Identity Issues in the PSD2 and Open Banking World

Digital identity is critical for the implementation of PSD2 in particular and Open Banking in general. After all, if you cannot prove who you are to a bank or third party provider, how can they provide you with access to your accounts or make payments from your accounts? In this blog we look a little further under the covers to see the challenges this digital identity raises in the Open Banking world.

What is a ‘Digital Identity’?

At many stages during our lives, it is necessary that we identify ourselves to prove who we are. The most widely used and trusted form of identification is your passport, or potentially your national ID card if such a thing exists in the country where you live. However, while these can be used to prove identity, perhaps while opening a new account, they cannot practically be used each time you need to identify yourself digitally, though some countries do appear to be experimenting with their national ID cards for this purpose.

When you interact with various web sites today, you generally prove your identity by providing a user ID (perhaps your email address) and a password. As time has gone on, most of us have collected hundreds of passwords. The password requirements for different sites vary from a simple 6-character password to at least 8 characters with upper and lower case letters, numbers, special characters, etc. As security concerns with user ID/password identity grow, requirements have grown for longer and more complex passwords which are even more difficult to remember.

Existing online banking solutions augment this by forcing additional challenges when, for example, adding an account to transfer funds to or making a payment over a certain amount. However, to date, these challenges have been directly between the bank and its customer; Open Banking means that Third Party Providers (TPPs) will be accessing accounts on behalf of a customer, which adds a new level of complexity.

More Modern Mechanisms for Identifying Yourself Digitally

There are a number of companies working on better ways to identify yourself digitally that are far superior to simply providing a user ID and password. Biometrics is key to most of these: some biometric attribute that you have is used so that it can be biometrically proven that the person is you. Some examples of this are:

  • Fingerprint recognition is probably the most widely known and used mechanism. https://touchtechpayments.com/ provide a solution based on this.
  • Apparently each person’s heartbeat is different and can be used to digitally identify you. https://www.b-secur.com/ provide a solution based on this.
  • Iris recognition can also uniquely identify a person and this is perhaps best known through its use for passport control purposes.

However, it is one thing to verify that a person is who they say they are; it is a more complex process to carry that identity across multiple systems, which is what is required for Open Banking.

Securing Open Banking Transactions

In the PSD2 world, there is now a category of organization called TPPs that can act as an Account Information Service Provider (AISP) or a Payment Initiation Service Provider (PISP). These organizations can apply for registration with their local financial authority and, once they fulfil the local conditions, banks are obliged to open their APIs to them so that they can read customer accounts or make payments on behalf of customers. So when a request comes from a TPP on behalf of a customer, how does the bank know that the particular customer has agreed?

There is a concept of implicit consent whereby the bank is expected to simply trust the TPP when it makes a request. However, no bank is likely to be open to accepting implicit consent, as the customer could potentially argue they did not ask the TPP to act on their behalf. For this reason, all banks currently require explicit consent from the customer, which involves a direct interaction between the customer and the bank using the customer’s banking credentials.
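To make the difference between the two consent models concrete, here is a small added example (not code from the original post or from Ostia Solutions) modelling a bank API with two gates: one that takes a registered TPP’s word that the customer agreed, and one that only honours a consent token the customer obtained by authenticating directly with the bank. The TPP identifiers, customer name and password are constructed for the example, and the token is a stand-in for whatever a real bank’s consent mechanism issues; the point is the set of checks the explicit gate performs and the audit trail it leaves.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Consent:
    """What the customer agreed to: which TPP, which actions, for how long."""
    customer_id: str
    tpp_id: str
    scope: frozenset
    expires_at: float


class Bank:
    """Toy bank with an implicit-consent gate and an explicit-consent gate.
    All identifiers are constructed for this example."""

    def __init__(self, registered_tpps, customer_passwords):
        # TPPs registered with the local financial authority (simulated register).
        self._registered_tpps = frozenset(registered_tpps)
        # Customer credentials held by the bank: id -> (salt, PBKDF2 hash).
        self._customers = {}
        for cid, pw in customer_passwords.items():
            salt = secrets.token_bytes(16)
            self._customers[cid] = (salt, self._hash(pw, salt))
        self._consents = {}      # token -> Consent
        self.audit_log = []      # every consent decision, kept for dispute handling

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _customer_authenticates(self, customer_id, password):
        rec = self._customers.get(customer_id)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(password, salt))

    def grant_consent(self, customer_id, password, tpp_id, scope, ttl_seconds=3600):
        """Explicit consent: the customer proves identity to the bank directly
        and names the TPP and scope. Returns an opaque token the TPP presents."""
        if tpp_id not in self._registered_tpps:
            raise PermissionError("TPP is not registered")
        if not self._customer_authenticates(customer_id, password):
            raise PermissionError("customer authentication failed")
        token = secrets.token_urlsafe(32)
        self._consents[token] = Consent(customer_id, tpp_id, frozenset(scope),
                                        time.time() + ttl_seconds)
        self.audit_log.append(("consent_granted", customer_id, tpp_id, tuple(sorted(scope))))
        return token

    def request_implicit(self, tpp_id, customer_id, action):
        """Implicit consent: only the TPP's registration is checked; its claim
        about the customer is taken on trust, so nothing ties the customer to it."""
        if tpp_id not in self._registered_tpps:
            return False
        self.audit_log.append(("implicit_access", customer_id, tpp_id, action))
        return True

    def request_explicit(self, tpp_id, token, customer_id, action):
        """Explicit consent: the token must exist, be bound to this TPP and this
        customer, cover the requested action and be unexpired."""
        if tpp_id not in self._registered_tpps:
            return False
        consent = self._consents.get(token)
        if consent is None:
            return False
        if consent.tpp_id != tpp_id or consent.customer_id != customer_id:
            return False          # token was issued to someone else: refuse
        if action not in consent.scope:
            return False          # e.g. a read-only (AISP) token used to initiate a payment
        if time.time() > consent.expires_at:
            self._consents.pop(token, None)
            return False
        self.audit_log.append(("explicit_access", customer_id, tpp_id, action))
        return True


def demo():
    """Constructed scenario: two registered TPPs and one customer."""
    bank = Bank(registered_tpps=["tpp-aisp-1", "tpp-pisp-2"],
                customer_passwords={"alice": "correct horse battery staple"})
    results = {}
    # Implicit consent: any registered TPP can read any customer's accounts.
    results["implicit_any_tpp"] = bank.request_implicit("tpp-pisp-2", "alice", "accounts:read")
    # Explicit consent: alice authenticates to the bank and names tpp-aisp-1, read-only.
    token = bank.grant_consent("alice", "correct horse battery staple",
                               "tpp-aisp-1", {"accounts:read"})
    results["explicit_ok"] = bank.request_explicit("tpp-aisp-1", token, "alice", "accounts:read")
    results["wrong_tpp"] = bank.request_explicit("tpp-pisp-2", token, "alice", "accounts:read")
    results["wrong_scope"] = bank.request_explicit("tpp-aisp-1", token, "alice", "payments:initiate")
    results["no_token"] = bank.request_explicit("tpp-aisp-1", "not-a-token", "alice", "accounts:read")
    return results, bank


if __name__ == "__main__":
    for name, value in demo()[0].items():
        print(f"{name}: {value}")
```

The implicit gate succeeds for a TPP the customer never dealt with, and the bank’s log records only the TPP’s claim; the explicit gate refuses a token presented by a different TPP, used outside its scope, or after expiry, and the log carries the customer’s own authentication event that a bank can point to if the customer later disputes the access.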

While this ensures that security is maintained, it slows down the whole process, which has the potential to make services provided by TPPs so cumbersome that people won’t use them. So how can this particular circle be squared? Some potential ideas:

  • A central trusted service that manages digital identity could be used by TPPs and banks to trust the identities as they exchange them. A lot of work has been done in this area in the Nordics.
  • It may be that TPPs offer to indemnify the banks against customers who claim the bank incorrectly granted access to a TPP for their accounts. This will obviously require any TPPs who offer this to have absolute faith in their own identity and consent procedures.
  • The banks could agree with a limited number of TPPs to trust them implicitly but this is likely to be subject to a lot of preconditions and regular audits by the bank of the TPP.

One would have hoped that technology could solve this issue in the same way as has been done with specific organizations, for example, acceptance of Google Identity. However, protecting someone’s finances is a different world to protecting emails or other online documents so a lot more research is definitely going to be needed in this area.

Written by: Ostia Solutions