New payment service opportunities require strong IT security

Fintech businesses and apps designed to provide consumers with new types of payment services should have been benefitting from new market openness and transparency since January 2018. However they need to make sure they understand their IT security risks and regulatory requirements.
The new opportunities opening up for Fintech firms stem from the revised Payment Services Directive (PSD2), which became effective in the UK on 13 January 2018. The directive requires all types of payment service providers including issuers of electronic money (PSPs) to make significant changes to existing operations and aims to increase competition in the payments industry by facilitating the entry of new players into the market.
PSD2 will have a major impact not only on traditional PSPs such as banks, but also on providers of other and newer payment services. This is because PSD2 also covers payment initiation service providers (PISPs), which trigger payments to third parties on the account holder’s behalf, and account information service providers (AISPs), which can, for example, provide individuals with a consolidated view of all their banking and investment accounts.
Under PSD2, customers of banks (or of any account-servicing PSP) have a right to use PISPs and AISPs where their payment account is accessible online and they have given their consent. This potentially creates a greater incentive for tech start-ups to develop products and services in the payments and electronic money arena – banks will not be able to block them. New opportunities could also open up for technology companies involved in cryptocurrencies such as Bitcoin.
Any tech business wanting to capitalise on these new opportunities will need to consider three core IT security issues:
  • risk management: PSD2 requires all PSPs to establish a framework to manage operational and security risks. In addition, PSPs will need to report at least annually to the Financial Conduct Authority, giving updated operational and security risk assessments, a report on the adequacy of control and mitigation measures, and statistical data on fraud;  
  • authentication: the European Banking Authority (EBA) has produced Regulatory Technical Standards (RTSs) on strong customer authentication. Strong authentication requires customers to use multiple means of confirming their identity (e.g. inputting a code and applying a fingerprint). Although PSPs will have to comply with these standards in most cases, there are exceptions (e.g. contactless payment under £30);
  • communication: secure communication is also covered by the EBA’s standards. Communication between PSPs must be secure to minimise the risk of customers having their funds diverted or altered mid-transaction.
Although the EBA’s standards don’t come into force until 2019, all PSPs need to be taking steps to prepare for them now. All PSPs – existing players and new entrants – need to make sure they understand the requirements of PSD2 itself. It’s worth noting, for example, that PSD2 has a much wider scope than the previous directive. It will apply even where one of the PSPs involved in a transaction is outside the European Economic Area, which was not the case before.   

Information is a key asset of any large bank and PSD2 opens up access to this information letting others gain value from it. This information will likely be personal in nature and will therefore fall under the General Data Protection Regulation (GDPR) which comes into effect next year, so any business that deals in this exciting, new space will have to ensure that they not only meet the requirements of PSD2 but also ensure they are GDPR-compliant.    

Moore Stephens can help existing PSPs and new start-ups to understand and address the IT security and GDPR issues associated with PSD2. In addition if you are developing new forms of payment service, you could potentially be eligible for R&D tax credits, which could help to fund your business operations and our experts can advise on your eligibility. Our team are also able to assist those firms who require support in achieving PSD2 compliance for the first time and also existing authorised/registered PSPs who need to upgrade to the new and higher regulatory and IT standards as required since 13 January. 

For further help and advice, please contact our IT consulting team and our Regulatory Consulting team. 

Leave a comment

 Security code