PSD2 security deadline extension is not a reason for further can kicking

The original deadline for PSD2 compliance quietly passed by at the weekend but it will be another 18 months before UK businesses meet the regulation’s rules on customer authentication.

Nick Caley, vice president of financial services and regulation at authentication technology supplier ForgeRock, provided his opinion on what the delay means to companies that must comply.

By Nick Caley

September 14th marked the original deadline by which banks were required to implement the final element of the PSD2 regulation – Strong Customer Authentication (SCA). However, due to a lack of preparedness across Europe, the authorities responsible for supervising the implementations have provided extensions, with the UK’s Financial Conduct Authority (FCA) pushing it back by another 18 months.

It’s not as if the industry hasn’t had plenty of time to prepare: the long-established deadline comes after a phased implementation ‘roadmap’ which has given banks visibility of the required changes to deploy new methods of authenticating customers since 2015. It’s also certainly not for a lack of technology: there are a variety of options on the market that can deliver improved security with frictionless convenience through multi-factor authentication, such as biometrics.

The delays in delivering SCA therefore serve to highlight just how painfully slow the speed of change is amongst the established banking and payment providers across Europe, and this is having a knock-on effect for both consumers and the wider industry.

No SCA? No way…

SCA – which requires that electronic payments are performed with multi-factor authentication – is a crucial element of PSD2. Without it the high-value credentials that customers use to unlock access to their money could be exposed to security threats and the ever-present risk of fraud. Despite security now being capable of seamless experiences, banks have failed to implement it successfully, presenting a potential “cliff edge” scenario that has been prevented only by the European Banking Authority’s decision to offer flexibility on extensions.

This is the latest in a series of shortcomings from the vast majority of banks across Europe, who have failed to provide robust APIs for some time now. Such slow progress is causing a great deal of frustration among the fintech community, who have been developing open banking innovations, and rely on these APIs for their products to work.

However, the real losers here are the banks’ customers, who are getting increasingly frustrated at the frictions, margins and delays involved in their use of day-to-day digital banking, and who often prefer a mobile-only experience, which most banks are struggling to provide. Add to this the increased levels of fraud and cyber-attacks, which put consumers’ vital financial information at risk, and you begin to see why banks need to start prioritising security across their digital transformation as they build exceptional user experiences that put their customers at the centre.

Don’t just comply – compete

Technology innovation is a market force that adheres to no deadlines, and digital leaders in banking are increasingly delivering better, faster, easier and safer banking experiences. Accenture recently charted the rise of British-based digital-only banks, who have grown their combined customer base to 13 million and could triple growth around the globe, having already doubled in the last 12 months — such is the reality of the ongoing shift to customer-centric business models.

This is why banks cannot afford to view this 18-month extension as an opportunity to kick the security of their digital transformation into the long grass. Doing so would risk getting outcompeted by the more agile digital natives. With fintech and big tech poised for the mass adoption of Open Banking-enabled services, there is far more at stake for digital laggards than the scrutiny of the regulator.