Discover how Advocate consultants helped assess the challenges of PSD2 in a Hungarian Bank.
The second version of the Payment Services Directive (PSD2) is a game-changer for banks operating in the European Union. PSD2 imposes specific challenges on market participants, and mostly on their IT departments, because PSD2 compliance requires the following functionality: opening up access to customers’ accounts through an API, requiring customers to perform Strong Customer Authentication (SCA) for online transactions, and maintaining fraud monitoring systems and the accompanying processes. One of Hungary's banks chose Advocate consultants to analyse the legal requirements and provide an in-depth Business Requirements Analysis for PSD2 compliance.
Challenges that come with PSD2
The directive mandates banks to open their customers’ data (including several accounts, account history, balance) and allow third party providers to perform certain operations (payment initiation, account history and balance check) with the account owner’s permission. For these operations an independent API must be published (Open API functionality).
Because of the security issues associated with online transactions, PSD2 requires banks to perform Strong Customer Authentication (SCA) in certain situations (when a user initiates a payment or when account information can be viewed). SCA must be carried out with independent, non-mutable authentication elements, using two of the following: something the user knows, something the user has and something that is inherent to the user.
Lastly, the third pillar of PSD2 was the requirement of having and maintaining an appropriate Fraud Monitoring System, which would allow real-time monitoring and data-gathering for all online electronic payment transactions (Internet Bank, Mobile Bank and card transactions). This Fraud Monitoring System would be integrated with the transaction origination systems and would be operated and monitored by the team of IT Security, Anti Money Laundering and Compliance Officers.
The main challenge for the bank in becoming fully compliant with PSD2 was the lack of information on how exactly the directive affects the bank’s internal processes and what kind of IT developments are needed. Senior Advocate IT Business Analysts were asked to help prepare an in-depth analysis.
How it was achieved - in-depth analysis of PSD2
The complex task of the in-depth analysis was done by our consultants, who were responsible for analysing the current processes and then deriving the requirements needed to comply with the directive.
First of all, Advocate consultants analysed the current processes and the IT systems involved in online payment transactions, the current Fraud Monitoring and Bankcard departments, and cross-checked the current processes with the requirements of the directive. Our consultants found the following:
- For the Open API and SCA on the Internet Bank and Mobile Bank, a new, centralised authentication and authorisation system is needed, which would be responsible for performing the SCA and the SCA-related dynamic linking.
- For enabling SCA in the case of bankcards, different solutions must be implemented based on the type of the card (debit or credit). Our consultants prepared the necessary analysis in order to get full knowledge of the to-be processes.
- For Fraud Monitoring System integration, Advocate consultants met with industry-leading providers of Fraud Monitoring Systems, gathered information, cross-checked it with the law and made a detailed business requirements specification.
For all three major pillars of PSD2, a fully detailed Business Requirements Specification document was written by our consultants. The documentation contained the following:
- legal references from the directive for all the use cases;
- detailed alternatives that could be used to help management decisions regarding how the bank should operate under PSD2;
- detailed scorecard for the procurement of the necessary systems, software and integration components.
With the help of our consultants, our client was able to get a full understanding of how PSD2 affects its operations and what kind of process and IT-related changes must be made in the bank. The PSD2 requirements analysis project lasted just a couple of weeks from start to finish.