The arrival of e-commerce and digital banking has been revolutionary for financial services firms and customers alike. We have saved not only time, but also money as new marketplaces and low-asset business models have thrived on the flexibility afforded by open banking. Never before have we had better control over our money and financial services products.
By Rene Hendrikse, MD EMEA, Mitek
Yet the new-found freedom afforded by open banking has come at a cost. With added convenience comes complacency, as these new services reveal new and previously unknown risks.
Only recently have firms begun to step up and secure their online spaces as consumers have been made aware of threats such as phishing, which not only threaten a customer’s main bank account, but also all their other chosen financial providers. As security threats to e-commerce providers will only become more complex, the risk of serious fraud will increase accordingly.
To tackle this threat, banking and e-commerce organisations have to modernise further, but this time under the watchful eye of European and UK regulators. Coming into force on 14th September, the Second Payment Services Directive (PSD2) is set to protect consumers from identity theft and asset takeovers.
It is also taking regulatory compliance and technology challenges to a new level, turning into a strategic and operational challenge for many businesses. Practically, it means that new customers’ identities will have to be verified. But there’s another pain point that not even the banks saw coming.
In the past, it’s not been uncommon to have a joint account or credit card, with only one of the shared holders’ identity verified and known to a bank. This will have to stop under PSD2, and existing banking customers will also have to be re-authenticated. This will place a huge strain on even the most digitally forward-thinking institutions, who may have to re-authenticate the identities of millions of customers, as well as introduce much more stringent identity verification at the onboarding stage. Overall, banks and FS companies must work hard to see the long-term gain, not simply try to overcome the short-term pain.
Moreover, the incoming regulation means that banks and fintech businesses will have to authenticate every customer by at least two of the following criteria whenever they want to make an online transaction: something they have, something they are, and something only they know. This could include an ID document, a biometric identifier, and a security question, going beyond simply a card and a PIN – as is the current standard. This introduces an additional layer of security to defend against the threat of fraud as open banking grows and e-commerce volumes expand.
Another important regulatory development, pushing digital-first businesses to innovate, is the Online Harms White Paper consultation, launched by the UK government earlier this month. It sets the scene for a set of legislative and non-legislative measures aimed at making companies more responsible for their users’ safety online, especially children and other vulnerable groups. It introduces an interesting notion of the duty of care that modern businesses - including financial institutions, shared economy marketplaces and e-commerce companies - have towards their customers and users.
What we’ve also started seeing is a sea change in consumer attitudes and expectations. This could be in response to both the rising threat of online fraud and the news of impending regulatory changes. It’s becoming increasingly clear that consumers now prefer and place more trust in businesses with robust identity verification in place - even if it takes some of their time to jump through authentication ‘hoops’.
A little friction in a customer journey in the name of online safety is now seen as a good thing. It is also seen as a positive within a partnership or part of a supply chain - as businesses can’t afford the risk of non-compliance under GDPR and other privacy regulations linked to fraudulent identities. That is all well and good as a concept. But are robust ID checks sustainable for businesses in the long run?
To ‘fight fire with fire’, businesses should use technology as the answer to cyber security and fraud concerns that surface amid widespread technological innovation. For example, online marketplaces are only a fraud risk because technology has enabled their existence, but technology is also the cure. AI-led digital identity verification that authenticates the identity of every customer or user on online marketplaces can significantly reduce the risk of fraud and money laundering online - fighting fire with fire might just work.
What’s more, the simplicity of taking a selfie can reduce compliance costs, improve ROI, and maximise the volume and value of online transactions for businesses. It’s set to benefit large traditional and digital-first challenger businesses alike. It is a good case of compliance enabling further innovation and modernisation in the newest sectors of our economy.
Regulation technology emerging as a result of PSD2 regulation is not just beneficial for online banking and e-commerce providers. Traditional banks will also benefit as it will help them to better understand their customer base. It will minimise the overall risk within their product portfolios by limiting account opening fraud and giving the firm the ability to flag and monitor potentially fraudulent activity. Regulation technology works to benefit not only brand reputation but also overall business practice.
Nevertheless, we have seen that many firms are still in the dark when it comes to planning for regulation such as PSD2. Verifying customers has real safety benefits beyond just compliance - and it’s time to turn to identity verification.