Strong Authentication in Open Banking and PSD2: two sides of the same coin?


Listening to payment experts today, it would be easy to think that Open Banking has elbowed out PSD2. Companies providing services for Open Banking are popping up like weeds. Many events are themed around Open Banking. And the focus is on trust and security. Does this mean Open Banking is the next hot topic for authentication providers? 

The underlying question is whether Open Banking and PSD2 are fundamentally different or extensions of the same ideas. It is important to understand the core difference between the two: PSD2 is a regulation that applies to all payment account providers in the European Union, while Open Banking is a mandatory ruling imposed on the large banks in the UK and applies to current accounts only.

PSD2 and Open Banking both introduced third-party access to bank accounts and made new payment initiation services possible. But while Open Banking demands standardised, pre-defined APIs (Application Programming Interfaces), PSD2 leaves the standardisation up to the market players.

One might say: PSD2 is the framework regulating initiatives like Open Banking—but Open Banking can exist without PSD2. 

So what does this mean for authentication? PSD2 has created a whole new market of authentication solutions, because it defines which authentication is acceptable and secure, and when it is required, through its introduction of Strong Customer Authentication (SCA) as a standard. SCA defines which knowledge, possession and inherence factors are valid, and the exemptions under which SCA can be waived. This creates a new market in which new technologies and services drive innovation.

Open Banking, however, does not focus on the safety and security of consumers' banking activity. Its goal is to break down competition barriers. To put it boldly: Open Banking doesn't care about authentication.

In that case, how can the bank trust the action request from a fintech? How can the fintech prove that the request to a bank is genuine? And how can the bank know that the rightful account owner triggered the request?

All perfectly logical questions, and all questions keeping the bank's compliance and risk managers up at night. Probably the marketing team too. After all, as a fintech, you need to convince your consumers that you can be trusted and will protect them against fraud. According to a global survey from Mambu, 48% of consumers claim they are 'scared' of open banking, and 53% still believe that it is a dangerous use of data sharing.

Encap SCA brings confidence to all parties involved

Here PSD2 comes to the rescue. The PSD2 framework writes the rules for trust between banks, consumers and fintechs. To establish trust and exchange data between parties, SCA is both needed and available. Adding SCA to the equation ensures that the consumer is the one initiating the request, and because SCA is well defined by PSD2 and understood by all parties, banks can trust that the fintech has checked the boxes.

Encap SCA, a proven, banking-grade authentication solution since 2006, supports business cases initiated by the Open Banking and PSD2 ecosystem. Encap SCA verifies consumer consent for access to accounts (X2A) and protects transactions using SCA and dynamic linking, so that the authentication code is bound to the specific amount and payee the consumer approved. Third-party mobile apps using Encap SCA provide a trusted authentication method to consumers, banks and fintechs. Encap SCA brings confidence to all parties involved. And there is more. Another initiative made possible by PSD2 is 3DS Delegated Authentication. 3DS Delegated Authentication offers consumers a seamless journey, and payment initiators gain new commercial possibilities, all made possible with Encap SCA.
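The dynamic linking mentioned above is the part of SCA that ties an authentication code to the transaction the payer actually saw. The following is an added illustration, not Encap's code or any description of how Encap SCA is implemented: it assumes a per-device key provisioned at enrolment (a constructed HMAC secret shared with a hypothetical `Bank` class; real deployments typically use a per-device asymmetric key), computes a code over the amount, currency, payee and a single-use challenge, and shows that changing the amount or payee, or replaying an accepted code, causes verification to fail.

```python
import hashlib
import hmac
import json
import secrets
from decimal import Decimal

# Constructed example key. In practice each enrolled device holds its own
# (normally asymmetric) key; an HMAC shared secret is used here for brevity.
DEVICE_KEY = bytes.fromhex("0123456789abcdef" * 4)


def canonical_transaction(amount: str, currency: str, payee: str, challenge: str) -> bytes:
    """Serialise exactly the fields shown to the payer, in a fixed order,
    so that the device and the bank hash identical bytes."""
    # Normalising the amount stops "100.0" and "100.00" producing different codes.
    amount_norm = str(Decimal(amount).quantize(Decimal("0.01")))
    fields = {"amount": amount_norm, "currency": currency, "payee": payee, "challenge": challenge}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def device_generate_code(key: bytes, amount: str, currency: str, payee: str, challenge: str) -> str:
    """Run on the payer's device after the user has seen amount and payee and
    unlocked the key with a second factor (PIN or biometric)."""
    msg = canonical_transaction(amount, currency, payee, challenge)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Bank:
    """Hypothetical verifier: issues single-use challenges and checks linked codes."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys  # device_id -> key
        self.pending = {}               # outstanding challenge -> device_id

    def issue_challenge(self, device_id: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[challenge] = device_id
        return challenge

    def verify(self, device_id: str, amount: str, currency: str, payee: str,
               challenge: str, code: str) -> bool:
        # A challenge is consumed on first use, whatever the outcome, so an
        # accepted (or failed) code can never be presented a second time.
        if self.pending.pop(challenge, None) != device_id:
            return False
        expected = device_generate_code(self.device_keys[device_id], amount, currency, payee, challenge)
        return hmac.compare_digest(expected, code)


def run_scenario(bank: Bank, device_id: str, key: bytes, signed: tuple, presented: tuple) -> bool:
    """The device signs `signed`; the bank is asked to approve `presented`."""
    challenge = bank.issue_challenge(device_id)
    code = device_generate_code(key, *signed, challenge)
    return bank.verify(device_id, *presented, challenge, code)


def demo() -> dict:
    bank = Bank({"device-1": DEVICE_KEY})
    approved = ("100.00", "EUR", "GB00PAYEE")  # constructed sample transaction
    results = {
        "genuine": run_scenario(bank, "device-1", DEVICE_KEY, approved, approved),
        "amount_changed": run_scenario(bank, "device-1", DEVICE_KEY, approved, ("1000.00", "EUR", "GB00PAYEE")),
        "payee_changed": run_scenario(bank, "device-1", DEVICE_KEY, approved, ("100.00", "EUR", "GB00OTHER")),
        # Same value, different formatting: canonicalisation makes this verify.
        "amount_reformatted": run_scenario(bank, "device-1", DEVICE_KEY, approved, ("100.0", "EUR", "GB00PAYEE")),
    }
    # Replay: present an already accepted challenge and code a second time.
    challenge = bank.issue_challenge("device-1")
    code = device_generate_code(DEVICE_KEY, *approved, challenge)
    results["replay_first_use"] = bank.verify("device-1", *approved, challenge, code)
    results["replay_second_use"] = bank.verify("device-1", *approved, challenge, code)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

The point to take from the scenarios is that a code is only as useful as the bytes it covers: if the amount or payee is not in the signed message, or if a challenge can be reused, the "linking" is dynamic in name only.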

Written by
Wido Beekman