in Germany, 18 in France, 9 in Spain and 6 in Italy.

There is a real opportunity here to consolidate the market and deliver more value-add financial services with the promise of Open Finance: promoting innovation and creating a level playing field for all payments and data companies, while giving consumers greater visibility over their data and enhancing their financial wellbeing.

Open Banking is the first mile in the Open Finance marathon, and Europe’s regulators are starting to make their next moves towards crossing the finish line.

Catch me if EU can

There are a number of different factors that have contributed towards the fragmented Open Banking landscape we see across Europe today. In some countries, like the Netherlands, consumers have deep-rooted trust in their banks but a distrust in cards. As such, iDeal, an eCommerce payment system initiative driven by Dutch banks, was quickly adopted when it launched in 2005.

In comparison, the level of enforcement by National Competent Authorities (NCAs) of PSD2 requirements was patchy in places, which in turn created a fragmented approach to PSD2’s implementation across central Europe and so led to mixed uptake in adoption.

How developed a country’s financial ecosystem is has also played a role in Open Banking adoption. Eastern European countries, for example, that have more outdated financial products and infrastructure have been more receptive to innovation than countries with more advanced financial systems that already meet consumer needs.

The ingredients for Open Banking success

The maturity of the market is intrinsically linked to the adoption rate – adding another layer of complexity to the landscape. Those in the industry know and can see the potential of Open Banking and Open Finance. But wider consumers and businesses are still in need of educating on its benefits and security.

There are active discussions and working groups on how to move Open Banking adoption forward. To address the issue and catch up with the UK and other countries like Australia, the European Banking Authority (EBA) recently published its views on what NCAs should do to further adoption across the region. The aim was to ensure they remove any remaining obstacles that could prevent TPPs from accessing payment accounts or which restrict EU consumers’ choice of payment services.

This move has been well received. It is likely that, going forward, Open Banking integration within Member States will become easier. Over time, this move should make payments via Open Banking more prominent within the mainstream.

An open future for Open Finance

The natural evolution of Open Banking is Open Finance, which has the potential to completely change the way we look at our financial lives and bring about the fourth industrial revolution. Use cases are boundless, and the primary objective is enabling people to properly understand and then ‘optimise’ their overall financial position, ultimately leading to greater financial inclusion for all.

In an Open Finance era, consumers can get a better understanding of their investments using financial management applications that have a holistic view of an individual or business’ financial position in real-time. This will give consumers the ability to consider whether investments continue to meet their needs with access to up-to-date information on costs, tax treatment, performance, risk and other necessary factors.

The same consumer-centric approach that will see the rise of Open Banking across Europe will lay the road for Open Finance.

We have a lot to learn from the Open Banking experience to date to ensure the success of Open Finance. We also know that whichever shape the legislative framework ends up taking, Open Finance needs to be secure and easy to use, and that user journeys need to be properly considered ahead of any legislation design.

A lot more needs to be harmonised compared to the Open Banking experience. And without adequate supervision by NCAs, the implementation of directives is likely to be patchy and may hinder the uptake of Open Finance. But there’s no doubt that we will see the European Open Banking system consolidated in the coming years, giving way to the rise of Open Finance.

Kris Sharma, Finance Sector Lead at Canonical - the publisher of Ubuntu - offers Finance Monthly his thoughts on APIs and how firms are already using them to enhance their services.

Cloud computing, big data analytics, artificial intelligence (AI), machine learning (ML), distributed ledger technology and process robotics are all playing a key role in reimagining financial services for a digital world. A growing number of financial institutions are drawing plans to adopt these technologies at scale as part of their digital transformation initiatives to accelerate financial data processing, deliver mass personalisation and increase operational efficiencies.

Most organisations currently deploy a complicated mix of technologies, legacy software platforms, applications, and processes to serve customers and business partners. On their digital journey, financial firms will have to integrate data, processes and business functionality from legacy systems of record to this set of new technologies. Many businesses have tried to adopt various transformation approaches such as re-platforming and re-hosting, direct integration between applications, rip and replace, and deploying middleware technology to deal with legacy systems and their integration with new technologies. But each of these approaches has its own drawbacks and can limit the adoption of new solutions within the constraints of legacy technology debt.

