Continuing with our PSD2 series we speak to Brian Costello, Chief Information Security Officer, Envestnet | Yodlee, about what it means to the industry’s back office compliance.

Finovate: According to Strategy&, 68% of bankers are worried PSD2 will cause them to lose control of the client interface. What’s your advice to these banks?
Costello: While this seems on the surface to be a valid concern, Envestnet | Yodlee has a different perspective from our years of powering innovative digital channel and data-driven solutions. There are, of course, different profiles of banks, but in general the use of third party services that either are not offered by the bank or compete with the bank’s offering do not materially impact competition. In the former case, clients stay or leave the bank, based on the suitability of the bank’s products and services, the effectiveness of the digital and traditional channels (i.e. branch, ATM and phone), and the quality of the experience. In the latter case, competition either drives banks to innovate at the breadth and pace required to keep (and gain) clients or to partner with third parties to expand their service offerings. With this in mind, PSD2 simply requires participation in a payments ecosystem and facilitates client access to their own data. Neither of these negates the bank’s ability to preserve the client relationship via quality products and experiences. Just the opposite, in fact, it empowers the bank to offer expanded payment and data-driven services under the protection of the new regulation. Our advice, therefore, is to identify what services are most needed by their customers and build them or seek out qualified partners to incorporate them into the client experience.
Finovate: Will PSD2’s enhanced security requirements increase friction for end consumers?
Costello: Yes, for those customers that already use consumer-permissioned aggregation solutions today but not for new customers. However, the friction is short-lived as the third party providers (TPPs) will provide a “cut-over” mechanism. Ultimately, participation in the PSD2 ecosystem will provide better protection to the customer, so this small amount of friction is justified and enhances security. It’s also important to understand that without PSD2, friction would have increased for these customers as banks tightened online access controls with dynamic authentication which, while reducing online banking fraud, prevented some aggregation-powered applications from working without customer intervention.
Finovate: How do you suggest banks and fintechs communicate about PSD2 to consumers who are scared to share their data because of privacy issues?
Costello: First, there is good guidance provided by authorities that can be used to craft consistent messages. In general, banks should consider the following key points:
It is the consumer’s data. They control what to share and with whom to share it.
Exercise due diligence in selecting third parties based on their value to you and your needs. Read their terms of service and privacy notices. If they seem unclear, too broad or otherwise concerning, then find another provider.
Participants in PSD2 are authorized and must follow the laws, including the current Data Protection Act and the upcoming General Data Protection Regulation. Consumers are protected by each of these laws, and regulators are actively enforcing them.
Finovate: The benefits of PSD2 to fintechs are obvious. How can banks make sure they’re benefiting, as well?
Costello: Envestnet | Yodlee believes that there are many benefits of PSD2 to banks as well. We pioneered Personal Finance Management (PFM) offerings for financial institutions knowing that if the bank had a broader view of their customers’ financial picture, they could offer personalized services, proactive advice, and build better products. PSD2 provides clarity to banks on how to collect, protect, and use their customers’ data to improve their financial well-being. It also reduces banks’ risk as online banking credentials will no longer need to be provided to third party providers.
Finovate: Should banks be worried that, by opening their APIs to third parties, they risk increased security vulnerabilities?
Costello: No, as long as banks apply the same security rigor to these new API end-points as they do for online and mobile banking interfaces. The same controls for vulnerability management: secure builds, patch management, change management, monitoring, etc. apply to PSD2 APIs. As PSD2 takes hold, cybersecurity sharing forums will become a valuable source of information so that all members of the ecosystem (banks, TPPs and regulators) can work together to ensure that all customers can enjoy the full potential of improved payments and data-powered services.
The information, analysis, and opinions expressed herein are for informational purposes only. Nothing contained in this piece is intended to constitute legal, tax, accounting, securities, or investment advice, nor an opinion regarding the appropriateness of any investment, nor a solicitation of any type.