Behavioral Biometrics in a PSD2 World

May. 31, 2018 | by BioCatch

The financial services industry is in the midst of sweeping change. Earlier this year, we saw one of the latest shifts with the introduction of the European Union’s revised Payment Services Directive (PSD2).

Though the PSD2 regulation is set to revolutionize the banking industry, it’s also introduced new fraud risks for financial institutions. These risks raise the question once again of how banks can increase security while still delivering excellent customer experiences.

PSD2, in Brief

PSD2 requires European financial institutions to allow third-party payment providers (TPPs) to connect to their internal systems through open APIs. With bank data opened up to third parties, customers will be able to pay directly from their bank accounts. The regulation also introduces requirements for stronger authentication based on at least two of the following factors:

  • Knowledge, like a password
  • Ownership, like a token or card, and
  • Inherence, like a user’s physical or behavioral biometrics.

Though the PSD2 regulation aims to make online payments less complicated, more flexible and more secure, as with any new technology, fraudsters won’t wait to start launching attacks that take advantage of new weaknesses. In this case, the new weak point is the TPP channel.

PSD2 and Behavioral Biometrics

Many of the security and fraud controls European banks currently have in place won’t be able to stop fraudsters from attacking banks via third parties. These solutions aren’t set up to monitor sessions originating with TPPs.

Risk begins at the account opening process. Under PSD2, users can open an account with a TPP, and financial institutions are required to let the TPP link to the user’s bank account. Fraudsters are skilled at using synthetic identities to open fake accounts. If TPPs don’t pick up on fraud in the account opening process, banks need a way to spot fraudulent accounts after the fact to protect themselves and their customers.

TPPs do have to meet certain fraud detection levels to stay in operation, and banks can use behavioral biometrics to monitor the rate of fraud in their TPPs to make sure they are acting as secure partners. This is possible through continuous monitoring of user behavior before and after login to differentiate between fraudsters and legitimate users.

This leads to the challenge of authenticating users without introducing friction into the customer experience. PSD2’s Strong Customer Authentication (SCA) section requires two factors for authentication. Behavioral biometrics fall under inherence and are the best way to introduce strong security without customers feeling the effects in the user experience.

Behavioral biometrics work in the background to build up profiles based on a user’s unique actions. How do they type or click? How fast do they move a mouse? Any deviations from the norm alert a bank to possible fraudulent activity. This lets banks meet PSD2’s authentication requirements as well as stop account takeover attacks in the initial authentication process or when a user has to re-authorize after a 90-day token expires.
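To make the profiling idea concrete, here is a deliberately small illustration added to this post (it is not BioCatch’s product code or model): a user’s enrollment sessions are summarized into a per-feature baseline, and a new session is scored by how many standard deviations each feature strays from that baseline. The feature names, sample values and the threshold are constructed for the example; a production system would track many more signals over far more sessions.

```python
from statistics import mean, pstdev

# Constructed enrollment data: per-session averages for one user, collected
# passively in the background while they used the banking app.
ENROLLMENT_SESSIONS = [
    {"key_interval_ms": 182, "mouse_speed_px_s": 410},
    {"key_interval_ms": 175, "mouse_speed_px_s": 395},
    {"key_interval_ms": 190, "mouse_speed_px_s": 430},
    {"key_interval_ms": 178, "mouse_speed_px_s": 402},
    {"key_interval_ms": 185, "mouse_speed_px_s": 415},
]

SD_FLOOR = 1.0  # keeps scoring stable when enrollment values barely vary


def build_profile(sessions):
    """Per-feature mean and standard deviation across the user's enrollment sessions."""
    profile = {}
    for feature in sessions[0]:
        values = [s[feature] for s in sessions]
        profile[feature] = {"mean": mean(values), "sd": max(pstdev(values), SD_FLOOR)}
    return profile


def deviation_scores(profile, session):
    """Absolute z-score of each observed feature against the stored profile."""
    return {f: abs(session[f] - profile[f]["mean"]) / profile[f]["sd"]
            for f in profile if f in session}


def is_anomalous(profile, session, threshold=3.0):
    """True when any feature strays more than `threshold` SDs from the user's norm.

    A session with no measurable features yields no alert here; a real system
    would treat missing telemetry as its own risk signal rather than ignore it.
    """
    scores = deviation_scores(profile, session)
    return bool(scores) and max(scores.values()) > threshold


if __name__ == "__main__":
    profile = build_profile(ENROLLMENT_SESSIONS)
    genuine = {"key_interval_ms": 184, "mouse_speed_px_s": 408}   # constructed
    scripted = {"key_interval_ms": 60, "mouse_speed_px_s": 1500}  # constructed
    print("genuine anomalous:", is_anomalous(profile, genuine))
    print("scripted anomalous:", is_anomalous(profile, scripted))
```

The same scoring can be applied per TPP by aggregating the share of sessions flagged through each provider, which is the fraud-rate monitoring the previous section describes.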

The PSD2 regulation is an opportunity for banks to lead the way to stronger authentication and fraud prevention strategies that will put them well ahead of their peers as the shift to digital continues. Innovation is the way to stay competitive, increase customer trust, and build a world where our payment systems are as user-friendly as they are secure.

Learn more about how behavioral biometrics can help you manage PSD2 risk and compliance in our data sheet.

Topics: Authentication, Technology