Open banking and Strong Customer Authentication: learn more in this article.
Jack Dorsey is the CEO of Twitter. This summer, his name was in the headlines for an unpleasant event: his personal account was hacked and used to spread offensive and racist tweets online.
It took several hours to solve the problem and make the necessary checks. As a result of these events – a similar event had already occurred in 2016 – the platform said it wanted to launch a serious security campaign, to reduce attacks of this type, and prevent the publication of inappropriate content.
Another hacker attack caused a sensation this summer: the attack on the security firewalls of loan and credit card giant, Capital One Financial. The attack resulted in a massive breach of customer data—more than 100 million US and more than 6 million Canadian customers’ personal data was affected. The damage to the bank was estimated at between $100 million and $150 million from multiple customer notifications, enhanced credit monitoring and, naturally, legal assistance. This doesn’t include the expenses related to remedy the flaws in the security system that made the attack possible in the first place.
Obviously, the case of Capital One is not an isolated one. Unicredit, the Italian banking giant, was recently the victim of a computer attack which involved the personal data of 400,000 Italian customers with personal loans. Although no data that would allow access to customers’ current accounts or unauthorized transactions was acquired (passwords, personal data or iban codes for example) the infringement revealed a certain fragility of the security systems implemented by Italian and foreign banking institutions.
These cases are certainly not intended to be a cause for concern or dissuade the reader from using digital tools.
On the contrary, they represent the starting point for a reflection on the importance of cybersecurity for any type of activity that takes place on the web. This is an issue that must be addressed systematically in order to guarantee more pervasive and effective security measures, especially when sensitive information such as citizens’ personal or banking data is involved.
On the other hand, it is not enough for a single credit institution or a single company to implement an effective, top of the line defence software, since none of these subjects are a “closed system” that works in a totally isolated way.
On the contrary, digital technologies are increasingly pushing organizations to develop more widespread, horizontal security models where more parties take part, sharing competencies, platforms, and information. This is along the lines of Blockchain, the innovative shared registry technology that facilitates the processes of recording transactions and tracing assets through a network of blocks to which a limited number of validators have access.
With the approval and entry into force of European Directive no. 2366/2015 (PSD2) on September 14, 2019, even the European legislator seems to have accepted the need for systematic action to ensure security in the online payments sector.
This is all the more so if we consider that one of the aims of PSD2 is to transform the European banking market into an Open Banking area by providing for the inclusion of new parties who were formally excluded before today.
What is open banking?
The term Open Banking refers to the collaborative model between several players within the financial market outlined by European Directive 2366/2015.
It establishes that all credit institutions have the obligation to be open to third-party providers who are authorized to provide financial services previously provided exclusively by banks. This is via APIs, the set of functions and procedures that allow any application to access data and / or the audience and functionality of other digital services.
In essence, this means that banks operating in Europe lose their monopoly on the financial data of their customers, who will be able to decide to manage and monitor their current accounts by turning to companies other than traditional credit institutions.
While this will widely benefit customers, it is undeniable that this opening of the market puts the issue of security even more at the forefront.
Obviously, the presence of more financial services providers will increase competition, significantly reducing costs for consumers and giving great impetus to traditional banks to digitize and implement innovative solutions capable of meeting the needs of customers and make these institutions more competitive.
At the same time, however, it could take the risk of attacks more widespread, since more people will have access to sensitive data and information. For this reason, the PSD2 provides a series of important innovations related to security and customer protection to prevent fraud and violations such as those indicated at the beginning of the article.
Security X3: Strong Customer Authentication in the open banking
The European Directive provides, as one of its most important measures, the mandatory introduction of Strong Customer Authentication (SCA) for those who provide online payment services, since the classic authorization process based on the insertion of a username and password is no longer appropriate.
The Strong Customer Authentication provides the two-factor authentication system, which requires two steps or a double authentication factor in order to make it more difficult to steal credentials and more secure verification of the user’s identity.
In particular, PSD2 establishes that SCA requires at least two of these three elements:
- an element of knowledge, which is something that only the customer knows and can be a code or a password, for example;
- an element of possession, exploiting something that the user has in his immediate availability, such as a token or badge, a smartphone, or any other mobile device;
- a biometric element that concerns the physical characteristics of the user himself. In general, specific and identifying attributes are used, such as fingerprints or facial or voice recognition. More rarely, but also included in the category are biometric behavioral parameters or a retina scan.
Therefore, starting from September 14 of this year, any user who wants to make online payments or money transfers using digital services offered by banks or TTP, will have to meet the authentication requirements by providing two of the elements listed above.
