Security and fraud prevention in the new EU open banking regulation triumvirate

Written by Mark Boyd & Mariana Velázquez

Updated at Thu May 02 2024

Who should read this:

Banks, fintech, payments providers, aggregators, API tools providers, consumer associations and financial inclusion advocates, regulators

What it’s about:

Security and fraud prevention will be enhanced in the upcoming European regulations aimed at evolving the open banking landscape

Why it’s important:

Banks, fintech and payments providers need to understand the new security requirements that they will need to comply with under emerging open banking regulations. This is also an opportunity for API tools and identity providers to help the financial services sector introduce components that will strengthen security and anti-fraud approaches.

In our first post, we briefly introduced the three new regulatory packages that will shape the evolution of the open banking and open finance ecosystem across Europe. These three regulatory packages are: Instant Payments, Digital Identity, and the Third Payments Services Directive (PSD3). It is because of PSD3 that we say "packages" as PSD3 also includes the Payments Services Regulation and the Financial Data Access Framework. Together these create what we call the "open banking regulation triumvirate": the ruling regulations that work together to enable stakeholders to innovate with financial and payments services while protecting citizen and business financial health and data rights.

There are four key themes that are addressed across the regulations:

1. Enhanced digital security/fraud prevention

2. Strengthened consumer data rights

3. Shifting ecosystem roles for banks, fintech and other stakeholders

4. Expanded digital financial service opportunities and solidifying of embedded finance service delivery.

Theme 1: Enhanced digital security/fraud prevention

The three regulations all address fraud prevention and digital security:

Regulation	Instant payments regulation (Instant Credits Transfer in Euro)	eID and Digital Wallets regulation (European Digital Identity framework)	PSD3 (including Payments Services Regulation and Financial Data Access Framework)
How this theme is addressed	The Verification of Payee (VoP) obligation requires that payments services providers must check the bank account where the money is to be sent and confirm the details and name, and whether these are a mismatch. The payer may then decide whether or not to send the payment. If this is not provided, the payer has stronger rights to compensation where payment was made to an incorrect account. Payees who have histories of fraud or who have been involved in terrorist activities should also be checked and blocked.	Overall the introduction of digital identity and use of a digital wallet aims to enable stronger authentication and know your customer processes to be introduced where users can confirm their identity and prevent fraud risks.	As with instant payments, PSD3 requires verification of payee for other financial transfers beyond instant payments. This aims to reduce the risk of ‘spoofing’ and strengthen against authorised push payment frauds. Strong Customer Authentication (SCA) processes are also being updated, for example, to ensure transactions are linked with the amount and payee. To simplify authentication, new requirements mean that authentication will only occur once with banks, and reconfirmed with the account or account information provider. SCA will also need to be used when end users first add a virtual payment card to their digital "passthrough" wallet, not just at the time of making a payment. Failure to ensure SCA also introduces new penalties. Changes to two factor authentication are also being introduced. The introduction of the Financial Data Access Framework also seeks to introduce greater trust frameworks when enabling data sharing. Requiring stakeholders to share more data within the ecosystem are also intended to assist with fraud prevention.

Global open banking, open finance and embedded finance systems are creating global digital infrastructure, which means new security risks are introduced that need to be addressed. Without heightened security and safety, consumers are less likely to use online and digital services.

In our ecosystem model, security and privacy is seen as an enabler that acts as a force multiplier for open banking when there is a high level of security and trust:

GIF discussing how various ecosystem stakeholders are impacted by EU open banking regulations in relateion to security as discussed in the blog post

In the payments space, the biggest leap forward from the regulations is the introduction of Verification of Payee API processes as a mandatory requirement (in both the Instant Payments Regulation and the PSD3). This also creates a compensation right for customers where the payment has been made to an erroneous account: if the customer has not confirmed the verification of the account they were intending to send the money to, the payment services provider becomes responsible for reimbursing the client if the money was sent to the wrong account. We imagine this will allay some fears about using digital payments systems and open banking products.

