The proliferation of open banking, e-commerce companies and shared economy marketplaces has empowered consumers, allowing them to benefit from better deals, access new products and get a better grip on their spending habits.
Yet, the flexibility of open banking and other payment solutions has revealed previously unknown risks to firms and consumers. It quickly became apparent that, in the case of open banking, it is possible to not only defraud a consumer’s primary bank account, but also services provided by their other chosen financial service providers, leaving the consumer’s digital identity compromised. While consumers are becoming more familiar with e-commerce fraud attacks such as phishing, digital identity fraud, including in payment systems, is still relatively new to the public. Furthermore, as these threats become more sophisticated and the industry continues to grow, the potential for fraud can only increase.
To tackle this threat, banking and e-commerce organisations have to modernise further, but this time under the watchful eye of European and UK regulators. Coming into force on 14 September, the Second Payment Services Directive (PSD2) is set to protect consumers from identity theft and asset takeovers. It is also taking regulatory compliance and technology challenges to a new level, turning into a strategic and operational challenge for many businesses. Practically, it means that new customers’ identities will have to be verified. But there’s another pain point that not even the banks saw coming.
In the past, it’s not been uncommon to have a joint account or credit card with only one of the joint holders’ identities verified and known to a bank. This will have to stop under PSD2, and existing banking customers will also have to be re-authenticated. This will place a huge strain on even the most digitally forward-thinking institutions, who may have to re-authenticate the identities of millions of customers, as well as introduce much more stringent identity verification at the onboarding stage. Overall, banks and FS companies must work hard to see the long-term gain, not simply try to overcome the short-term pain.
Moreover, the incoming regulation means that banks and fintech businesses will have to authenticate every customer by at least two of the following criteria whenever they want to make an online transaction: something they have, something they are, and something only they know. This could include an ID document, a biometric identifier, and a security question, going beyond simply a card and a PIN – as is the current standard. This introduces an additional layer of security to defend against the threat of fraud as open banking grows and e-commerce volumes expand.
Another important regulatory development, pushing digital-first businesses to innovate, is the Online Harms White Paper consultation, launched by the UK government earlier this month. It sets the scene for a set of legislative and non-legislative measures aimed at making companies more responsible for their users’ safety online, especially children and other vulnerable groups. It introduces an interesting notion of the duty of care that modern businesses – including financial institutions, shared economy marketplaces and e-commerce companies – have towards their customers and users.
What we’ve also started seeing is a sea change in consumer attitudes and expectations. This could be in response to both the rising threat of online fraud and the news of impending regulatory changes. It’s becoming increasingly clear that consumers now prefer and place more trust in businesses with robust identity verification in place – even if it takes some of their time to jump through authentication ‘hoops’. A little friction in a customer journey in the name of online safety is now seen as a good thing. It is also seen as a positive within a partnership or as part of a supply chain – as businesses can’t afford the risk of non-compliance under GDPR and other privacy regulations linked to fraudulent identities. That is all well as a concept. But are robust ID checks sustainable for businesses in the long run?
To ‘fight fire with fire’, businesses should use technology as the answer to cyber-security and fraud concerns that surface amid widespread technological innovation. For example, online marketplaces are only a fraud risk because technology has enabled their existence, but technology is also the cure. AI-led digital identity verification that authenticates the identity of every customer or user on online marketplaces can significantly reduce the risk of fraud and money laundering online – fighting fire with fire might just work.
What’s more, the simplicity of taking a selfie can reduce compliance costs, improve ROI, and maximise the volume and value of online transactions for businesses. It’s set to benefit large traditional and digital-first challenger businesses alike. It is a good case of compliance enabling further innovation and modernisation in the newest sectors of our economy.
Regtech emerging off the back of PSD2 will be a rising tide that lifts all boats. Not only will it allow financial services and e-commerce firms to better know their customers, but it will also significantly reduce the risk of customer identity and product portfolio fraud. In practice, this means that post-PSD2, account opening fraud could be considerably limited, with the rightful ID owner being alerted to potentially fraudulent activity in real time. This is a no-brainer from the reputational and risk-management points of view.
With the PSD2 deadline looming, this begs the question… is your business ready to blindly trust without being able to verify?
Author: Rene Hendrikse: MD, EMEA – Mitek