PSD2: How Cybersecurity Professionals Can Prepare For the New Banking Industry Regulation

The European Union (EU) will see the General Data Protection Regulation (GDPR) and Network and Information Security (NIS) Directive go into effect in May 2018. My colleagues have already discussed these regulations in a number of blog entries, so I won’t dwell much further here, but I would like to dive into the revised Payment Services Directive (PSD2), another regulation for the EU banking industry that will become effective on 13 January 2018.

Officially known as Directive (EU) 2015/2366, PSD2 will open payment markets for more competition, offering greater choices and better prices for consumers. In short, this will enable bank customers to use third-party providers to manage their finances. These TPPs will be able to build financial services on top of data from multiple banks. In the United Kingdom, there is an order for Open Banking that is aligned to the PSD2 in this regard.

TPPs will fall into two general categories:

• Account Information Service Providers (AISPs) will have access to the account information of bank customers and be able to aggregate and analyze this data for a holistic view.
• Payment Initiation Service Providers (PISPs) will make payments on behalf of users from any of their accounts held across multiple banks.

As TPPs will hold or process financial data, they will also face regulations to ensure appropriate measures are in place for security and confidentiality. As a case in point, the European Banking Authority (EBA) has a consultation paper open for comment through 7 August, 2017, that specifies guidelines to address security risks for payment service providers.

From the perspective of traditional EU banks, the PSD2 requires open access to their customers’ account data and payment infrastructure for authorized TPPs. This will be accomplished through the exposure of application programming interfaces (APIs) to TPPs. As TPPs proliferate or gain in popularity, banks can also expect more business-to-business (B2B) traffic in terms of the total number of connections and/or data volume. Their IT capacity planning process for the network perimeter will need to account for these demands.

By merely complying with the provisions of the PSD2, EU banks will face increased costs to securely enable TPP access to customer account information, increased competition for financial services and the potential loss of a channel for customer engagement. None of these can be viewed as positives by traditional banks. To combat this fate, EU banks may choose to become AISPs and/or PISPs as well. They can develop into aggregators of account information from other banks, initiate payments from those accounts and even offer additional tailored financial services based on a now-complete view of a customer’s finances. This puts them in a better position to compete with new TPPs using personalized services, remain relevant with their existing customer base, and even acquire new clients in the age of open banking in the EU.

With PSD2 just months away, cybersecurity professionals should approach this from one of a few angles based on where they reside.

• EU bank: Understand your institution’s approach to PSD2 (or Open Banking), i.e., another compliance exercise or a strategic initiative. Anticipate increased B2B traffic volume, especially if the goal is to become an AISP or PISP. Plan IT and security infrastructure accordingly to support the required API traffic and the protection of additional customer data obtained from other banks, if applicable.
• Non-bank TPP: Review and comment on the EBA consultation paper to shape the risk and security requirements that will be imposed upon payment service providers. Develop plans to meet the proposed EBA security guidelines in preparation of the final version of the regulations. With access to customer account information from multiple banks, TPPs will be obligated to take steps to securely handle this data.
• Non-EU financial services: Although the PSD2 applies primarily to EU institutions, it would be prudent to monitor Open Banking developments there in the event of similar regulatory actions in your own country or region.