Behind the API: managing third party risk under PSD2

Thursday 11 October 2018 08:36 CET | Voice of the industry

As PSD2 could introduce new waves of fraud in never-before-seen patterns, Richard Harris from Feedzai explains the process of managing third-party risk under this regulation.

Open banking is about making the economy compatible with all the other shifts in our new digital lives: online payments, 24/7 services, seamless experiences across channels, and instant payments. And enabling this new payments landscape, there’s one basic component: an interface, most commonly an open application programming interface (API), to open up bank data to account-information service providers (AISPs) and payment-initiation service providers (PISPs).

Through this interface, challenger banks and “non-bank banks” are entering the scene in unpredictable ways, putting billions of euros in revenue at stake. We’ve seen this before. “Traditional business models have been disrupted (or destroyed) due to the rising supremacy of APIs.” Those are the words of an Accenture report that demonstrated the API-based insurrections in multiple industries: Netflix disrupting content over Blockbuster, Amazon disrupting hardware servers over Dell, and Expedia disrupting Thomas Cook through a collection of APIs and its easy-to-use interface.

The most forward-thinking traditional banks are trying to anticipate all these coming innovation inflection points, so that they can turn challenger threats and regulatory directives into business opportunities. PSD2 is creating a fully interconnected payments ecosystem where banks can pursue new revenues, for example, by using customer insights to cross-sell new services.

Customers will get more of what they’ve been asking for all along: personalised, differentiated services and innovative and seamless digital experiences. But as PSD2 creates a customer’s paradise, is it creating a fraudster’s paradise too?

A fraudster will never give up

Similar to how the adoption of EMV chip cards in the US led to a surge in card-not-present (CNP) fraud, PSD2 will introduce new waves of fraud in never-before-seen patterns. There will be new attacks on the users of new payment services, an increase in “director” and invoice fraud, and new social engineering schemes. Meanwhile, new third-party providers (TPPs) will increase transaction volume, and instant payments will shorten the time available to make decisions about fraud.

Adding to the challenge is the new “constrained PSD2 view.” Now that third parties can act as intermediaries between banks and customers, banks may find it more difficult to access the customer data that they have traditionally relied on to make decisions about fraud and risk. And because these new providers are associated with new data streams, banks have new kinds of data coming in that they will have to make sense of.

So it’s perhaps no wonder that a McKinsey survey “indicated that the risk of fraud arising from third party access to accounts is a serious concern and that fraud prevention is a top priority.” McKinsey concludes that banks “recognise that they must invest in fraud management.”

The API at the center

An unknown entity is coming through the API, having clicked: “Pay with my bank account.” How can a bank secure the transaction?

The API-enabled interface at the center of PSD2 doubles as an attack vector. To get at the bank, fraudsters now only have to get at the TPP. A TPP that stores financial data and is breached can expose a bank’s customer data; a compromised TPP can also be used to send fraudulent account-information requests about a bank’s customers and fraudulent payment-initiation requests.

Banks are accustomed to the existing fraud controls of the card schemes – for example, Mastercard’s and Visa’s systems. The PSD2 API is a new channel with no equivalent controls yet, so it’s uncertain how to identify fraud reliably at scale, and it’s certain that fraudsters will seek to exploit that fact.

The orchestration difference

Since fraudsters count on disappearing through the cracks between siloed transactional activities, stopping them requires orchestrating these activities into a complete and connected “PSD2 view.” While they’re managing new risks, banks will also need to protect seamless customer experiences.

Walking this balance depends on a total risk management workflow for PSD2 risk, where risk assessments above specified thresholds either trigger automated escalations, like Strong Customer Authentication (SCA), or manual reviews.

Because PSD2 is a new channel, there isn’t sufficient data to deploy machine learning models on Day 1. That’s why it’s critical to have a system that is architected to train and deploy new machine learning models into run-time production as soon as the data becomes available, with highly effective stopgaps fighting fraud in the meantime.
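The threshold-based workflow described above (risk assessments above one threshold trigger an automated escalation such as SCA, above a higher threshold a manual review) and the idea of a rule-based stopgap that carries the channel until a model can be trained are illustrated by the following added example. It is not Feedzai code and not part of the original editorial: the threshold values, the rule weights, the request fields and the per-entity profile counters are all hypothetical, chosen only to show the routing logic. When an optional model score is supplied it is blended with the rule score, so the same decision path serves both Day 1 and the later machine-learning phase.

```python
"""Threshold-based PSD2 risk orchestration (hypothetical example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    APPROVE = "approve"              # let the payment-initiation request through
    STEP_UP_SCA = "step_up_sca"      # automated escalation: challenge the customer
    MANUAL_REVIEW = "manual_review"  # hold the request for an analyst


# Assumed thresholds on a 0..1 risk scale; a real deployment tunes these per bank.
SCA_THRESHOLD = 0.4
REVIEW_THRESHOLD = 0.8


@dataclass
class PaymentRequest:
    """A payment-initiation request arriving through the open-banking API."""
    tpp_id: str
    tpp_licensed: bool            # TPP is on the register the bank trusts (assumed check)
    tpp_requests_last_hour: int   # simple TPP-level profile counter (constructed)
    account_avg_amount: float     # simple account-level profile: recent average amount
    payee_seen_before: bool       # the account has paid this payee before
    amount: float


@dataclass
class RiskAssessment:
    risk: float
    decision: Decision
    reasons: list


def rule_score(req: PaymentRequest):
    """Stopgap rules used while the channel has too little data for a model.

    Returns a (score, reasons) pair; the score is capped at 1.0.
    """
    score, reasons = 0.0, []
    if not req.tpp_licensed:
        score += 0.9
        reasons.append("tpp_not_licensed")
    if req.tpp_requests_last_hour > 500:
        score += 0.3
        reasons.append("tpp_request_burst")
    if req.account_avg_amount > 0 and req.amount > 5 * req.account_avg_amount:
        score += 0.3
        reasons.append("amount_far_above_profile")
    if not req.payee_seen_before:
        score += 0.2
        reasons.append("new_payee")
    return min(score, 1.0), reasons


def assess(req: PaymentRequest, model_score: Optional[float] = None,
           model_weight: float = 0.6) -> RiskAssessment:
    """Combine rules (and a model score once one exists) and route by threshold."""
    rules, reasons = rule_score(req)
    if model_score is None:
        risk = rules                       # Day 1: rules only
    else:
        # Later phase: weighted blend so the rules keep acting as a floor.
        risk = model_weight * model_score + (1.0 - model_weight) * rules
    if risk >= REVIEW_THRESHOLD:
        decision = Decision.MANUAL_REVIEW
    elif risk >= SCA_THRESHOLD:
        decision = Decision.STEP_UP_SCA
    else:
        decision = Decision.APPROVE
    return RiskAssessment(round(risk, 3), decision, reasons)


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    samples = [
        PaymentRequest("tpp-a", True, 10, 40.0, True, 50.0),      # routine
        PaymentRequest("tpp-a", True, 10, 40.0, False, 300.0),    # new payee, 7.5x average
        PaymentRequest("tpp-x", False, 10, 40.0, True, 50.0),     # unregistered TPP
    ]
    for s in samples:
        a = assess(s)
        print(f"{s.tpp_id:6} amount={s.amount:7.2f} risk={a.risk:.2f} "
              f"-> {a.decision.value} {a.reasons}")
```

Every decision carries its reasons, which is what a reviewer or a later model-training pipeline needs from the stopgap phase: the rule hits become labelled features once enough PSD2 traffic has accumulated.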

At Feedzai, we are perfecting the process. Our AI-enabled platform ingests internal and external data to create real-time nano-profiles for every entity in the system, and we apply a combination of machine learning models and configured rules to produce risk assessments specific to each activity. At one of our open banking customers, we are almost done building what we believe will be the world’s first open banking machine learning model.

Underlying our orchestration strategy is an agile, graphical user interface that splits and rejoins customer journeys in order to make the best decisions about risk, without adding friction. And our API connectivity is based on space-grade architecture that simply cannot be hacked into. At one of our bank customers, beyond PCI DSS, we implemented 800 custom security controls to satisfy their requirements for total risk mitigation.

Feedzai for PSD2 is the result of years of data science innovation, in the service of an AI platform purpose-built to fight fraud. But with all the technology that goes into it, what I’m proudest of is how agile it is. Our orchestration is enterprise-grade, but it’s also easy. However a bank wishes to interpret open banking, with all its potential opportunities, Feedzai can make the strategy secure and seamless. That makes us a partner, not just in risk, but in digital transformation too.

About Richard Harris

A veteran in both the finance and technology industries, Richard is helping to lead Feedzai’s global scaling. Before joining Feedzai, Richard held Vice President roles at both Experian and Accertify, during which time he built global sales teams and helped lead regional expansion. Richard has held leadership positions with Visa and PayPal, following various technical and development roles, and has also served as a member on the board of the Merchant Risk Council.

About Feedzai

Feedzai is the market leader in fighting fraud with AI. We’re coding the future of commerce with today’s most advanced risk management platform powered by big data and machine learning. Founded and developed by data scientists and aerospace engineers, Feedzai has one mission: to make banking and commerce safe. The world’s largest banks, processors, and retailers use Feedzai’s fraud prevention and anti-money laundering products to manage risk, while improving customer experience.

This editorial was first published in our Open Banking Report 2018. The Open Banking Report 2018 focuses on topics such as building trust, gaining consent and improving customer experience in Open Banking.

