With recent news about the EU’s second payment services directive (PSD2), there has been a lot of discussion on what PSD2 means and what it doesn’t mean, and what the different players in the PSD2 area can and cannot do. This blog posting comments on six statements related to PSD2 and two related to Skadi’s CreditWorthy service. The statements are inspired by the Taloussanomat article on account information services, published on Aug 20, 2019 (article in Finnish).
Through these statements, the posting also provides an overview of the key points of PSD2, as well as a detailed look at the business it enables.
1. PSD2 makes things worse
PSD2 may add extra authentication steps to making payments.
On the other hand, the above-mentioned extra steps increase information security. PSD2 also enables access to banking through companies other than banks, if the customer so wishes, and lowers the consumer’s liability in fraud cases to 50 euros.
With PSD2, customers can use their bank accounts through companies other than banks, too. Banks need to provide a customer’s account information, and enable payment initiation from the customer’s accounts, to other companies if the customer so wishes. This is enabled by creating special interfaces to these functions, and only these functions. In a way, this can be thought of as a very limited web channel to a few banking functions, which the customer can authorize (i.e. permit) a licensed company to access, using strong authentication provided by the bank. Licensing is controlled by the national financial supervisors in EU countries. For example, in Finland the Finnish Financial Supervisory Authority (FIN-FSA, Finanssivalvonta) has registered Skadi as an account information service provider (AISP).
In addition to AISPs, other key roles related to PSD2 are payment initiation service providers (PISPs), which are also new players like AISPs, and the traditional banks, which PSD2 calls account servicing payment service providers (ASPSPs).
With PSD2 in force, payment information is no longer stored in web shops; instead, payment is done directly from the bank account with strong authentication, like when paying from one’s account in a web bank. No cards are needed in the middle. This increases information security, as the customer always has control over what is done under her authorization related to her account. From the ease-of-use point of view, there may be additional steps in making payments or accessing account information compared to some existing services, as strong customer authentication requires a login-like action with almost every event. In early September 2019, it seems likely that strong customer authentication will not be immediately enforced, which means that web shops can continue to store payment card information for the time being.
Regarding account information services, the customer can, for example, have her bank account information collected from several banks by requesting an AISP to do so.
2. Bank account transactions become public information - external companies can access anyone’s accounts without a separate permission
Bank account transactions do not become public information, and no AISP or PISP will have access to accounts at will. AISPs get access to individual customers’ accounts, if authorized by the customer using strong authentication. This cannot be done without the customer, and the customer cannot do this by accidentally clicking something, because a normal bank authentication is required. The authorization information is stored by the bank and can be checked later if necessary.
Nobody will be able to authorize on behalf of someone else, and banks, AISPs or PISPs cannot authorize themselves to access a customer’s account or to make payments from it.
3. Now somebody can easily impersonate me and just give authorization to my bank account
The authorization is done by the customer, using strong authentication provided by the bank. The authorization information, including the customer’s identity, the number of payment accounts at the bank, etc., remains between the bank and the customer. Only information explicitly authorized is provided to the AISP or PISP. For example, an AISP will only get the transactions from the accounts that were authorized, but will not know whether the customer has more accounts at the bank, and a PISP will get permission to make a payment of a certain amount from a specific account to a specific other account, but will not be permitted to make other payments, or payments of other amounts.
Because the strong authentication, where identity is provided, remains between the bank and the customer, AISPs or PISPs will not even know whose bank accounts they are accessing – unless they separately identify the customer themselves. Many AISPs or PISPs may do this; Skadi’s CreditWorthy doesn’t – it just analyses the provided account transactions and provides a report on them, without knowing whose data is in question. The analysis and report are thus not connected to anyone’s identity, but the customer obviously knows her own identity.
Just knowing someone else’s account number or national ID number does not enable giving an authorization – a strong authentication using the bank’s authentication is required.
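To make the scoping described in statements 2 and 3 concrete (an AISP sees only the authorized accounts and learns nothing about other accounts; a PISP gets one exact, single-use payment; the bank keeps an audit trail of how each authorization was used), here is an added Python sketch of the bank-side check. It is an illustration written for this post, not Skadi’s code and not any bank’s real PSD2 interface; the consent ids and IBAN-like strings in the test are constructed, and the customer’s strong authentication is assumed to have happened before a consent is registered.

```python
# Simplified model of an ASPSP (bank) scoping PSD2 access to what the customer
# explicitly authorized. Added illustration only; not any bank's real interface.
from dataclasses import dataclass

@dataclass
class AccountConsent:  # AISP consent: read-only, listed accounts only
    consent_id: str
    accounts: frozenset  # IBANs the customer authorized (constructed values)

@dataclass
class PaymentConsent:  # PISP consent: one exact payment, usable once
    consent_id: str
    debtor: str
    creditor: str
    amount_cents: int
    used: bool = False

class Bank:
    """Holds consents given through the bank's own strong authentication (assumed
    to happen before register() is called) and an audit trail the customer can
    check later. Consents carry no customer identity; only account data flows out."""
    def __init__(self):
        self.account_consents = {}
        self.payment_consents = {}
        self.audit = []  # (consent_id, action, outcome)

    def _log(self, consent_id, action, ok):
        self.audit.append((consent_id, action, "allowed" if ok else "denied"))
        return ok

    def register(self, consent):
        store = (self.account_consents if isinstance(consent, AccountConsent)
                 else self.payment_consents)
        store[consent.consent_id] = consent

    def read_transactions(self, consent_id, iban):
        """AISP request: allowed only for an account named in the consent, so the
        AISP learns nothing about other accounts the customer may hold."""
        c = self.account_consents.get(consent_id)
        ok = c is not None and iban in c.accounts
        return self._log(consent_id, f"read {iban}", ok)

    def initiate_payment(self, consent_id, debtor, creditor, amount_cents):
        """PISP request: every field must match the consent, and it is single-use."""
        c = self.payment_consents.get(consent_id)
        ok = (c is not None and not c.used and c.debtor == debtor
              and c.creditor == creditor and c.amount_cents == amount_cents)
        if ok:
            c.used = True  # one-off authorization cannot be replayed
        return self._log(consent_id, f"pay {amount_cents} {debtor}->{creditor}", ok)
```

Each call returns whether the bank allowed it, and the audit list is the record the customer could later check with the bank.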
4. Banks have to report when my information has been given to AISPs or PISPs
Banks store the information about the authorizations the customer has given. Since the authorizations are made using strong authentication, the customer is aware of the authorization being made, and the authorization can be made only by the customer herself. Thus, banks need not separately tell the customer what was authorized, or when the authorization was used. The customer can, however, check with the AISP or PISP what was done, and with the bank what was authorized. When using AISPs or PISPs, the customer is in a contractual relationship with them, not with the bank. Also, the banks and AISPs/PISPs are not in a contractual relationship, since PSD2 requires that AISPs/PISPs be able to use the PSD2 interfaces without a contract.
5. I can get rid of this by moving my bank accounts abroad as other countries don’t implement PSD2
PSD2 applies in all EU countries.
6. I can analyze my account transactions myself in Excel
In many web banks, the customer can, for example, export her transactions to Excel and make calculations and classifications herself. Thus, anyone will be able to manually do the same thing as AISPs do, if willing to put in the effort.
7. Skadi sees the customer’s identity anyway even though it claims not to
Skadi does not identify CreditWorthy’s customers, and the authorization, where identity is used, remains between the customer and the bank. Other AISPs or PISPs may however identify the customer themselves, too.
After the customer has made the one-off authorization at the bank, the bank’s interface returns the account transactions, but not the customer’s identity, to Skadi. Skadi can only access the account information when authorized, and when the customer is present. Skadi provides the result of the account information analysis, a report, to the customer and not to the bank. The customer will obviously know whose report it is, but Skadi will not. Skadi just makes a report based on the data the bank’s interface provides.
8. Credit scoring is a purpose of Skadi’s business
Skadi has built CreditWorthy to demonstrate its capabilities in financial data analysis. Skadi’s capabilities can be applied by businesses in various data-intensive domains, including credit scoring, financial audits and gambling. All business related to account information nevertheless rests on the account owner’s authorization.