An evolutionary approach to digital finance, however, will unify information and data without the need to merge operational systems. Application programming interfaces, or APIs, can overcome the challenges involved with adopting new technologies and more innovative solutions while integrating with legacy run-the-business applications.

Where APIs become a core piece of the puzzle

APIs are increasingly playing a central role in digital finance. They essentially bind different parts of the financial value chain together, even though the underlying components may be based on different systems, technology, or supplied by different vendors. Using APIs, financial firms can securely share digital assets while masking backend complexity, integrating software applications and focusing on maximising their proprietary strengths by sharing data, systems, and functionality with customers, partners and developers. This in turn drives digital transformation without a complete overhaul of existing infrastructure.

Since APIs are self-contained, they can be readily deployed and leveraged for innovation at speed, enabling financial institutions to introduce and integrate new features. When powered by the cloud, firms can develop, test and launch new services to customers quickly and cost-effectively, fuelling business growth. For example, insurance firms can make more timely offers by cross-selling home, auto and life policies. Financial institutions can leverage APIs to connect sources and use cloud computing to handle massive amounts of data, as well as AI and ML services that live in the cloud, thereby analysing all this data faster and cheaper than they can on-premises.

Who is successfully using APIs?

Challenger bank Starling was designed and built completely on AWS cloud to deliver and scale infrastructure on demand. Additionally, by building a bank with open APIs from day one, Starling is natively compliant with the European Union’s Payment Services Directive (PSD2).

According to ProgrammableWeb research, financial services is ranked highly in the fastest growing API categories, given the rise in digital forms of payment, an ever-increasing customer demand for connected solutions, and open banking initiatives. APIs are at the heart of the PSD2, the UK’s open banking mandate, as well as the Bank of Japan and the Monetary Authority of Singapore’s open banking initiatives.

Finastra’s Open Banking and collaboration: State of the nation survey 2020 finds that “86% of global banks surveyed are looking to use open APIs to enable Open Banking capabilities in the next 12 months”.

As APIs attract an ecosystem of developers, a financial API provider can encourage participation to fill go-to-market gaps and extend its services and data to new markets and use cases. Barclays is fostering collaboration and generation of new ideas through secure, innovative APIs. The Barclays API exchange has built an API library that is available for use by third parties to develop and test new products. Barclays and third-party developers work together to create, develop and test new product ideas before releasing them to the regular API catalogue. Similarly, Starling Bank provides a marketplace that enables developers to build their own products and integrations using its API.

Unleashing the potential

There is an opportunity for financial firms to leverage the power of APIs by bringing them together with digital technologies to broaden the possibilities for innovation and expand customer experiences. Financial institutions need to reimagine APIs as product offerings that will drive business expansion and increase revenues.

The future of digital finance will be driven by organisations building digital business models, redefining their API strategies and bringing new customer propositions to life using modern web architectures, best-in-class technologies and new ecosystems.

Paul Marcantonio, Executive Director for the UK & Western Europe at ECOMMPAY, offers Finance Monthly his predictions for open banking and the fintech sector in 2021.

The UK leads the charge in open banking; 2019 bore witness to a surge of growth in the country’s open banking ecosystem, when UK open banking hit one million users, regulated providers hit 204 and there were 1.25 billion API calls. It is evident that open banking has played a significant role in consolidating London’s place as a global leader in the fintech industry, comparable only to New York. With Brexit looming, there are many unknowns on the road ahead for UK businesses and their ability to deliver open banking services to the wider EU market after 31 December. Will open banking be affected by Brexit? And what is the outlook for the UK fintech sector in the new year?

The Brexit effect

Many companies are worried about maintaining the smooth digital experience that the modern consumer now prioritises post-Brexit. Looking ahead, UK businesses will lose their ‘passporting’ rights to do business across the EU, with organisations in the EU suffering similar barriers when seeking to operate in the UK. To overcome this barrier, many firms have created bases in the EU, while companies are also applying to the FCA for temporary permission to operate in the UK.

