Open risk engine
4/17/2023

The revised Payment Service Directive Regulatory Technical Standards (PSD2 RTS) will come into effect in September 2019. It will require every bank (Account Service Payment Service Provider, ASPSP) to apply Strong Customer Authentication (SCA) for almost every transaction. Although this increases security, it also introduces unwanted friction in the payment process. Fortunately, there are exemptions where SCA is not required. However, this requires an ASPSP to perform Transaction Risk Analysis (TRA).

For TRA to be effective, the data about the transaction, the customer and the context needs to be available and analysed in real time by the bank (ASPSP). However, with new service providers or Third-Party Providers (TPPs) joining the payment chain, the data is fragmented and distributed across multiple parties. Moreover, although there are several initiatives to standardise the exchange of payment information (through APIs), there is very limited mention of standardising context and risk data.

In this article, we elaborate on three key points that need to happen in order for banks to make TRA more effective under PSD2.

Security and risk data should be shared through open and common APIs.

Security and risk data consist of contextual data that can be gathered during the entire process of the transaction. Collecting data starts when a customer performs a transaction at a TPP. The TPP can read various data points based on the device the customer uses and his behaviour. After that, at the ASPSP, various data points can also be gathered based on attributes of the transaction and of the account.

During this process, the TPP should use the API call to the bank to provide contextual data, which will be assessed within the bank's fraud engine. This does require parties to use the same protocols and standards for communicating context data.

The payment service provider is allowed exemption from SCA only when the transaction poses a "low level of risk". PSD2 requires the risk assessment to include:

- Lists of compromised or stolen authentication elements.
- Unusual information about the device or software.

Multiple standardisation initiatives are aiming to decrease communication complexity between banks and TPPs. In Europe, several initiatives have been launched to create an open and common API standard for PSD2:

- "NextGenPSD2" is the standard developed by the Berlin Group - consisting of almost 40 banks, associations and PSPs from across the EU.
- Also, in Poland (PolishAPI) and France (STET) initiatives were launched by consortia of banks in their respective countries.
- In the UK, the Open Banking Implementation Entity (OBIE) is also working on a common API standard, an initiative mandated by the UK's Competition and Markets Authority in 2016, ahead of PSD2.

These standards only marginally discuss the sharing of risk and authentication data. The Berlin Group standard specifies only the IP-address as mandatory (from 1.0 version).