Last updated: 29 June 2017
You don’t need me to tell you that the Financial Services market is in the middle of a revolution, and this is down to both technology and regulations. The European Commission’s revised Payment Services Directive (PSD2) represents a broad sweep of financial services sector regulations that will come into force next year. I recently spoke at the landmark event Money2020 Europe about how it impacts one key aspect of the industry, “security and online access”, and wanted to share some thoughts here.
First, I would mention that of course regulation in this context is simply keeping up with the market need. We have seen a sharp rise in cyberattacks and breaches, and the financial services sector is a particularly hot target given the assets it holds – last year, our Breach Level Index captured over a billion records compromised worldwide. And when Gemalto conducted a recent survey of 11,000 digital and mobile banking consumers across 14 markets, we found that 44% would switch banks if theirs was breached. So, regulation calling for greater security and control is, in general, a sensible move in line with what the market is doing anyway.
Beyond the technical complexity of deploying greater security, the challenge here is really about finding a way to secure these services that does not diminish the consumer experience. Financial service providers cannot sacrifice convenience in order to deliver robust security that complies with necessary regulations. If they do, they’ll find that their customers are looking for alternate ways to manage their funds. In fact, in that same survey almost 40% also said they would leave their bank if another provider offered a better service or rates. Not an insignificant result.
There are already a growing number of young people who bypass the traditional financial institutions, and instead transact exclusively via PayPal or Bitcoin or some other disruptive mechanism. If it becomes too difficult, no matter how good or valuable the underlying service is, people won’t use it.
At the same time, financial service providers are also confronted with a fragmented mobile market – especially when it comes to security matters. When faced with multiple device makers, two dominant operating systems and millions of app developers it takes a lot of effort to secure mobile services.
The key to unlocking this opportunity
There are a number of ways in which we can tackle this issue of balancing security with convenience. And it really is a balancing act, with the whole trade-off being based on a risk analysis. Historically, banks and other service providers would do this for the service itself, but every user is different, and therefore security should ideally be linked to their individual behavior within a unique user session. A static security scheme for financial services apps has never been desirable, and will soon become impossible. The market is changing too quickly with new technologies, evolving threats and, of course, regulations, meaning that authentication needs to be more closely linked to the evolving security landscape.
Using machine learning to create personalized authentication scenarios – Machine learning and artificial intelligence routines can be used to develop personalized authentication profiles for individuals. For example, if it’d be unusual for you to be using your credit card in Ho Chi Minh City at midday on a Tuesday, then it might flag up a second or third level authentication check to permit the payment. But if the card had been authenticated to purchase plane tickets to Vietnam and you last used the card at Heathrow airport to buy a coffee, then perhaps it wouldn’t require it.
In essence, we are talking about using machine learning to create a personalized risk assessment for each individual, with each authentication need. For example, if everything looks OK for this person at this moment in time with this transaction, then the customer will need to do less to be authenticated. However, if it’s an unusual amount, time of day, payee, or some other factor linked to that individual, then it can dynamically trigger the need for a secondary or tertiary authentication measure. The higher the risk identified for the transaction, the more authentication steps will be required.
Using biometrics as a key part of the multi-factor authentication mix – I’ve written previously about the promise of biometric technology as a means of authenticating identity; of course in this space biometrics must be part of a broader multi-factor set of authentication credentials. By this I mean it can play the role of “something you are”, and then you need “something you know” – a passphrase, for example – and “something you have”, like a physical token. For many relatively low-value transactions, it may well be that a simple biometric reading alone would be sufficient, but if you hit certain thresholds you might trigger a second factor.
The convenience of the biometric credential overcomes the inconvenience that any kind of identity check might otherwise represent. And of course the more advanced biometrics becomes, the less intrusive it’ll feel, to the point where you yourself might provide multiple biometric markers for increased security without having to do more than brush your thumb across a screen.
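The adaptive scheme described in the two points above, sketched as an added example that is not from the original post or from Gemalto: each transaction is scored against that user's own history, and the score decides how many factors are requested. A simple per-user statistical baseline stands in for the machine-learning model, and the weights, thresholds and field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class Txn:
    amount: float
    hour: int        # local hour of day, 0-23
    country: str
    payee: str

@dataclass
class Profile:
    history: list                                      # this user's past Txn objects
    expected_travel: set = field(default_factory=set)  # e.g. set by a flight purchase

def hour_gap(a: int, b: int) -> int:
    return min(abs(a - b), 24 - abs(a - b))            # circular: 23h and 1h are 2 apart

def risk_score(p: Profile, t: Txn) -> float:
    """Score 0..1 from how far t departs from this user's own behaviour."""
    if not p.history:                                  # no baseline yet: treat as highest risk
        return 1.0
    amounts = [h.amount for h in p.history]
    mu, sigma = mean(amounts), pstdev(amounts) or 1.0
    score = 0.0
    if (t.amount - mu) / sigma > 3:                    # unusual amount for this user
        score += 0.35
    if all(hour_gap(t.hour, h.hour) > 3 for h in p.history):  # unusual time of day
        score += 0.15
    if t.payee not in {h.payee for h in p.history}:    # payee never seen before
        score += 0.15
    if t.country not in {h.country for h in p.history} | p.expected_travel:
        score += 0.35                                  # location not explained by context
    return round(score, 2)

def required_factors(score: float) -> list:
    """Higher risk, more steps: something you are, then have, then know."""
    steps = [(0.0, "biometric"), (0.3, "token"), (0.6, "passphrase")]
    return [name for floor, name in steps if score >= floor]

# Constructed sample data: a UK cardholder with small daytime purchases.
HISTORY = [Txn(4.5, 8, "GB", "coffee-shop"), Txn(32.0, 13, "GB", "grocer"),
           Txn(18.0, 12, "GB", "grocer"), Txn(6.0, 9, "GB", "coffee-shop")]
HCMC = Txn(40.0, 12, "VN", "restaurant")               # midday spend in Ho Chi Minh City

def demo():
    """Same payment, with and without the flight purchase as context."""
    return (required_factors(risk_score(Profile(HISTORY), HCMC)),
            required_factors(risk_score(Profile(HISTORY, {"VN"}), HCMC)))
```
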
PSD2: unlocking fintech innovation
This is where the opportunity for innovation in the sector lies. By using these mechanisms to create a new set of customer experiences that is more secure without a cost in convenience or customer experience, banks can start to differentiate. And of course, it goes without saying that the fintech start-ups are already making an effort in this vein, using real-time transaction data to build up a careful profile of each customer and offering other, secure, transaction options to customers.
Few in the industry welcome regulation with genuinely open arms; it tends to mean significant levels of investment, changing processes and cost and complexity. In this case, however, I do believe it is where the industry is going anyway… but the devil will be in the detail. Those who can use PSD2 as a catalyst for innovation, rather than a scapegoat for customer inconvenience, will find they forge a bright future for themselves and their customers.
This post can also be found on Philippe Vallée’s LinkedIn profile.