In order to minimise the disruption to open banking services post-Brexit, the FCA has said that third-party providers (TPPs) will be able to use an alternative to eIDAS certificates to access customer account information from account providers, or to initiate payments. eIDAS certificates of UK TPPs will be revoked when the transition period ends on 31 December. This means that TPPs have a compliant way to access customer information and ensures any changes as the UK leaves the EU will be smooth.

Businesses are having to audit their suppliers, as well as their payment service providers, to ensure they have all the necessary licenses to operate in the EU. Many companies are also building separate EU entities so that they can function in the EU under any Brexit agreement.

EU regulations

The role of open banking will only increase after Brexit, since the open banking agenda cannot be achieved by existing major banks. Open banking allows banking services to digitise so that consumers gain access to more choice than ever before, and extends the market to new entrants able to offer products and services that banking incumbents do not.

Furthermore, regulatory intervention serves to foster competition in the finance industry and is evidently necessary. The EU Payment Services Directive 2 (PSD2) was brought in during September 2018, and brought open banking requirements in across the EU, going further than the Retail Markets Investigation Order 2017 (CMA Order) in the UK which mandated that the biggest banks provide customers with the ability to share data with authorised APIs. The CMA Order revealed how regulation can motivate banks to modernise their services, but PSD2 gives consumers more choice and protection in opening up payments to third parties so they can access a variety of options when deciding how to pay and with whom to share their data.

Consequently, PSD2 will be a crucial mechanism for the UK financial services industry in order to remain competitive in Europe and across the world. The UK will therefore need to ensure it complies with EU regulations if it is to cement its position as a leader in open banking and continue to let the sector thrive. This means the UK is likely to align with EU regulation where it meets the needs of its own internal market, and is predicted to use regulation as a blueprint for its own but adjusted to meet its separate needs.

The road ahead for UK open banking  

Regardless of the nature of the UK’s relationship with the EU, many experts suggest the UK open banking standard is broader than the EU’s PSD2, and therefore has potential to be utilised as a blueprint for other countries worldwide. Although the route forward for open banking is not clear, what is evident is that open banking technology will carry on driving innovation and competition within the financial services industry, with the consumer able to access more convenience and choice.

The UK will make routes to economic growth a priority, which means open banking must play a major part in this. After the UK agrees technical standards and governance, open banking can present a competitive advantage via open APIs and enable the fintech sector to benefit from sustained growth into 2021 and onwards.

Learnings for businesses 

The modern consumer wants efficiency, with services and products on demand. As such, open banking must be looked to when seeking to cater to the consumer. For example, cross-border payments, innovation around APIs, and automation, are all enabling companies to simplify complex payment processes, and make the experience quicker and easier, as well as allowing for easy scaling.

Payment solutions such as ECOMMPAY’s utilise open banking technology to enable consumers to initiate payments to merchants without the need for debit or credit card transactions, and are crucial in expediting efficient payments within and across borders, customised according to localised requirements.

Brexit has been on the horizon for several years now, allowing businesses time to establish contingency plans. As long as companies have invested wisely in their payment infrastructure, they will be in a good place to ensure sustainable growth for years to come.

In the world of payments, there are important changes on the near horizon which have been anticipated for some time, namely the implementation of the second Payment Services Directive. PSD2 is focused on initiatives to make payments safer, increase consumer protection, and foster innovation and competition.

The next tranche of the PSD2 legislation brings with it the introduction of Strong Customer Authentication (SCA). The SCA requirements came into force in September 2019; however, the EU Commission and the European Banking Authority subsequently stated that national regulators should not actively enforce the regulation until 31st December 2020 for e-commerce.

In practical terms, in the UK and across Europe, SCA will mean additional security authentications for certain online transactions, a process designed to add an extra layer of fraud protection when cardholders make an electronic payment.

This means that in order for a card issuer to approve the transaction, a cardholder provides two of the following three independent sources of identity verification: something you know (e.g. PIN or password); something you have (e.g. a mobile device); or something you are (e.g. fingerprint or facial recognition).

