The Changing Regulatory Landscape: Payments and Banking

Since 2020, how people bank and pay for items has changed significantly, with behaviors adopted during the pandemic lingering and becoming even more popular. Juniper Research has estimated that the number of people using digital banking globally will reach 3.6 billion this year – a 54% jump from 2020. The American Bankers Association reports that 71% of consumers prefer to manage their bank accounts through a mobile app or computer. And Forbes writes, “99% of banking touchpoints today are remote; no one is talking to a banker anymore.”

When it comes to making payments, ACI Worldwide reported in its 2023 Annual Pulse Report on billing and payment trends and behaviors that 40% of consumers have used a mobile wallet to make some sort of payment, up from 26% in 2019. The Australian Banking Association found that the number of mobile wallet transactions in the country grew from 29.8 million in 2018 to 2.4 billion in 2022. According to Juniper Research’s “Contactless Payments: Key Opportunities, Emerging Trends, & Emerging Market Forecasts 2022-2027,” the global market for digital wallets is expected to grow 130% by 2027. A PwC study forecast that global cashless payment volumes will rise to almost 1.9 trillion transactions by 2025, an increase of more than 80% from 2020.

The growth of digital banking and payment solutions has driven the creation of new financial services by online-only banks and by software developers, third parties, fintech applications, and other non-traditional providers. The available customer base has therefore grown, and many people who could not meet the requirements of established banks and payment systems can now take part in the market. For example, mobile money applications let the nearly 5 billion people worldwide who use a mobile phone transfer, store, and send money from their phone.

This expansion in financial services and payment providers, combined with the ease of accessing digital accounts, the explosion in personal and financial data available online, and the need to ensure the legitimacy of access and transactions, has resulted in a changing regulatory environment. As new services are developed and new technologies are introduced, the rules that govern them are evolving, too, particularly around authenticating customers and protecting their data. Below are several new regulations that will soon take effect in regions around the world.

PSD3 & PSR1

The idea of strong customer authentication (SCA) for online payments was introduced in the European Commission’s (EC) second Payment Services Directive (PSD2), whose SCA requirements began to apply in September 2019. In June 2023, the EC announced proposals to update the PSD, with the final version, PSD3, expected to be published later this year or in early 2025. Alongside it, the EC proposed a directly applicable Payment Services Regulation (PSR1), which will have the largest impact on strong customer authentication.

According to the press release announcing PSD3 and PSR1, “Today’s new rules will further improve consumer protection and competition in electronic payments, and will empower consumers to share their data in a secure way so that they can get a wider range of better and cheaper financial products and services. These proposals place consumers’ interests, competition, security and trust at their centre.”

The original SCA rules required every provider of online payment services to implement multi-factor authentication (MFA) for customer-initiated payments using elements from at least two of three independent categories: something the customer knows (knowledge-based authentication, such as a password or PIN); something the customer has (possession or device-based authentication, such as a mobile phone or smart card); or something the customer is (inherence, a physical or behavioral biometric such as a fingerprint or facial recognition).

According to “A study on the application and impact of Directive (EU) 2015/2366 on Payment Services (PSD2),” 58% of respondents felt that it had contributed to ensuring a high level of security for users of payment services. But it also added complexity and friction to the payment process that, in some countries, reduced conversions and narrowed the use and choice of financial products. There was also confusion about which transactions were subject to SCA, and its reliance on smartphone-based methods limited access for some people, including persons with disabilities and older persons.

The proposals modify SCA by clearly defining which scenarios are exempt and by widening the permitted authentication methods, both to reduce false declines and to accommodate users without smartphones. They would also allow banks that issue payment cards to delegate SCA to third parties such as Apple Pay, and mandate SCA when a card is enrolled in a mobile wallet. Finally, they drop the requirement that the two MFA elements come from two different categories, so in theory two passwords or two biometric factors could satisfy SCA; the elements must still be independent, so that compromising one does not compromise the other.

The proposals also strengthen protection against fraud and spoofing, an attack in which criminals impersonate a trusted financial services company to convince customers to share personal and financial information, send money, or install malware. Measures include making banks liable for customer losses to scammers when they lack proper spoofing protection, improving transaction monitoring to detect fraudulent activity, and providing a legal framework for payment service providers to share information about recent fraud attempts.

PCI DSS 4.0

Version 3.2.1 of the global Payment Card Industry Data Security Standard (PCI DSS) was retired on March 31, 2024, and replaced by PCI DSS 4.0 for all entities that store, process, and/or transmit cardholder data.

One goal of PCI DSS 4.0 is to make security a continuous process and reduce the likelihood of a data breach. It expands the MFA requirement that, in version 3.2.1, applied only to personnel with non-console administrative access and to anyone with remote access to the cardholder data environment (CDE); under Requirement 8.4.2 it now covers all access into the CDE by every user and administrator. Organizations have until March 31, 2025 to implement this future-dated requirement, so until then it is a best practice rather than an assessed control. But, since non-compliance can result in a business losing its ability to accept credit cards, every affected organization should already be working on it.

PCI DSS 4.0 also tightens the password rules that govern the knowledge factor (Requirement 8.3). The minimum password length rises from seven to 12 characters (or eight where a system cannot support 12), and passwords must contain both letters and numbers. A new password may not repeat any of the previous four. Where a password is the only authentication factor for an account, it must be changed at least every 90 days or the account’s security posture must be dynamically analyzed; accounts protected by MFA are not subject to the 90-day rotation.

Requirement 8.5.1 also specifies how the MFA system itself must behave. It must use at least two different types of factors (something the user knows, something the user has, something the user is) to reduce the chance of account takeover. It cannot be susceptible to replay attacks, in which criminals capture transmitted authentication or access-control data and reuse it to gain unauthorized access. No user, including an administrator, may bypass it unless the exception is documented and authorized by management for a limited period. And all factors must succeed before access is granted, with no indication of whether any individual factor succeeded until all have been submitted. Every user and administrator is therefore challenged and must authenticate via MFA each time they access the CDE.
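The replay-resistance rule above is worth making concrete. The following Python is an example added to this article, not code from Daon or from the PCI standard. It implements the standard HOTP and TOTP algorithms (RFC 4226 and RFC 6238, HMAC-SHA1) with a constructed demo secret and a fixed timestamp, and compares a verifier that merely checks whether a submitted code is currently valid against one that remembers the last accepted time step, which is the RFC 6238 recommendation for blocking reuse of a captured code within its validity window.

```python
"""Replay-resistant one-time codes: example added to this article (not Daon's code).

Implements RFC 4226 HOTP and RFC 6238 TOTP over HMAC-SHA1, then shows that a
server which only asks "is this code valid right now?" accepts a captured code
a second time, while a server that records the last accepted time step does not.
"""
import hashlib
import hmac
import struct

# Constructed demo values so the run is deterministic; a real secret is random and per user.
DEMO_KEY = b"12345678901234567890"  # the RFC 6238 test-vector secret
DEMO_TIME = 1_700_000_000           # fixed Unix time (second 20 of a 30-second step)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier for one user's TOTP secret.

    track_used=False accepts any code valid within the drift window, so a code
    captured in transit (phishing proxy, compromised endpoint) can be replayed
    until the window expires. track_used=True refuses any time step at or before
    the last one already accepted, which closes that gap.
    """

    def __init__(self, key: bytes, step: int = 30, window: int = 1, track_used: bool = True):
        self.key = key
        self.step = step
        self.window = window          # tolerate +/- this many steps of clock drift
        self.track_used = track_used
        self.last_accepted_step = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            if self.track_used and candidate <= self.last_accepted_step:
                continue  # this step, or an earlier one, has already been used
            expected = hotp(self.key, candidate)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = max(self.last_accepted_step, candidate)
                return True
        return False


def replay_demo(key: bytes = DEMO_KEY, now: int = DEMO_TIME) -> dict:
    """Submit a genuine code, then replay the same code five seconds later (same step)."""
    code = totp(key, now)
    naive = TotpVerifier(key, track_used=False)
    hardened = TotpVerifier(key, track_used=True)
    return {
        "naive_first": naive.verify(code, now),
        "naive_replay": naive.verify(code, now + 5),
        "hardened_first": hardened.verify(code, now),
        "hardened_replay": hardened.verify(code, now + 5),
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name:16s} {'accepted' if accepted else 'rejected'}")
```

Run stand-alone, the naive verifier accepts both submissions and the hardened one accepts only the first. The same principle applies to any one-time code or challenge (SMS, email, push approval): the server must consume each one exactly once. The hardened check deliberately also rejects a code for an earlier step once a later step has been accepted, which is the intended behaviour under RFC 6238.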

Open Banking

Open banking allows for financial data to be shared between banks and third-party service providers. It is the subject of many different regulations and proposed laws in countries around the world, all of which are in varying degrees of preparing for and adopting it.

According to digital bank BBVA, “An array of different policy initiatives across jurisdictions have emerged to try to make this a reality, ranging from direct regulatory requirements (such as in the EU, UK, Mexico, Turkey or Australia) to market-coordination (Japan, Hong Kong), guidance (Singapore) and industry-led initiatives (New Zealand, Colombia).”

In the EU, PSD3 and PSR1, along with the Financial Data Access (FiDA) framework that was proposed at the same time, address open banking. Jan Ceyssens, Head of Unit, Digital Finance, at the EC has written: “the FiDA proposal aims to establish a clear regulatory framework to make sure financial services customers are in clear control of their data, and enable data sharing where customers so wish.”

In the US, the Consumer Financial Protection Bureau (CFPB) issued a Notice of Proposed Rulemaking regarding Personal Financial Data Rights last October. According to international law firm Perkins Coie, “…the CFPB’s Proposed Rule regarding Personal Financial Data Rights would create the country’s first federal legal framework for open banking.”

The Banker reports, “Following the lead of open banking initiatives in Europe and the UK, five countries in Latin America – Brazil, Chile, Colombia, Ecuador and Mexico – have backed open finance regulations or are implementing them.” In a press release, the Brazilian Federation of Banks (Febraban) noted that there had been significant growth in the Open Finance ecosystem in Brazil, with the number of people who consented to share their data between financial institutions doubling from 21 million in January of 2023 to 42 million in January of 2024.

In New Zealand, the Ministry of Business, Innovation, and Employment issued a draft law in November 2023 designed to improve customer access and control over their own data, allow customers to request that their data be exchanged in a standardized way, and ensure that those who access data are accredited as trustworthy.

With all this personal and financial data available, protecting it against intrusion is critical to the success of the Open Banking movement. But the requirements vary widely. We’ve seen the SCA with its MFA requirement built into the EU’s PSD3 and PSR1. In Brazil, the rules protecting customer data in Open Banking fall under the Brazilian General Data Protection Law, which simply says, “security: use of technical and administrative measures which are able to protect personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination.”

Rigorous oversight by organizations – including the implementation of robust security measures – of all financial transactions, from high-risk to everyday, is the only way forward amidst a constantly changing landscape of regulations and consumer expectations.

Implementing the right MFA for every regulation

Whether decreed by legislation or implemented by the bank or payment services provider to avoid the bad headlines and reputational damage that follow a data breach, MFA can provide the stronger security necessary to protect valuable customer data and businesses themselves.

When it comes to selecting the authentication factors for MFA, choosing biometrics can improve the ease and security of authentication whether the users are employees or customers.

Biometric factors (like fingerprints, selfies, or voice prints) are much more convenient to use than trying to remember a complex, 12-character password. For example, biometric banking allows an employee or customer to simply place a finger on a reader or let their phone’s camera scan their face in-app or in-browser to complete an account transaction.

Biometrics can also be more secure. A physical or behavioral trait (typing rhythm, key pressure) can’t be forgotten or shared the way a password can, and can’t be lost like a smart card or other physical token. Because the second factor no longer depends on a numeric code delivered by SMS or email, biometrics also removes the exposure to SIM-swapping, a fraud in which a criminal takes over a victim’s phone number to intercept one-time codes that are often paired with passwords. What’s more, a biometric system stores and matches a template, a mathematical representation of the person’s face, voice, or behavior, rather than the raw sample itself. Templates should still be treated as sensitive data and stored encrypted, and the system should include presentation-attack (liveness) detection, so that neither a stolen template nor a photo, recording, or replayed sample is accepted in place of the live, genuine person.

Multi-factor biometric authentication from Daon is already helping the financial services industry keep fraudsters at bay and legitimate customers happy. Learn more about our solutions.