Open Banking and PSD2 – Making Customers Safer and Happier
The introduction of Open Banking in the UK will transform banking as we know it. It is closely related to developments in other European countries which are anticipating the implementation of the upcoming European Union Payment Services Directive 2 (PSD2). The two regulations require that banks operating across the UK and EU expose standard open application programming interfaces (APIs) that enable their customers to securely share their account data with other banks and third-party providers (TPPs) once they’ve given their explicit consent. A novel approach is required to ensure security and fraud controls remain within risk appetite whilst ensuring fast, reliable service to customers. This approach will require an architecture which integrates data sources from various parts of the bank, specialized analytical tools, and teams enriched by experts who know the evolving threats and can take an agile approach to wielding innovative technologies.
PSD2 and Open Banking – Is an Introduction Needed?
By this point in time, every financial institution, consultant and software vendor operating in the European region has heard about the UK Open Banking initiative and the European Union’s Revised Payment Services Directive (PSD2). The common objective of both regulations is to increase competition in the banking and payments industry by mandating that banks open application programming interfaces (APIs) that allow third-party companies to access their customers’ data and to initiate payments on their behalf. The regulations aim to set robust standards of security and risk management, thus creating a safe and secure environment for consumers.
The Open Banking Standard
The Open Banking Standard is a part of a wider package of remedies set out by the UK Competition and Markets Authority (CMA) aimed at reforming the UK retail banking market. It is designed with similar considerations in mind as PSD2 – increasing competition and security by introducing third party providers in a controlled and secure way. HM Treasury has requested the Open Data Institute to develop a standard for the usage of data in banking ensuring privacy and security, and this standard was endorsed by the CMA.
The regulation requires that banks operating across the UK expose standard open application programming interfaces (APIs) that enable their customers to securely share their account data with other banks and third-party providers (TPPs) once they’ve given their explicit consent. UK banks are required to implement the Open Banking Standard starting January 2018, which is aligned with the upcoming PSD2 legislation. However, the Final Order released by the CMA on February 2nd, 2017, mandates the first stage of the Open Banking read-only data release in March 2017 and a maximum monthly charge on unarranged overdrafts coming into force in August 2017. Those are expected to be ‘silent releases’, meaning the banks would expose the information as required but not launch major publicity or education campaigns to bolster adoption – this is expected to happen later down the line, or in 2018, once the implementation of PSD2 and full-scale open banking is underway.
Crucially, timelines are not entirely fixed, although there seems to be a convergence around January 2018 as a critical milestone. For UK financial institutions, the transition is mandatory before 2018, as some elements of the Open Banking mandate must be implemented by March 2018. However, at present the European Commission (EC) has not formally endorsed the draft Regulatory Technical Standards (RTS), and the UK community is actively engaged in discussions around implementation timelines and constraints. Assuming EC endorsement happens in September 2017, the final date to implement the RTS will be February 2019.
Access to Accounts (XS2A) and Fraud Prevention
At the heart of both PSD2 and the Open Banking mandate is the ability granted to non-bank software companies (Third Party Providers, TPPs) to access accounts and customer data that so far have been safeguarded by banks’ security and fraud controls. The fundamental change in the banking model mandated by the Open Banking regulations reflects a shift to a new paradigm dubbed ‘Access to Accounts’ (XS2A). Whereas previously consumers could access their accounts and information only through their online banking portal or an app created and controlled by the bank, the regulator now mandates that other providers can obtain a license to access the same data. Fig 2 below depicts the change and the principal areas of focus from a fraud prevention perspective:
PSD2 and Open Banking introduce an important liability burden on banks as Account Servicing Payment Service Providers (ASPSPs). In the event of an unauthorized payment initiated via a TPP, the ASPSP is required to refund the customer immediately. There is an obligation on the TPP to immediately compensate the ASPSP where the former is liable, unless the TPP can prove that, within its sphere of competence, the payment was authenticated.
Banks implementing APIs and opening their infrastructure to TPPs under PSD2 / Open Banking face a new range of risks, requiring enhanced monitoring and new operational capabilities. Examples include:
- Open APIs and multiple channels of access to accounts provide a wider ‘surface area’ for fraud attacks.
- Many customers may no longer log on to the bank’s digital banking website at all, reducing the amount of relevant data available to fraud detection tools.
- Under PSD2, banks can block third-party access to accounts if they have evidence that the activity is unauthorized or fraudulent. This capability will need to be operational, and easy for the bank to exercise, by the time PSD2 comes into force.
Reconsidering Fraud Strategy
Providing a secure infrastructure to TPPs will be a major challenge for banks. To prevent fraud in real time, most banks use packaged software whose fraud scoring models are trained over a period of 18 to 24 months. Using similar software tools, once new transactions are introduced through TPPs, it will take around two years for the banks to generate scores reflecting the transaction risk. An innovative technology approach is required to mitigate the increased fraud risk in time.
As banks evaluate their current fraud controls, it emerges that any software solution deployed prior to PSD2 / Open Banking should be regarded as not fit for purpose, and should be reviewed and prioritized for enhancement, upgrade or replacement.
Cost Optimization Strategies for Fraud Prevention
The cost of compliance is becoming more important as banks undergo fundamental IT transformations as part of a drive toward readiness for PSD2 and Open Banking. Financial institutions wish to control the cost of transitioning to an improved fraud prevention capability, and to reduce the overhead of maintaining and constantly improving risk controls in view of spiraling security and fraud threats. At Matrix International Financial Services, our experience in planning and delivering hundreds of Financial Crime and Fraud prevention projects, based on market-leading vendor solutions, enables us to suggest several strategies for financial institutions to benefit from the Open Banking revolution while maintaining costs at acceptable levels. Our analysis shows that combining the methods below can result in a reduction of up to 90% of the Total Cost of Ownership of a Financial Crime prevention environment.
1. Creating a Data-Centric Financial Crime Architecture
2. Enhancing Fraud Prevention with Machine Learning
3. Automating Manual Processes
4. Leveraging Agile Distributed Expert Teams
1. Creating a Data-Centric Architecture
Traditionally, human-generated rule sets were the most prevalent approach in fraud management and continue to be in practice today. But the advancement in computing power and availability of big data over the last 5 years has put data in the center of how businesses identify and prevent fraud. As businesses continue to evolve and migrate to the Internet and as modern money is transacted electronically in an ever-growing cashless banking economy, commerce is increasingly becoming the business of big data science. Fortunately, this rapidly expanding universe of available data also enables modern fraud prevention methods such as artificial intelligence, making big data an inextricable component of today’s fraud management. To detect sophisticated and unknown risks, such as emerging fraud threats in an Open Banking world, a novel approach is required: our experience shows that the most meaningful anomalies hide in the rich, hyper-dimensional data, and in the intricate links inside multi-source data. This data should take a central position in any strategy that seeks to harness the benefits of Open Banking.
The importance of creating a data-centric architecture also lies in maximizing customer experience. Online-centric customer experience is all about removing friction from the payment process. With the introduction of the PSD2 requirements on Strong Customer Authentication (SCA), consumers and merchants will look for payment service providers who can help them offer Risk-Based Authentication (RBA) and avoid imposing SCA on good customers. That means that to stay competitive and attract commercial and private customers, financial institutions will require a fraud detection and transaction monitoring architecture that can leverage enormous amounts of data in a cost-efficient way.
A technology strategy that seeks to achieve a Data-Centric Architecture has two key components: Data Acquisition and Analytics Tool-sets. Underpinning this is a need for a dedicated Financial Crime data source (Data Warehouse or Data Lake).
By utilizing open-source technologies and existing vendor relationships, banks can reduce the costs of creating a Data-Centric Architecture. Once created, such an architecture will increase the bank’s competitiveness as a fast and secure provider of services. Furthermore, the data aggregated in the various data stores and the tooling developed can be re-purposed for achieving other revenue-generating goals, such as more targeted product offerings commensurate with a client’s monetary activity and risk profile.
2. Enhancing Fraud Prevention with Machine Learning
Machine Learning directly addresses many business challenges that are time-consuming and expensive. For example, manual reviews and false positives alone account for almost 40% of the total cost of fraud prevention. According to the LexisNexis “The True Cost of Fraud Prevention” study, businesses allocate as much as one-fourth of the costs dedicated to fraud prevention to manual review. Furthermore, new customer channels (e.g., mobile, social) and new products and business lines present new risk vectors – fraud through remote channels is up to 7 times as difficult to prevent as in-person fraud.
Common enterprise fraud prevention systems are known to require lengthy and expensive tuning cycles to achieve meaningful detection performance. It is possible to shorten tuning cycles and respond almost instantaneously to new fraud attack vectors by running a Machine Learning (ML) solution in proximity to the data sources that feed the legacy fraud system, such as relevant real-time feeds or data warehouse (DWH) tables. The ML solution can receive the data in various standard formats such as CSV file transfer or a REST API. In addition, the ML solution is equipped with an advanced data processing and data integrity module, further facilitating the processing of mass volumes of multi-source data and ensuring no lengthy and costly integration is required. The result of this analysis is then fed into the legacy fraud system and enhances its results.
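The two ideas above, Risk-Based Authentication that exempts low-risk payments from SCA and an ML-style anomaly score layered on top of a legacy rules engine, can be shown together in one small decision function. The following is an added illustration written for this article, not code from Matrix IFS or from any vendor product: the customer baselines, the rule weights, the anomaly score (a per-customer z-score of the payment amount) and the exempt/step-up/block thresholds are all constructed and hypothetical, and the actual exemption conditions defined in the PSD2 RTS are not modelled.

```python
"""Risk-based authentication (RBA) decision for TPP-initiated payments.

Constructed example: a legacy rule score is combined with a simple
per-customer anomaly score (z-score of the amount against the customer's
historical spend) to decide whether SCA can be skipped for a low-risk
payment, must be required, or whether the request should be blocked as
probable unauthorised activity. All data and thresholds are hypothetical.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Payment:
    customer_id: str
    tpp_id: str
    amount: float   # in the customer's account currency
    country: str    # country of the payee account
    hour: int       # local hour (0-23) at which the payment was initiated


# Constructed customer baselines: home country, TPPs the customer has already
# consented to, and recent payment amounts (what a DWH feed would supply).
BASELINES = {
    "cust-001": {"home": "GB", "known_tpps": {"tpp-budget"},
                 "history": [20.0, 35.0, 25.0, 30.0, 40.0, 28.0]},
    "cust-002": {"home": "DE", "known_tpps": {"tpp-pay"},
                 "history": [500.0, 450.0, 520.0, 480.0, 510.0]},
}

# Hypothetical legacy rules: (name, weight, predicate over payment and baseline).
LEGACY_RULES = (
    ("unknown_tpp", 30, lambda p, b: p.tpp_id not in b["known_tpps"]),
    ("foreign_payee", 20, lambda p, b: p.country != b["home"]),
    ("night_hours", 10, lambda p, b: p.hour < 6),
)


def legacy_rule_score(p, baseline):
    """Sum the weights of every rule that fires; returns (score, fired rule names)."""
    fired = [name for name, _, cond in LEGACY_RULES if cond(p, baseline)]
    score = sum(w for name, w, _ in LEGACY_RULES if name in fired)
    return score, fired


def amount_anomaly(p, baseline):
    """Z-score of the amount against the customer's history, clipped to [0, 5]."""
    hist = baseline["history"]
    mu, sigma = mean(hist), pstdev(hist)
    if sigma == 0:
        return 0.0 if p.amount <= mu else 5.0
    return max(0.0, min(5.0, (p.amount - mu) / sigma))


def combined_risk(p):
    """Blend legacy rules with the anomaly score into a 0-100 risk number."""
    baseline = BASELINES[p.customer_id]
    rule_score, fired = legacy_rule_score(p, baseline)
    z = amount_anomaly(p, baseline)
    ml_score = z * 10  # each standard deviation above normal adds 10 points
    return min(100.0, rule_score + ml_score), fired, z


# Hypothetical decision thresholds on the 0-100 risk number.
SCA_EXEMPT_BELOW = 20
BLOCK_AT_OR_ABOVE = 70


def decide(p):
    """Return 'exempt', 'sca_required' or 'block' together with the evidence."""
    risk, fired, z = combined_risk(p)
    if risk < SCA_EXEMPT_BELOW:
        verdict = "exempt"          # good customer, no SCA friction
    elif risk < BLOCK_AT_OR_ABOVE:
        verdict = "sca_required"    # step up to Strong Customer Authentication
    else:
        verdict = "block"           # evidence of unauthorised activity: refuse access
    return {"verdict": verdict, "risk": round(risk, 1),
            "rules": fired, "amount_z": round(z, 2)}


if __name__ == "__main__":
    # Constructed payments: a routine one, a clearly anomalous one, a borderline one.
    for pay in (Payment("cust-001", "tpp-budget", 32.0, "GB", 14),
                Payment("cust-001", "tpp-new", 950.0, "RO", 3),
                Payment("cust-002", "tpp-pay", 560.0, "FR", 11)):
        print(pay.customer_id, pay.tpp_id, decide(pay))
```

The three verdicts map onto the operational needs described in this article: the exempt path is what RBA buys a bank competing on frictionless payments, the step-up path keeps SCA for the uncertain middle, and the block path is the PSD2 right to refuse TPP access when there is evidence of fraud. In a real deployment the anomaly score would come from a trained model rather than a z-score and the evidence returned alongside the verdict would be logged for the liability dispute process between ASPSP and TPP.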
3. Automating Manual Processes – Robotic Process Automation
Over the past decade, financial service firms have been tasked with addressing an increased regulatory burden while still working within the constraints of operational spending. Traditional firms have built large Financial Crime and Compliance operations that are continuously under pressure to cater for new regulations and threats. PSD2 and Open Banking will continue this trend, thus exacerbating the need to reduce labor-intensive tasks as much as possible. Our analysis shows that a significant amount of time is spent gathering data and information from systems outside of Financial Crime investigation tools, for both the alert review and case review cycles. Typical manual processes include querying transaction systems, external data aggregators and internal fraud systems, and in some instances capturing ‘screenshots’ and entering data into spreadsheets. Fraud Operations and investigation efficiency gains can be made by automating research activities through Robotic Process Automation (RPA). Automating the steps required to analyze information in external systems, along with the process of gathering data to support a case, will significantly improve investigator productivity by at least 50%.
4. Leveraging Agile Distributed Expert Teams
One of the biggest obstacles to making the most of innovative technologies such as Machine Learning is the cost of the human element. Data science knowledge, plus the amount of time and data needed to create models, are beyond the reach of many risk teams. Data scientists who work in a fraud prevention environment need to understand financial services and payments, fraud methods of operation, as well as many different data manipulation tools such as R, Weka, Python, DBMS, NoSQL data stores, Hadoop jobs, streaming systems and more. It is challenging to evolve profiles and models to reflect the ever-changing nature of business, e.g. some companies deploy 1-year old models that were trained using 2-year old data. Furthermore, increased capacity to process big data creates an inherent tendency towards including irrelevant data. Machines lack common sense, so humans are still needed to supervise and filter the data. Attracting and retaining skilled employees to meet the frequent changes in compliance and financial crime risks remains a challenge for most financial institutions due to the highly competitive market for talent.
The process of authoring the PSD2 and Open Banking standards has seen extensive debate and even resistance from some banks. The gap between the current and target data infrastructures required to comply with the regulator’s expectations in a way that protects the banks’ business models and maintains customer safety and satisfaction has led some institutions to focus on what is ‘good enough’, rather than on what good looks like.
While some institutions continue to resist the openness that the new regulations represent, frequently citing cyber security, fraud risks and customer data privacy as concerns, other institutions are speeding ahead by recognizing the opportunity and taking this dual threat head on.
The institutions that turn this dual threat into opportunities for digital transformation will out-compete the institutions that resist. The migration toward APIs, data-centric enterprise architecture, and the combination of machine learning, agile practices and process automation had started disrupting the financial industry even before Open Banking and PSD2 came into existence. Now, facing regulatory attention and encouragement, is the time to act for financial institutions wishing to benefit from new and reduced costs of fighting financial crime. Those reduced costs result from the increasing maturity of emerging technologies and the accumulation of domain expertise at consulting and delivery firms such as Matrix IFS.
Written by: Yair Samban, VP, Compliance and Fraud Services – EMEA, Matrix-IFS