Despite this having already come into law, with a 2020 effective date, many e-commerce merchants are yet to begin taking the necessary steps to ensure they are suitably prepared for SCA. Payment providers, such as card issuers and acquirers, are subject to the new rules, so if merchants don’t act soon, they risk issuers declining the transactions, which could lead to a loss of revenue as well as cardholder dissatisfaction. And, while in the UK, the Financial Conduct Authority has confirmed a revised enforcement date of 14th September 2021, other regulators are requiring the industry to begin ramping up SCA now. It, therefore, is imperative for merchants to take immediate action to be ready for the implementation of the SCA requirements.

Fortunately, there is a global industry standard - EMV® 3-D Secure (3DS) - to give merchants the ability to undertake SCA integration for all major payment providers at once. This is key in helping to make implementation as seamless as possible and, in practice, will mean merchants will require minimal additional time and resources for implementation.

With online transactions a large part of many businesses’ operations, it’s vital that they make the most of the technology at our disposal to smoothly integrate 3DS and, as a result, minimise the disruption to the checkout process without compromising customer security. 3DS technology also offers data insights on the purchasing journey, allowing issuers to make smarter, more sophisticated risk decisions which helps to reduce friction while protecting against fraud. To create a more seamless experience for consumers and merchants alike, ‘whitelisting’ features also allow consumers to select merchants to be marked as ‘trusted’, and thus exempted from the requirements of SCA whilst managing fraud detection and protection.

We know that every purchase is an important one for merchants, and we have designed our technology to support a safe and smooth transaction environment. There are clear actions merchants can take now to have an SCA solution in place before their country compliance date, so they can continue to offer an efficient and secure checkout experience for their customers.

American Express recently launched SafeKey 2.2 - a security solution that leverages the global industry standard. For more information about SafeKey, please visit www.amexsafekey.com. For more information about Express List, the American Express trusted beneficiary tool, please visit www.americanexpress.com/uk/security/safekey.

Jan van Vonno, Research Director at Tink, looks more deeply into the trends currently altering Europe's financial sector.

Convenience and ease have become the new normal for consumers and the demand for better, more personalised digital experiences in the financial industry has skyrocketed. Thanks to PSD2 and the UK's Retail Banking Market Investigation Order, Europe has been leading the way with its open banking initiatives — representing the beginning of a journey to democratise money management, empowering everyone to access the right products and services to meet their financial needs.

Over the last few months, Tink has been reporting on the attitudes and sentiment of Europe’s financial institutions towards open banking, with our research revealing that 61% of financial executives feel more positive towards open banking than last year.

This is extremely encouraging — particularly considering the current climate we find ourselves in. With COVID-19 accelerating the shift toward digital channels, we expect this positivity to continue to grow as more financial institutions concentrate on the digital transformation of products and services.

However, our research also revealed that 46% of financial executives aren’t confident that the benefits of open banking are widely understood within their organisations. So clearly the industry has more work to do. To reap the full rewards of open banking, it’s essential for financial institutions to remain nimble, open-minded and strategic in their approach. Here are three things they can focus on.

Create a clear open banking strategy

Adoption of open banking starts with the belief that it will create value. Once financial institutions embrace this, the next step is to implement a clear and detailed open banking strategy which can be translated into concrete business objectives.

To do this, they need to embrace change — educating people at all levels of their organisation on the benefits of open banking and incorporating it into the product, service and technology roadmaps of their business. Thankfully, 59% of respondents indicate that they already have a clear strategy in place, while 58% view open banking as an opportunity.

It is important that financial institutions also look to embrace the role of a TPP — consuming APIs to enhance their current products and operations and leveraging the available data to improve customer acquisition, accelerate onboarding, increase conversion, lower risk, and improve customer satisfaction rates. A great example of a company that is doing just this, is Nordea — who are going beyond PSD2 and aggregating all their data (e.g. investment, savings etc). In addition to this, they have successfully created a business-to-developer (B2D) open banking strategy to produce APIs and create better solutions for their customers.