For Know Your Customer (KYC) processes, the mandating of a digital wallet is the core strengthening proposal (Digital Identity Regulation). The vision for the core identity wallet is that it can be used to securely verify one's identity, but it could also act as a credential storage system: storing verified, digital copies of documents like passports and driver's licences and allowing the user to decide which ones to use for which types of verification. For example, perhaps the digital wallet would store all of these documents, and the end user would then share them from their wallet when applying for a loan, but perhaps for something like accepting a delivery, they would only need to show a digital wallet identity confirmation screen to confirm that their identity had previously been verified by a bank or other authorised body.

And for data sharing in an open ecosystem, the Financial Data Access Framework (as part of the PSD3 package) is the key lever. This is expected to define new data models and obligate some data sharing between ecosystem stakeholders to build better anti-fraud datasets. For example, under the Instant Payments Regulation there are requirements that banks and payments providers do a check during the VoP process against red flag lists for anti-money laundering, frequent fraud and terrorism, and we can image that the FIDA Framework will establish the data models that define what should be shared to enhance this kind of database. We think the introduction of consumer data sharing permission dashboards should also mean that consumers should be able to see any previous vulnerabilities or data breaches from the suppliers they are connected to: this will require new data models and data sharing to be in place, another area we think the FIDA should support. Meanwhile, providers are already supporting secure open banking data sharing systems. Raidiam, for example are already working globally to provide a data sharing trust framework for many open banking ecosystems, including in the UK, Brazil and Australia.

Screenshot of Candour identity's value proposition noting they can provide online identity verification services

New technologies are seeking to enhance identity security and reduce fraud

Profile: Candour Identity

Finnish startup Candour Identity aims to leverage AI and biometric technologies to strengthen identity verification. The service aims to offer banks, digital wallets providers and payments services providers a mechanism to use facial recognition to confirm identity and store proof of identity when first registering (for example, by coupling facial recognition with passport verification). After that, facial recognition is used to confirm identity in each use case in under 1 second. Candour’s business model is based on basic pricing, an annual license fee and a transaction fee basis.

What the new regulations mean for open banking ecosystem stakeholders

Banks, fintech, aggregators and payments providers will need to start building out their compliance work program to align with the new regulations and their deadlines. As stated in our introduction, we think that the three regulations should be considered together as they build on each other. The work a bank or payments provider does to prepare for Verification of Payee will inspire thinking about how they should position themselves in the digital wallet space, and in preparing for future data sharing under PSD3/FIDA, for example. In addition, these stakeholders should be thinking of a range of value-added opportunities that could be offered on top of verification of payee and other identity-related services. We discuss some examples in our Q2 2024 Open Banking/Open Finance Trends Report of how banks like ABN AMRO are partnering with fintech and identity providers to deliver a monetized verification of payment API service for corporate customers and online retailers already.

For API tools providers, these new regulatory requirements introduce new opportunities to work with financial institutions to ensure that identity and security systems are robust and integrated into the open banking ecosystem.

Regulators need to start building out data systems to be able to report on the level of security and privacy protection in national open banking ecosystems. We think the APP Fraud annual report recently released by the UK's Payment Services Regulator is a good model for EU regulators to adopt when reporting on fraud prevention in the instant payments area, for example, but we have been unable to find anything of similar quality as yet in how Europe or European member states monitor this type of fraud. (The European Payments Council has an excellent annual report covering trends in fraud in the payments space, but there are not datasets or calculations published so it will be difficult to monitor whether the new regulations are creating the intended impact under current reporting mechanisms.) Consumer associations and financial inclusion advocates will need access to this data to ensure all citizens are being protected as new open banking regulations are implemented.

Fraud prevention and security help protect consumer data and consumer finances. But the three EU regulatory packages also discuss how consumer data rights can be protected more broadly, including how consumers should have access to their own financial data so that they can co-create the value they want with open banking, embedded finance and other stakeholders. We will discuss this in the next post.