PSD2 will not only bring more competition to the existing players; it is also driving innovation through their core business models, which could lead to reduced market share, rapid migration of user behaviours and an additional set of rules and regulatory frameworks to operate under, further increasing the cost of doing business.
Traceability is one of the key worries in how liability will be allocated in the event of customer data being compromised, and in tracing who is at fault in the ever-expanding layers of data controllers and processors operating in the open banking environment. With data being used across multiple platforms, one threat to fintechs is how they can prove they do not have liability when customers experience identity theft, or when their account details are misused. Hence the requirement in PSD2 for Professional Indemnity Insurance.
The principle of customers being able to choose from a wider selection of financial services, easily obtaining comprehensive aggregated data about the status of their accounts, will surely mean better value, convenience and more transparent services for the customers.
There are threats to customers if Open Banking participants are not able to undertake Strong Customer Authentication (SCA) and Strong Customer Electronic Identification (SCeID). This could not only result in exposure to local regulation; if customer identity is not authenticated correctly, GDPR regulation and its significant penalties could come into play. The opportunities: one identity, single log-in, one password = convenience!
When authentication is required, three factors will be applied: something the customer is, something the customer has and something the customer knows. There will be a radical shift away from physiological biometrics (such as face, iris, fingerprint) into smart behavioural geo-positioning biometrics, further strengthening and streamlining the identity authentication process.
Authenticating through out-of-band “smart channels” could mean authentication undertaken through a data stream independent from the main in-band data stream. Out-of-band authentication provides a conceptually independent channel, which allows any data sent via that mechanism to be kept separate from in-band data. If that authentication (as detailed in the previous question) was stateless, meaning once complete it would leave no trace it existed, this could prevent some of the vulnerabilities in the authentication process.
Companies like LiveEnsure, which offer a true user experience with mobile authentication for the crowd in the cloud, providing multiple factors of trust from a single API, should be making the biggest change in this field.