It’s important to note that while some financial institutions approach open banking as a long-term strategic play, there are also a growing number who see the opportunity for short-term, quick-win value creation. There is no right or wrong way to approach this as both offer their own rewards. Ultimately, the most likely scenario is that financial institutions’ open banking journeys will begin with more elementary open banking use cases, eventually evolving into more sophisticated use cases over time.

Allocate budget (no matter how large) wisely

While the positive shift in attitudes is a solid indication of the importance of open banking, it doesn’t fully reflect the significance of the movement. The real proof is in increasing budgets that are being invested in open banking initiatives across Europe as the industry mindset moves from compliance to value creation. According to our data, open banking investment budgets for European financial institutions are typically between €50-€100 million, with 63% saying open banking budgets have grown since last year, with annual spending rising by between 20%-29%.

Of course, not all financial institution decision-makers have access to this level of budget. The key here is to focus on the low-hanging fruit and take advantage of open banking by operating as a TPP. In doing so, executives can experiment with elementary use cases with clear outcomes before proceeding on to more advanced and exploratory use cases. In addition to this, creating an open banking scorecard can help measure the impact of investments and set clear parameters that help to navigate the open banking journey.

Forge fintech partnerships

What became clear through our research is that the general confidence in open banking isn’t purely reflected by the understanding of the opportunity it offers, the strategy, or the sum of investments. It’s also indicated by the number of partnerships that financial institutions have formed with fintechs to help accelerate innovation and realise their objectives. 69% have increased their number of fintech partnerships in 2019, while the majority of executives are also working with more than one partner.

Such partnerships are invaluable, as they can provide financial institutions with the technology, expertise and vision to drive open banking value creation — creating both short and long term value for financial institutions and, in turn, for their customers. One thing to keep in mind, however, is that in order for partnerships to truly work, fintechs must be able to navigate the complicated procurement process and onboarding requirements that many larger banks have in place.

What it boils down to, is this: 2020 will be the year of value creation as the industry starts accepting there is considerable money to be made in open banking. The winners will be the banks that place a relentless focus on building clear strategies, using existing budgets wisely and prioritising fintech partnerships. This, in turn, will lead to a host of new use cases springing up across the customer journey — with institutions leveraging open banking data to improve customer acquisition, accelerate onboarding, increase conversion, lower risk, and improve customer satisfaction rates.

A huge opportunity lies ahead; the benefits of open banking are now ripe for the picking.

More and more consumers value the convenience of online banking and payment platforms, which are now used by over two-thirds of British adults – with 48% using mobile banking. However, this has caused fraud to skyrocket – in 2019 one in five UK adults were impacted by online card fraud – calling for financial services institutions to seriously re-evaluate current identity verification methods.

Jason Tooley, Chief Revenue Officer at Veridium, highlights that the huge growth in digital services means a re-definition of strong authentication is crucial. This should focus on mobile possession, multi-modal biometrics, combined with innovation including behavioural and location intelligence.

Jason Tooley comments: “A failure to implement Strong Customer Authentication demonstrates a disregard for consumer protection. The ever-rising fraud levels are linked to the consumer preference of mobile e-commerce, and regulation must keep pace. Now that businesses have had an extended period of six months, in addition to the two years since the initial announcement, there is no excuse to not be compliant. Strong Customer Authentication should have been prioritised long ago and viewed as a business differentiator.”

Jason continues: “Whilst it is true that consumers will see minor changes to their day-to-day user experience, the additional layer of security on payments will enable consumers to benefit from safer and more innovative electronic payment services. Strong Customer Authentication will mean consumers are more confident when making payments – not act as an inhibitor as some have incorrectly suggested.”

Jason continues: “This regulation has meant financial institutions are now under pressure to implement the latest identity verification technologies to protect the abundance of sensitive customer data, whilst delivering a seamless user experience. In our increasingly digitalised world, and with the explosion in cybercrime, identity theft and fraud, online payments must look to set a standard that meets the expectations of the consumer.”

