With the emergence of a plethora of significant new market players, including fintech start-ups, established payment, technology, and information firms, telecoms, and other providers, the financial services market is in the middle of a revolution, and this is down to both technology and regulation. How financial services incumbents will fare is far from settled, and incumbents looking to grow shareholder value will need to build and sustain new competitive advantages.
The European Commission’s revised Payment Services Directive (PSD2) represents a broad sweep of financial services sector regulations that will come into force next year. In summary, PSD2 creates the opportunity for digital actors to link directly into payment systems via APIs. The regulation will require that banks provide these APIs so that third-party service providers will be able to directly access customers’ accounts. Despite being focused on the European banking sector, this new directive is bound to bear significance for the South African banks that have a local presence in the European Union. Even more important is the potential this has for ushering in a new generation of companies that can offer banking services directly to customers, and the innovative impact this could have across the globe. But what do these regulations mean for an already broadly reordered marketplace?
Why regulate anyway?
First, it is important to mention that of course regulation in this context is simply keeping up with the market need. We have seen a sharp rise in cyberattacks and breaches, and the financial services sector is a particularly hot target given the assets it holds – last year, our Breach Level Index captured over a billion records compromised worldwide. And when Gemalto conducted a recent survey of 11,000 digital and mobile banking consumers across 14 markets, we found that 44% would switch banks if theirs was breached. So, regulation calling for greater security and control is, in general, a sensible move in line with what the market is doing anyway.
Beyond the technical complexity of deploying greater security, the challenge here is really about finding a way to secure these services that does not diminish the consumer experience. Financial service providers cannot sacrifice convenience in order to deliver robust security that complies with necessary regulations. If they do, they’ll find that their customers are looking for alternate ways to manage their funds. In fact, in that same survey almost 40% also said they would leave their bank if another provider offered a better service or rates. Not an insignificant result.
The power of the millennial consumer
There are already a growing number of young people who bypass the traditional financial institutions, and instead transact exclusively via PayPal or Bitcoin or some other disruptive mechanism. If a service becomes too difficult to use, no matter how good or valuable it is underneath, people won’t use it.
At the same time, financial service providers are also confronted with a fragmented mobile market – especially when it comes to security matters. When faced with multiple device makers, two dominant operating systems and millions of app developers, it takes a lot of effort to secure mobile services.
The key to unlocking this opportunity
There are a number of ways in which we can tackle this issue of balancing security with convenience. And it really is a balancing act with the whole trade-off being based on a risk analysis. Historically, banks and other service providers would do this for the service itself, but every user is different and therefore, security should ideally be linked to their individual behaviour within a unique user session.
A static security scheme for financial services apps has never been desirable, and will soon become impossible. The market is changing too quickly with new technologies, evolving threats and, of course, regulations meaning that authentication needs to be more closely linked to the evolving security landscape.
Using machine learning to create personalised authentication scenarios
Machine learning and artificial intelligence routines can be used to develop personalized authentication profiles for individuals. What we are talking about in essence is using machine learning to create a personalized risk assessment for each individual, with each authentication need. For example, if everything looks OK for this person at this moment in time with this transaction, then the customer will need to do less to be authenticated.
However, if it’s an unusual amount, time of day, payee, or some other factor linked to that individual, then it can dynamically trigger the need for a secondary or tertiary authentication measure. The higher the risk identified for the transaction, the more authentication steps will be required.
Using biometrics as a key part of the multi-factor authentication mix
Biometric technology as a means of authenticating identity is on the rise and of course in this space, biometrics must be part of a broader multi-factor set of authentication credentials. By this we mean that it can play the role of “something you are”, and then you need “something you know” – a passphrase, for example – and “something you have”, like a physical token. For many relatively low-value transactions, it may well be that a simple biometric reading alone would be sufficient, but if you hit certain thresholds you might trigger a second factor.
The convenience of the biometric credential overcomes the inconvenience that any kind of identity check might otherwise represent. And of course the more advanced biometrics becomes, the less intrusive it’ll feel, to the point where you yourself might provide multiple biometric markers for increased security without having to do more than brush your thumb across a screen.
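The step-up logic described in the two sections above (unusual amount, time of day or payee raises the number of factors; a low-value, normal-looking payment needs only the biometric) can be sketched as follows. This is an added example, not code from the article or from Gemalto: a simple statistical baseline stands in for the machine-learning model, and the threshold, factor order, names and sample profile are all assumptions.

```python
from statistics import mean, pstdev
from typing import NamedTuple

LOW_VALUE_LIMIT = 50.0  # assumed threshold, not taken from the article or PSD2
FACTORS = ["biometric", "passphrase", "token"]  # you are / you know / you have

class Profile(NamedTuple):
    """Per-customer history; the values used below are constructed."""
    amounts: list
    usual_hours: set
    known_payees: set

class Txn(NamedTuple):
    amount: float
    hour: int
    payee: str

def risk_score(p: Profile, t: Txn) -> int:
    """One point per unusual signal: amount, time of day, payee (0..3)."""
    if not p.amounts:
        # No history to compare against: fail closed and treat as unusual.
        unusual_amount = True
    else:
        mu, sigma = mean(p.amounts), pstdev(p.amounts)
        # One-sided test: only amounts well above the customer's norm add risk.
        unusual_amount = t.amount - mu > 3 * sigma
    unusual_hour = t.hour not in p.usual_hours
    unusual_payee = t.payee not in p.known_payees
    return int(unusual_amount) + int(unusual_hour) + int(unusual_payee)

def required_factors(p: Profile, t: Txn) -> list:
    """Map the risk score to the authentication factors to request."""
    score = risk_score(p, t)
    if score == 0 and t.amount <= LOW_VALUE_LIMIT:
        n = 1   # low value and nothing unusual: biometric alone
    elif score <= 1:
        n = 2   # above the low-value limit, or one unusual signal
    else:
        n = 3   # several unusual signals: all three factors
    return FACTORS[:n]

# Constructed sample customer: small daytime payments to two known payees.
ALICE = Profile([20, 25, 30, 22, 28], set(range(8, 21)), {"grocer", "landlord"})

if __name__ == "__main__":
    for txn in (Txn(24, 12, "grocer"), Txn(30, 12, "new-shop"), Txn(900, 3, "new-shop")):
        print(txn, "->", required_factors(ALICE, txn))
```

A customer with no history scores the maximum on every signal, so a new account always gets the full step-up until a baseline exists.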
Open banking: unlocking fintech innovation
This is where the opportunity for innovation in the sector lies. By using these mechanisms to create a new set of customer experiences that are not just more secure but come at no cost in convenience or customer experience, banks can start to differentiate.
And of course, it goes without saying that the fintech start-ups are already making an effort in this vein, using real-time transaction data to build up a careful profile of each customer and offering other, secure, transaction options to customers.
Few in the industry welcome regulation with genuinely open arms; it tends to mean significant levels of investment, changing processes and cost and complexity. In this case, however, I do believe it is where the industry is going anyway… but the devil will be in the detail. Those who can use PSD2 as a catalyst for innovation, rather than a scapegoat for customer inconvenience, will find they forge a bright future for themselves and their customers.
By Marwan Elnakat – Digital Banking Solutions Manager for Africa & Middle East at Gemalto