This innovation will necessarily have a significant impact on the customer journey of users who will see fewer intermediaries but increase the steps required to perform certain operations.
This has caused a great deal of concern to e-commerce or digital payment services providers in general, who on the one hand must analyze and possibly review the customer experience offered and on the other, fear that the additional steps required by the Directive may have a negative impact on the overall business.
According to a study from Stripe, a digital platform for corporate financial management, there is a risk of losses in terms of missed purchases, which could reach €57 billion.
Customers may perceive Strong Customer Authentication as difficult, and this risks increasing the probability of users abandoning the purchase, a problem, among other things, particularly felt among operators in the e-commerce sector.
The market needs confidence
Despite this, the SCA seems more necessary than ever, even in light of market trends.
According to the B2C eCommerce Observatory of the Italian university, the Politecnico di Milano, which monitors the performance of the sector, online purchases in 2018 showed a marked increase over the previous year. The total value of the market exceeded €27 billion, with an impressive growth of 16%. Online product purchases reached €15 billion, marking a 25% increase compared to 2017. Purchases of services reached €12 billion, growing by 6%. The areas that have shown the best performance are information technology and consumer electronics (€4.6 billion and growth of +18%), followed by clothing (€2.9 billion and +20%) and furniture (with €1.4 billion and +53%). As far as services are concerned, tourism dominated, reaching about €10 billion, with growth of 6%.
Despite this, there is still a sense of insecurity among many consumers in making online purchases, also because of news such as those reported above.
For this reason, the SCA is a welcome addition as a mandatory condition of every purchase: it is essential to provide solutions that reassure consumers and give them confidence in e-commerce tools.
Better communication for a greater safety in the open banking
Obviously, this issue can and must be resolved as effectively as possible.
Among other things, there is time to do so, given that on August 1, 2019, the Bank of Italy issued a press release stating its intention to grant an extension period that will move the obligation to comply with the new legislation beyond September 14.
The European Banking Authority has given the national authorities the possibility of granting further time, compared to 14 September and therefore the Bank of Italy considered that a gradual migration could greatly reduce the risks of inefficiencies in online card payments.
This extension period will be limited and will depend on the maximum period that the EBA will communicate. In any case, those who have time cannot and must not waste it.
It is now more necessary than ever to communicate these changes clearly and precisely to users, explaining the benefits that this legislation will bring. In doing so, however, it must be borne in mind that this is a complex matter that is not easy to communicate: choosing the right medium is essential.
From this point of view, Poste Italiane represents a virtuous example to follow.
A successful case study: the case of the Italian postal service
With the advent of PSD2, the Italian postal service, Poste Italiane, has adapted to the new provisions, setting itself specific internal objectives that would allow it to comply with the Directive.
These include maintaining a high level of security for customers, as well as ensuring maximum transparency. This means helping them become familiar with the new SCA and also providing consumers with all the necessary information to make the Directive 2366/2015 intelligible and, therefore, make the changes understandable.
To do this, Poste Italiane has provided a specific section of its website dedicated to PSD2, explaining the advantages and changes that it brings, and has also included a video tutorial to show the various steps for SCA authentication.
The choice of video was strategic to make technical content more easily usable, and at the same time, to be sure that all important information is correctly conveyed.
A simple video would not have been enough to achieve these goals. For this reason, Poste Italiane has used collaboration with Doxee, a partner with great experience in the creation of engaging video content. Doxee created a video with specific features to help Poste Italiane pursue its objectives of clarity and effectiveness.
First of all, the video was made interactive by inserting text, images, and audio that explain all the steps to follow, guiding the viewer from start to finish.
Secondly, the presence of special call-to-action clicks directly inside the video was inserted to allow users to navigate through the various choices and follow the explanations and the relevant steps.
Thanks to these characteristics, Poste Italiane was able to provide a truly effective service that engaged and encouraged action from its customers.
Moreover, Doxee Pvideo® is the ideal solution to create business content that is consistent with the expectations of users, who are at the center of a surprising and innovative customer experience, that adapts perfectly to their needs, and that provides them with the ability to independently choose the content to be enjoyed.
This obviously increases the number of users who view all of of the video content and who respond to the CTAs inserted, also thanks to the fact that it is not necessary to leave the video to perform certain operations (which is a good thing, given that video content of this type is mainly used by mobile).
In this way, with a single digital solution, Doxee Pvideo®, each company can work on different KPIs, such as awareness and conversion, and improve the company’s reputation among customers, who will perceive them as more attentive and in step with the most innovative technologies.