Jason concludes: “If banks are to meet the deadline in one month’s time, they should be turning to technologies in the market which have the potential to alleviate the challenges posed by the regulation. Multi factor authentication solutions can facilitate financial services institutions to enhance consumer confidence and create a secure experience, whilst ensuring the customer has a frictionless user journey. Basing the digital authentication process on combining the customer’s own technology with an open biometric approach and true step-up intelligence, will allow financial institutions to meet the regulatory requirements before it’s too late.”

Compliance is a must-do activity, not a nice-to-have. According to Colin Bristow, Customer Advisory Manager at SAS, it is essential that companies extract maximum value from compliance processes, reducing the possibility of it being considered a cost centre.

Technological innovation can help to lift some of the compliance burden. The level of technology you can realistically implement depends on how advanced the organisation is to start with. One company’s moonshot could be another’s business as usual. Assessing the starting point is just as important as considering the benefits and end goal.

RegTech, AI and the future of compliance

This is the question that the burgeoning RegTech (regulatory technology) industry is seeking to answer. AI is typically at the forefront. RegTech partly focuses on improving the efficiency and effectiveness of existing processes. As part of that improvement, organizations are using AI, machine learning and robotic process automation (RPA) to smooth the integration and processes between new RegTech solutions, existing legacy compliance solutions and legacy platforms.

Why look to AI for help? Recent regulations, such as GDPR or PSD2, are handed down in the form of large and extremely dense documentation (the UK government’s guidance document for GDPR alone is 201 pages). Identifying the appropriate actions mandated by these lengthy documents requires a great deal of cross-referencing, prior knowledge of historical organisational actions, and knowledge of the relevant organisational systems and processes. What’s more, several regulations attract fines or corrective actions if not applied properly (like the infamous "4% of company turnover" penalty attached to GDPR).

In short, the practical application of regulations currently relies on human interpretation and subsequent deployment of a solution, with heavy penalties for noncompliance. This is where AI can help, reducing the workload involved and improving accuracy. Here are three key examples of how AI can help companies turn compliance into a value-added activity.

1) Reducing the risk of nonconformity

Following the deployment of compliance processes, there is often residual risk. This can be a result of unforeseen gaps in compliance processes, or unexpected occurrences that become apparent when operating at scale.

That’s partly because there are usually a lot of steps and processes to be carried out during the data collation stage of compliance programmes. RPA can help reduce administrative load associated with these processes that include a high degree of repetition – for example, copying data from one system to another. AI can then help process cross-organisational documentation, combining internal and external sources and appropriately matching where necessary.

AI can also help to reduce companies’ risk of noncompliance with, for example, privacy regulations. Furthermore, using AI techniques, organisations can automate transforming and enhancing data. Intelligent automation allows companies to carry out processes with a higher degree of accuracy.

2) Improving process efficiency

Inefficient processes can also hinder compliance. For example, automated systems that detect suspicious transactions for anti-money laundering (AML) processes are not always as accurate as they could be. A recent report highlighted that 95% of flagged transactions are closed in the first stage of review. Effectively, investigators spend most of their day looking at poor quality cases.

Use of an AI hybrid approach to detection ensures there are fewer, higher quality alerts produced. Furthermore, it is possible to risk-rank cases which are flagged for investigation, speeding up the interaction and relegating lower-risk transactions. Although AI forms an underlying principle across most modern detection systems, maintenance is key to managing effective performance.

AI can also be used to bolster AML and fraud measures more widely. For example, applying AI to techniques such as text mining, anomaly detection and advanced analytics can improve trade finance monitoring. This, in turn, can improve the regularity for document review and consignment checking, improving the validation rates of materials as they cross borders.

3) Keeping up with regulatory changes

Compliance never stands still. Businesses have to contend with a constantly evolving landscape, potentially across several regions. AI can help to optimise the processing of these regulations and the actions they require, helping companies keep up to date. Companies that need to effectively comply with several differing regulations require a wide range of understanding across all parts of the business. The size, complexity and legacy systems of the business can be significant obstacles.

To mitigate this risk, companies can use natural language processing (NLP) to automate aspects of regulatory review, identifying appropriate changes contained in the regulation and then relaying potential impacts to the appropriate departments. For example, AI could help geographically diverse companies determine whether changes in the UK have an impact on their Singapore office.

