Why collaboration and partnerships will beat the fraudsters in open banking
It’s no surprise that one of the bigger concerns we hear from financial institutions across Europe about open banking is fraud and loss, especially as volumes are now growing. Having to verify the regulatory status of every third-party provider (TPP) requesting access to customers’ payment accounts, while monitoring for indications of fraud for each individual request, many financial institutions are facing significant complexity in trying to manage risk.
Having been at the heart of open banking since the start, we have found it refreshing to see so many financial institutions now embracing open banking. But banks also have to deal with the reality that third-party providers, with whom they often have no prior relationship and no requirement to establish a contractual agreement, want to access their customers’ accounts.
End users, to a certain extent, are protected by the Second Payments Directive (PSD2) — if they lose money through an open banking transaction, their bank is obliged to pay them back. But this means the challenge and the risk sit with the financial institution.
It’s therefore important for banks to make sure they are dealing with legitimate and regulated TPPs to determine whether a transaction should be processed or not. With the number of TPPs rising, this is no small feat. According to data published recently by Mastercard and Konsentus, as of 31 March 2020, a total of 279 third parties were registered with a National Competent Authority in Europe.
While the UK leads Europe with 129 or 46% of ‘home’ registrations, each country has at least 44 registered TPPs through passporting arrangements. And of course, it isn’t just the newly regulated entities that are looking to take advantage of PSD2. Other banks as well as payments institutions are also able to do so, further increasing the need.
Regulatory-driven change, courtesy of PSD2 and Open Banking in the UK, leads to a complex web of compliance standards just by virtue of having to deal with multiple countries. And, as with all legislation, the devil is in the detail: it’s only once implementation begins that bumps in the road are uncovered. For example, each third party needs to obtain a licence from a national regulator, and once they’ve received that licence they can passport it to a number of European markets. This immediately introduces a pan-European dimension, dealing with third-party providers from different countries all operating under potentially slightly different regulatory regimes.
There is huge complexity in checking the regulatory status of a third party; consider the challenge for a bank in having to reach out to all of the 70 qualified trust service providers (QTSPs) and 31 National Competent Authorities (NCAs) in real time. As Brendan Jones, chief commercial officer at Konsentus, explained: “All 31 NCAs and the more than 115 registers they maintain run on different technology stacks; the information presented across registers is not standardised or consistent, and there’s often duplication or information missing.”
The success of open banking in the future will be predicated on innovation, collaboration and partnership – organisations coming together to collectively deliver solutions that no single organisation could deliver alone, ensuring the vital architecture underpinning the ecosystem is robust and secure.
Open banking is an evolution. We agree with Brendan when he says, “The ecosystem is just at the start of its journey, and every participant is learning as we go”. The ultimate challenge is making sure there are compelling propositions for customers, banks and third parties, underpinned by a balanced, robust ecosystem. It’s a case of risk and reward – people will make their data available but there has to be something in it for them. Unfortunately, if there’s more data available and more ways for fraudsters to exploit it, then the sophistication of their attacks will increase. So, it’s essential that we continue to collaborate and keep the fences as high as possible.
The article is very generalist and doesn’t say anything about real challenges ASPSPs might face when verifying a TPP. And why does it have to do with all QTSPs when it’s mandatory to access one to validate the eIDAS? Konsentus and PRETA have been bragging for a long time about reality vs regulation, but all banks need to know is what regulation mandates in order to comply with minimum requirements.