The payments industry is in the midst of major disruption – it is at the tipping point of a global revamp. The modernisation of payment processing has changed the way consumers carry out payment transactions with banks, and amid these changes, businesses are recording greater efficiencies through transaction data, straight-through processing (STP) and many other modern payment systems. But with great efficiency comes an equally worrying concern – security. The onus now lies on banks and financial institutions to prove to consumers that, even with the integration of new payment technologies, security can be assured and remains a top priority. To do so, banks and financial institutions need to address these two issues:
Authenticating the consumer
Customers are naturally wary of adopting new payment technologies. A survey found that a majority (81%) of those interviewed had concerns about new technologies such as contactless payments, and 47% of respondents were unwilling to use mobile as a form of payment. There is therefore a pressing need for banks to continue persuading consumers to adopt new payment systems, and the best way to do so is to address these security concerns directly by demonstrating prudence through authentication.
Authentication is necessary and vital for several types of transactions, the most common being digital banking. Regulations require that any transaction performed over an electronic channel use at least two factors of authentication. The typical method is a username and password combination, followed by a second factor as the consumer’s actions become more critical, such as transferring funds. The second factor involves receiving a one-time password (OTP), obtained either through a hardware token or, increasingly commonly, through a mobile device. The use of mobile uncovers a grave new concern: although such authentication mechanisms provide a seamless experience, the risk of compromise is high. Mobile apps often hold permissions to read system resources such as SMS messages, and can therefore easily obtain the very information that is meant to provide the second layer of authentication.
Such authentication methods are flawed, as both the first factor (based on what you know, i.e. username and password) and the second factor (based on what you have, i.e. OTP, mobile device, etc.) remain susceptible to attackers.
Perhaps what financial institutions need to do first is understand the vulnerabilities in their authentication systems. The next step is to consider the overall architecture of the current system – does it allow enough flexibility to adapt to the latest authentication methods? This is crucial, as a combination of step-up, risk-based and federated authentication might be required to provide optimal security for consumers. Notwithstanding these factors, the user experience should remain a priority throughout the construction of a better authentication model.
Access to consumers’ personal data
The consumer’s security and privacy hinge on the protection of personal data – thus, financial institutions need to determine accurately which parties can obtain access to such information. While personal data can eliminate information asymmetries, consumers are often unaware of how their data can be used – or misused – by intermediaries.
The General Data Protection Regulation (GDPR) appears to address such concerns directly, ultimately allowing consumers full control over their data. The new regulation, which will be in force in May 2018, enhances the requirements for obtaining data subject consent. Under GDPR, consent cannot be assumed – it has to be communicated explicitly through a statement or a direct affirmative action. This means that once the regulation is in place, the practice of using pre-ticked boxes or the like will be considered insufficient to grant consent. Furthermore, under the new regulation, the special categories of data will be expanded to cover genetic data, biometric data and gender. The regulation encompasses any transaction processed by organisations operating within the EU, or by organisations outside the EU that transact with EU citizens, and imposes strict penalties for any violations.
The GDPR is an example of an upcoming regulation that favours the consumer. Financial institutions need to begin thinking of ways of storing, managing and porting customer information while remaining compliant with the stipulations of such regulations.
Once access is granted to intermediaries, ensuring that this access neither compromises the security of the issuer nor places consumer data at risk becomes a concern. From a consumer’s perspective, one approach could be to create a framework that allows customers to view, access and manage their personal data through a digital vault. Financial institutions, on the other hand, need to increase their investment in security and authentication measures to avoid potential breaches.
As new forms of payment mechanism emerge, financial institutions need to take a proactive approach to data security. At the very least, the age-old practice of matching usernames with passwords should be abolished, as it is the most susceptible to hacking. Alternative authentication methods that use analytics, behaviour or device information would provide a stronger barrier against breaches. On an architectural level, APIs should be a vital component of a financial institution’s future strategy, as they have the potential to modernise existing infrastructure and reinforce security.