Humans still needed

It’s important to note at this point that AI and RegTech are not expected to widely replace humans. We are seeing early AI entries in the RegTech space, but they’re primarily helping with lower-hanging fruit and repetitive tasks. AI is primarily enhancing the work humans do, making them more effective in their roles.

AI does not come without some considerations, however. There is a great deal of focus and scrutiny on associated possible bias in AI deployments. Other discussions are exploring the transparency and governance of applications and questions around who owns generated IP. As a result, it’s essential that AI works closely with humans, enhancing activities and balancing an appropriate level of manual oversight.

AI is augmenting compliance practices by providing faster document review, deeper fraud prevention measures and greater contextual insight. It is also reducing noise in high-transaction environments and lightening the documentary burden on staff. From the start of the regulatory review to the end of the compliance process, AI holds part of the overall solution to a more efficient and valuable compliance function.

Below Marcin Nadolny, Head of Regional Fraud & Security Practice at SAS, explains more on the date push back and what this will mean for banks moving forward.

UK companies must be able to demonstrate that they are moving towards compliance from September 2019, but no enforcement action will be taken for 18 months. For the rest of the EU in general, the timeline is unchanged. However, national competent authorities have the flexibility to provide limited additional time to become PSD2 compliant (see the recent EBA opinion).

The big picture

But whichever country you’re in, it’s essential that companies recognise the urgency at play. In the new digital world, payment security is absolutely essential. The question now is not whether PSD2 compliance should remain at the top of the priority list. It’s how quickly companies can realistically achieve it. In a nutshell, PSD2 simultaneously massively increases the amount of financial data moving into banks’ systems while also making it mandatory that they run fraud controls on that data in real time.

As PSD2 ushers in the age of open APIs in finance, the traffic volume that payment processors will have to handle will be enormous. Consumers’ personally identifiable data will be at heightened risk, and we will observe increased malware attacks and data breaches via the newly created attack vectors. If businesses aren’t prepared for the change, it’ll be a fraudster’s paradise.

Is your organisation ready to cope with this new heavy traffic and identify fraudulent activities? It might be like finding a needle in a haystack. Fortunately, AI is coming to the rescue. Emerging technologies, such as predictive models, network analytics and anomaly detection, all have the power to increase your efficiency in finding and fighting fraud.

Real-time fraud detection

PSD2 is more than just a regulation. It’s the start of a major transformation for the payments industry. With the move to digital-first, open models, there’s an increased need to operate processes in real time – providing instant payments, for example – and that means that fraud prevention will need to move at the same speed.

Adequate anti-fraud protection is required by the regulation. Banks are expected to fill out certain tests as a fraud assessment, including reviewing behavioural profiles, checking known compromised devices and IDs, applying known fraud scenarios to transactions, and detecting malware signs. Analytics can help speed up detection, find suspicious behaviours and collate data points by ingesting new data sources. This builds a picture of "normal" behaviour against which banks can measure transactions.

At present, not all banks are applying all these anti-fraud measures. Some base their protection on simple rules and aren’t able to detect fraud in real time or stop transactions in progress. These abilities aren’t technically required by the regulator until PSD2 comes into effect. Real-time fraud prevention used to be a luxury – but now it’s a must-have. Banks must take the initiative to ensure they can detect fraud in process in incredibly short time frames.

Third parties enter the market

The other major change included in PSD2 is the arrival of third-party providers in the market. These nonfinancial companies, including GAFA (Google, Amazon, Facebook and Apple), e-tailers and fintechs, will be able to work as payment processors going between customers and banks. This means the banks have a much bigger traffic volume to handle and review for fraud. Legacy systems and processes simply can’t handle it.

In order to cope, banks need to have systems in place that are able to assess for fraud at huge volumes and in real time. Not only that, but transactions from third parties might come with limited contextual information. So, banks will have to enrich them with additional data on variables including digital identity, reputation and past behaviour.

