
Strong authentication: what changes following the DSP2 (PSD2) regulation in the banking sector?

What is the PSD2?

The PSD2, or revised Payment Services Directive, is a European directive that came into force on September 14, 2019. It was created with the aim of improving the security of online payments and of access to account information. To that end, the directive imposes new obligations on banks and on other payment service providers (third-party PSPs) such as account aggregators and payment initiators.

It covers 3 major topics:

  • Strong authentication for account consultation and sensitive transactions.
  • Secure communication between banks and third-party PSPs: banks will have to set up a secure system for sharing their customers’ payment information with PSPs.
  • Reinforcement of consumers’ rights: immediate reimbursement of disputed transactions, prohibition of overcharging, etc.

What is strong authentication?

One of the major components of PSD2 concerns the implementation of strong authentication for account consultation and electronic payment transactions.

It aims to make electronic transactions more secure by strengthening the verification of the user’s digital identity.

An authentication is considered strong if it results from a combination of at least two authentication factors from the following three categories:

  • An element that you possess: smartphone, SIM card, physical key, etc.;
  • An element that you know: password, secret code, etc.;
  • A personal characteristic: fingerprint, facial recognition, voice recognition, etc.

A customer will be required to use a strong authentication method to make online payments or to carry out any other online operation involving a risk of fraud (such as a change of phone number, for example).

This two-factor authentication will be required to log in to the personal online banking space and will have to be renewed every 90 days.

However, exceptions to the strong authentication are foreseen, notably for:

  • Low-value transactions (less than €30, or €50 for contactless payment).
  • Transactions considered low risk after a risk analysis by the bank.
  • Recurring transactions of the same amount to the same beneficiary, from the 2nd transaction onwards.
  • Transfers between two accounts of the same holder within the bank.
  • Transfers to beneficiaries registered on a whitelist of “trusted beneficiaries”.
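As an added illustration (not code from the original article), the following Python module encodes the rules described above as a small policy check: it verifies that the methods used span at least two distinct factor categories (two knowledge factors, such as a password plus a PIN, do not count), applies the listed exemptions to a transfer, and enforces the 90-day renewal for online-banking access. The method names, the `Transfer` fields and the `bank_risk_score` values are assumptions chosen for the example; a real bank's risk analysis and thresholds are not described on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Factor(Enum):
    POSSESSION = "possession"  # smartphone, SIM card, physical key
    KNOWLEDGE = "knowledge"    # password, secret code
    INHERENCE = "inherence"    # fingerprint, face, voice


# Constructed mapping from an authentication method to its PSD2 factor category.
FACTOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "registered_smartphone": Factor.POSSESSION,
    "hardware_key": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def is_strong_authentication(methods):
    """True when the methods used cover at least two of the three categories.

    Two methods from the same category (password + PIN) are NOT strong
    authentication, which is the mistake this check is meant to catch.
    """
    categories = {FACTOR_CATEGORY[m] for m in methods}
    return len(categories) >= 2


@dataclass
class Transfer:
    amount_eur: float
    beneficiary: str
    contactless: bool = False
    same_holder: bool = False           # between the holder's own accounts at the bank
    trusted_beneficiary: bool = False   # beneficiary is on the customer's whitelist
    prior_identical_count: int = 0      # earlier transfers of same amount to same beneficiary
    bank_risk_score: str = "high"       # assumed outcome of the bank's risk analysis: "low" / "high"


def sca_exemption(t):
    """Return the name of the applicable exemption, or None when SCA is required."""
    limit = 50 if t.contactless else 30
    if t.amount_eur < limit:
        return "low_value"
    if t.bank_risk_score == "low":
        return "low_risk"
    if t.same_holder:
        return "same_holder"
    if t.trusted_beneficiary:
        return "trusted_beneficiary"
    if t.prior_identical_count >= 1:    # this is the 2nd or later identical transfer
        return "recurring"
    return None


def authorize_transfer(t, methods):
    """Decide a transfer: "exempt", "authenticated" (SCA satisfied) or "denied"."""
    if sca_exemption(t) is not None:
        return "exempt"
    return "authenticated" if is_strong_authentication(methods) else "denied"


def login_needs_sca(last_sca_at, now, max_age_days=90):
    """Online-banking access must be re-confirmed with SCA once the last one is older than 90 days."""
    return last_sca_at is None or now - last_sca_at > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample transfers and sessions.
    rent = Transfer(amount_eur=900.0, beneficiary="landlord", prior_identical_count=0)
    print(authorize_transfer(rent, ["password", "pin"]))                  # denied
    print(authorize_transfer(rent, ["password", "registered_smartphone"]))  # authenticated
    print(authorize_transfer(Transfer(20.0, "bakery", contactless=True), []))  # exempt
    print(login_needs_sca(datetime(2020, 1, 1), datetime(2020, 4, 2)))    # True
```

The decision is split into two independent questions on purpose: whether an exemption applies to the operation, and whether the factors presented are genuinely from two categories. Keeping them separate makes it easy to log which exemption was used, which is what a reviewer will ask for when an exempted transaction is later disputed.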

What are the consequences of this change?

To access online accounts with strong authentication, it is now necessary to use, in addition to the current access method (login and password), an additional authentication device.

The solutions offered by the banks are specific to each one and vary according to the different types of customers and their technical constraints. For example, customers who do not have a cell phone, or who regularly travel abroad, such as military personnel, will not authenticate in the same way.

For customers with a smartphone, the bank’s own mobile application is the device that is increasingly favored by banking institutions.

This reduces the cost of sending validation codes by SMS and provides greater security.

How do you choose the right complementary authentication method for your customers?

Generally, the customer service or marketing department carries out a survey and establishes personas for its various customers. By identifying their problems, the bank is better able to propose to each type of customer the authentication method adapted to their constraints.

The advisors of the banking institutions and the customer service therefore have an essential role. They have to inform and educate customers during the migration to strong authentication, and they are also the entry point for identifying any problems customers encounter.

Customers are then progressively migrated to the new strong authentication solutions, on a schedule planned in advance by their bank and communicated through their contact person (generally the advisor).

How does strong authentication by application work in practice?

To replace SMS authentication with authentication through the mobile banking application, the customer has to register his phone and link its number to his bank account.

During this registration, the customer's smartphone is bound to his bank account. The customer is then asked to define a security code for accessing the online banking space.

Do you have a similar problem, or would you like to set up a strong authentication system? Contact us!

Article written by one of our consultants.