20 December 2021
Payment Services Directive 2 (PSD2) is an EU regulation designed to increase competition in the banking and payment industry, while also ensuring consumer protection. PSD2 changes the way people bank and the way banks must think about entitlement management. PwC gets straight to the point with this bold statement: “PSD2 [will] accelerate industry disruption by regulating new forms of Payment Institutions, introducing new interaction models, and mandating the opening of banks’ application programming interfaces (APIs) to third parties.” [1] This is no small IT issue. PSD2 is a game-changing regulation with far-reaching implications.
Effective in 2018, PSD2 is a follow-up to the original PSD which affected banks and other payment service providers. These regulations greatly impact a key aspect of entitlement management: the way banks and other financial services authorize third-party access. For example, accountants or mobile apps might need to access customer accounts and perform transactions on behalf of the account holder. Thus, PSD2 affects all banks that do business in Europe and all of their customers.
PSD2 is designed to give consumers more online banking and shopping options as well as greater ease of use. It is designed to support:
While all this is great news for consumers, it puts new and additional strains on banks’ entitlement management programs and can lead to major security risks. Moreover, this greater access must be given within the boundaries of increased privacy regulations, most notably the General Data Protection Regulation (GDPR).
The problem is further complicated by the fact that PSD2 mandates that banks must open up their APIs to third-party developers. Not only do banks have to expose proprietary code, but in most legacy solutions, entitlement management is hard-coded into either the bank’s APIs or into third-party APIs that the bank uses for this purpose.
While these APIs were sufficient before PSD2, banks run great risks by allowing entitlement management to be controlled by any software that can call these APIs. Entitlement management is, or should be, based on business considerations. But any bank whose entitlement management is embedded in APIs that can be called by third parties has effectively surrendered this vital area of business policy and logic to those third parties.
Fortunately, there is a straightforward answer to the entitlement management dilemma: a policy-based access control (PBAC) authorization solution.
PBAC offers banks a chance to separate entitlement management from other aspects of their software by applying business logic to authorization. For example, it is possible to design a PBAC solution that lets a customer set a limit on how much a store can directly debit their account, or limit which transactions an accountant can see or execute. You can even design different policies for ATM withdrawals depending on the customer’s location.
PBAC solutions can manage all these scenarios and more because they allow you to build logical rules determining what type of transactions a user can perform and under which circumstances. You can decide how fine-grained you want the controls to be, and you can change them on the fly, making them effective immediately. Moreover, PBAC solutions are separate from the APIs that must be exposed under PSD2. This keeps all entitlement management decisions in your hands, since your PBAC solution will have the first and final word in access control.
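To make the three scenarios above concrete, here is a small policy decision point written as an added example for this post; it is not code from the original article or from any vendor's product. The role names, action names, account id and limits are constructed for illustration. The point it demonstrates is that the rules (per-merchant direct-debit ceilings, a read-only scope for the accountant, location-dependent ATM limits, and default deny for anything not explicitly granted) live in policy data that the bank controls, separate from whatever API the third party calls, and that a policy change takes effect on the very next decision.

```python
"""Toy policy-based access control (PBAC) decision point.

Added example for this post. Policy shapes, role and action names, the
account id and all limits are constructed for illustration; they are not
a real bank's or vendor's API.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Request:
    role: str                       # who is calling: "merchant", "accountant", "atm", ...
    action: str                     # "debit", "view", "execute", "withdraw", ...
    account: str                    # the customer account the action targets
    amount: float = 0.0             # monetary amount, where relevant
    merchant: Optional[str] = None  # set for direct debits
    country: Optional[str] = None   # set for ATM withdrawals


@dataclass
class AccountPolicy:
    home_country: str
    # per-merchant direct-debit ceiling, chosen by the customer
    merchant_debit_limits: Dict[str, float] = field(default_factory=dict)
    # actions the customer's accountant is allowed to perform
    accountant_actions: Set[str] = field(default_factory=set)
    atm_limit_home: float = 0.0
    atm_limit_abroad: float = 0.0


Decision = Tuple[bool, str]  # (permitted?, reason for the audit log)


def decide(req: Request, policies: Dict[str, AccountPolicy]) -> Decision:
    """Evaluate one request against the policy store. Anything not
    explicitly granted by a rule is denied."""
    policy = policies.get(req.account)
    if policy is None:
        return False, "no policy for account"  # default deny

    # Scenario 1: a store may only debit what the customer allowed it
    if req.role == "merchant" and req.action == "debit":
        limit = policy.merchant_debit_limits.get(req.merchant)
        if limit is None:
            return False, f"merchant {req.merchant} not authorised for direct debit"
        if req.amount > limit:
            return False, f"amount {req.amount} exceeds merchant limit {limit}"
        return True, "direct debit within customer-set limit"

    # Scenario 2: the accountant's scope is whatever the customer granted
    if req.role == "accountant":
        if req.action in policy.accountant_actions:
            return True, f"accountant may {req.action}"
        return False, f"accountant may not {req.action}"

    # Scenario 3: ATM ceiling depends on where the withdrawal happens
    if req.role == "atm" and req.action == "withdraw":
        at_home = req.country == policy.home_country
        limit = policy.atm_limit_home if at_home else policy.atm_limit_abroad
        if req.amount > limit:
            where = "home" if at_home else "abroad"
            return False, f"amount {req.amount} exceeds {where} ATM limit {limit}"
        return True, "withdrawal within location-based ATM limit"

    return False, f"no rule grants {req.role}:{req.action}"  # default deny


# Constructed sample policy store holding one customer account.
POLICIES: Dict[str, AccountPolicy] = {
    "ACC-0001": AccountPolicy(
        home_country="NL",
        merchant_debit_limits={"grocer-42": 150.0},
        accountant_actions={"view"},
        atm_limit_home=500.0,
        atm_limit_abroad=200.0,
    )
}


def set_merchant_limit(policies: Dict[str, AccountPolicy],
                       account: str, merchant: str, limit: float) -> None:
    """Change a customer's policy in place; the next decide() call sees it,
    with no change to the exposed API."""
    policies[account].merchant_debit_limits[merchant] = limit


if __name__ == "__main__":
    samples = [
        Request("merchant", "debit", "ACC-0001", amount=100.0, merchant="grocer-42"),
        Request("merchant", "debit", "ACC-0001", amount=200.0, merchant="grocer-42"),
        Request("accountant", "view", "ACC-0001"),
        Request("accountant", "execute", "ACC-0001"),
        Request("atm", "withdraw", "ACC-0001", amount=400.0, country="NL"),
        Request("atm", "withdraw", "ACC-0001", amount=400.0, country="FR"),
    ]
    for r in samples:
        ok, why = decide(r, POLICIES)
        print(f"{r.role}:{r.action} {r.amount:>6} -> {'PERMIT' if ok else 'DENY  '} ({why})")
```

Because every decision returns a reason string alongside the verdict, the same function can feed an audit log, which is what lets the bank show both regulators and customers why a given third-party call was allowed or refused. The third party's API call never gets to decide; it only supplies the request.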
PSD2 is here, offering consumers greater freedom as well as posing security issues for banks and other financial services. But it also opens additional business opportunities for those who can master the entitlement management and compliance challenges it poses.
A fine-grained PBAC solution puts you firmly in control of your entitlement management process, enabling you and your customers to safely and fully take part in today’s expanding banking and shopping environment.
[1] https://www.pwc.co.uk/industries/banking-capital-markets/insights/psd2-a-game-changing-regulation.html