AI applications will be essential to handle that ongoing enrichment at speed. Humans alone simply can’t process that level of information. So, it’s essential that banks invest in AI to augment the skills they have and lighten the load of compliance.

Managing the risk

The risk to banks posed by these growing data streams is not just in terms of payment fraud. There is also a heightened cybersecurity risk. New data flows and new payment systems present possible system back doors and new attack vectors that hackers will be quick to discover. By attacking third party infrastructure, malicious actors will be able to gain access to consumers’ personal data.

Addressing this problem is not the sole responsibility of the banks. But it highlights the level of risk associated with the increase in data volume and connectedness. Reputational damage and heavy fines are a very real possibility for institutions that don’t get their act together in time.

Compliance will require many changes to anti-fraud and customer identification processes. The technology required to handle this additional burden is out there. Banks must invest wisely and ensure they are fully equipped, whether next month or by 2021.

What does SCA mean for consumers?

According to a survey by Avira, 30% of consumers worry whilst shopping online, and 22% only use well-known e-commerce sites for fear of being a target of bad actors. That added layer of security on online payments will enable these consumers to feel more confident when processing payments over £28 online, as the authentication checks (i.e. biometrics such as fingerprint or facial recognition) are far more secure. Indeed, consumers will benefit in a variety of ways from the enforcement of SCA: purchasing processes will become easier, there will be more choice of financial providers (and consequently methods of payment) and there will ultimately be a reduced risk of fraud.

There will be an extra step in the payment checkout process, where customers will have to use biometric authentication or codes to approve the payment, but this should be a seamless experience and not deter consumers from shopping online. According to a recent survey, 48% of consumers have already authenticated a payment using biometrics; and 61% believe using biometrics is a much quicker and more efficient way of paying for goods or services than traditional payment methods using only passwords[1].

SCA deadline extension

In an increasingly digital age and with the high rates of cybercrime and identity fraud, financial institutions and payment providers need to apply these regulatory rules in order to provide the highest level of security for their customers. According to Action Fraud, £34.6m was stolen from innocent victims between April and September in 2018, a 24% increase on the previous six months[2]. Despite reports that more than £190,000 a day is lost in the UK by victims of cyber-crime, the Financial Conduct Authority, a financial regulatory body in the UK, has granted an 18-month-long extension for the enforcement of SCA[3]. The Financial Supervision Authority (FSA), the authority for overseeing banking and payment services in Poland, has also followed suit and confirmed on the 19th August that they will delay the enforcement of SCA.

The new SCA rules have faced opposition from an industry which is seen to not be ready for the new digital era; new research from Stripe reported that just half of 500 businesses surveyed expect to be already compliant[4]. The delay from the financial services community in providing a more secure payment service for their customers is disappointing and worrying considering the increasing numbers of cyber-attacks each year. The financial institutions and payment service providers who have had nearly two years to prepare since the initial announcement, have unfortunately not put the safety of their customers at the heart of their operations – and there is no excuse.

Moving forward 

New and advanced technologies in the market have the potential to reduce the challenges posed by the new SCA enforcement. Basing the online authentication process on combining the customer’s own smartphone with an open biometric approach, will allow financial institutions to offer a low friction payment experience while meeting the new regulatory requirements – as it is far more secure than passwords or codes alone.

Indeed, financial institutions and payment service providers need to integrate new technologies into their customer services and move to a passwordless society. Passwords are easily compromised; it comes as no surprise that 81% of reported data breaches last year were due to poor passwords such as 1234[5]. There are easily incorporated multi-factor authentication solutions that rely on consumers’ digital devices, and more secure forms of biometric authentication, which will eventually render passwords obsolete.

[1] https://info.veridiumid.com/biometric-recognition-systems

[2] https://www.bbc.co.uk/news/uk-47016671

[3] https://www.fca.org.uk/news/press-releases/fca-agrees-plan-phased-implementation-strong-customer-authentication

[4] https://stripe.com/gb/newsroom/news/sca-impact-study

[5] https://www.tracesecurity.com/blog/articles/81-of-company-data-breaches-due-to-poor-passwords
