PSD2 aka Payment Services Directive 2: Identity, Reputation, Security and Privacy

Four Types of Regulation

After having lived and worked in the US, UK, Switzerland, Japan and India, I have formed a view that each country's approach to regulation mirrors how we chastise kids in the family for saying stupid things at the dinner table. Here's how:

• American regulation (Prescription): Go to your room.
• British Regulation (Collective Indignation): You should be ashamed of yourself.
• European Regulation (Penance): Write 'I will not do that again' 100 times.
• Chinese/Indian Regulation (Tiger Parenting): Spank...

PSD2: A Fifth Type of Regulation

PSD2 is a historic intellectual achievement in that it's motivated by innovation, not proscription. Generally, we think of regulators as old, cynical, parental beings that moralise and punish incessantly. PSD2 is more like a series of snapchat messages that a spunky kid in shorts and flip-flops wrote on an iPhone. Or maybe, some grandpa retired banker got jealous of his grandkids having all that fun posting messages from Amazon onto Twitter and Facebook, or using Facebook to log onto everything and exclaimed... why can't I do that with money? Why can't Amazon take me to my Barclays account and voila, I buy that toy my grandkids have been inseperable from...

Regulation as an Instrument of Competition

Unlike those Americans, we Europeans are people of refined sensibilities. This is reflected not just in the stuff we make i.e. Nespresso, Patek Philippe, Prada and Chanel, but also in the enormous value we supposedly place on privacy.

Especially since Eddie Snowden revealed all, we have been using a four letter word called GDPR (Global Data Privacy Regulation) to put Silicon Valley firms where they belong, which is, outside Europe. To some extent, this is a response to how the six US regulators have been pushing European banks where they seem to think European banks belong, i.e. inside Europe.

If the Americans were just prying over our selfies and tweets, we could have lived with that, but no... they want all of their tax cheats that buy a good chunk of our Pradas and Chanels to pay their taxes in America... and that's taking Uncle Sam's arms a bit too close... Swiss Secrecy and GDPR are basically about that methinks.

Enter PSD2... Surprise!

It's quite remarkable then that the Europe of GDPR came up with the idea of allowing Amazon (PISP and thus also the Spamazon of Siberia or Nigeria) to access (XS2A) my bank account (ASPSP) and pay for that funky toy or create a dashboard across my accounts (AISP) without going through Worldpay or Visa. 

As it stands, the times of payments were always a-changing even without Paypal, Apple Pay, Merchant Wallets, PSD2. Bitcoin, P2P payments etc. were going to make existing oligopolies irrelevant anyway. So I find it quite incredible that European regulators chose to accelerate the process of change rather than entrench existing powers, as regulators often unintentionally do.

I suspect there were three motivations involved here:

1. Prevent Silicon Valley folks (Apple Pay, Bitcoin, Amazon et al.) from taking over the money pipes in Europe by defining and driving how payments are supposed to work.
2. Give yet another one to banks, who brought this pain upon us all, by taking consumer screen time away from them.
3. Genuinely promote European businesses, trade and economic integration.

Liberte', Equalite', Fraternite' and Oops... Securite'

Thing is, money is funny. I am not going to go into the high-school orthodoxy about store of value, unit of account and so on here. It's sufficient to say that money is associated with our need to survive with at least half as much intensity as our body parts are. It's one thing for Hacker Hackerovich of Siberia to hack into my Gmail and send incriminating emails, and it's quite another for him to take my money and send it to Ying Yang of Beijing without my knowledge or permission.

And open API access to money... well, really?

Enter Strong Authentication

So grandpa Yanis Technophilis of EBA asks around and Cyber Cyberos of Cyberia says... hey, use that magic bullet of strong authentication. That btw, is a fancy name for making sure that for every transaction, customer Joe Smith proves three things

1. Joe's doing it (Inherence).

2. Joe knows something only he knows (Knowledge).

3. Joe has something he's supposed to have (his iPhone or token).

As it turns out, strong auth is kinda hard... and the hardest part is inherence. Biometrics are one way of showing Joe's the dude but Biometrics aren't particularly fake proof either. Maybe behavioural proof is needed, but I can potentially copy behavior as it's captured in bits and bytes.

If we tie behavior and posession together i.e. force Joe to access the account only through one particular phone... he's not going to keep this account for long is he?

Well... Privace', Usabilite', Securite' is the new cry of the European revolution... 

Enter Identity and REPUTATION Systems... Customer, Who?

If you've been reading along so far and you've been anywhere near a big bank's multiple customer or account databases from the loans, mortgages, savings and cards business, I am sure you're already wondering, "How on the planet will a big bank bring all of that data together underneath a fancy API correctly and cleanly"? 

Single customer view is hard enough, and now PSD2?

And it gets worse.

• How do I, BigBank know that Joe Smith of Yorkshire, coming to me via Amazon is the same dude as Joe Smith of Yorkshire via this tiny startup called Spamazon?
• How do I know that a transaction via Spamazon of a high fraud risk jurisdiction like Nigeria is actually coming via Spamazon (one leg out transaction) and has been authorised by Joe Smith.
• How do I know that Joe hasn't been involved in some infernal fraud involving his account with NotSoBigBank and maybe should have to do 10 more clicks before spending £5000 than he does before spending £50?
• How do I make sure I don't manage to upset my profitable customers while protecting them from Spamazon's creative financial activities?

If we look closely at the sharing economy tools like Uber, AirBnB or Tripadvisor, all of these tools rely heavily on reputation. Drivers and Passengers rate each other on every transaction and the next time they have a chance to meet, they can choose to look at each other's ratings, or reviews and say yes or no to the transaction.

Open that Fraud Account

Reputation can be determined (scored) by a single provider or by a network of providers. When BigBank KYCs a dude and then track his transactions, the dude forms a reputation over time within BigBank's network. If dude fails to pay his bills or runs non stop overdrafts, BigBank hesitates to give him a loan next time. Thing is... dude can keep all his misbehaviour to NotSoBigBanks around the world, and be the nicest bunny that ever opened an account with BigBank.

Credit Scoring is the most common way reputation systems work in finance, and indeed,  reputation works when reputation is shared across a network. Seriously, if you are looking to marry dude, you might want to ask his exes and his friends too and not just rely on dude treating you nice so far.

Unfortunately reputation systems require a notion of shared identity across the network. If Joe Smith misbehaves while using his NotSoBigBank account, BigBank needs a way of knowing that it's the same Joe Smith who's requesting this risky transaction. Maybe BigBank also would like to know that Joe's been returning 90% of his purchases and providing abusive reviews on Amazon, while saying all nice things about Spamazon, which by the way, has a low reputation itself.

Having our Privace' Cake and Eating Our Securite' and Usabilite' cakes too!

So here we are, full circle...

1. We started out with our fine European sensibilities and the need for privacy.
2. Then we realised we needed financial innovation and so we invented usability, disintermediation and APIs...
3. Then the banks cried foul and said... this is money.... what about Security?
4. When we started solving for security, we asked for identifiability and non repudiability (of user, device, transaction, PISP and APSPSP), half the privacy was lost here...
5. Then the banks cried foul and said... oh, but what about Fraud! This is MONEY!!! 
6. When we started solving for fraud prevention, we asked for reputation...

And there went privacy, out, out, out of the window... back to where the Americans left us with Eddie Snowden and the NSA...

PSD2 and is pretty awesome... progressive, bold and innovative, but we probably need to rethink privacy... similar to how we kept cameras on the granny that trashed the little cat in London... to make it all work.