Helping banks meet PSD2 and the continued implementation of open banking regulations

With the introduction of Payment Services Directive Two (PSD2) regulations, banks were forced to reassess their architectures and develop new processes and systems to support open banking for secure third-party payments and improve data transparency for users. We speak to Senior IT Security Consultant Per-Gustaf Stenberg about his experiences from developing PSD2 solutions for Scandinavian banks.

What is PSD2?
In a nutshell, it’s an EU regulation for digital payment services that was proposed in 2013, was passed by all member states in 2018 and went live at the end of 2020 – giving banks the opportunity to roll out solutions. It was developed to promote security and improve data transparency for consumers – and specifically who can access their data – while supporting the increased use of APIs from third-party providers. It was also designed to boost innovation in the financial sector. Secure authorization and authentication are a central part of it.

How did the banks react to the planned implementation of PSD2 regulations?
It depends on a bank’s size, really. Most of the bigger banks put together large-scale, highly qualified teams to implement the necessary changes. However, many of the small to medium-sized banks didn’t have the in-house expertise to do this, which is where we could support them – our first PSD2 project started back in 2019. Interestingly, in conjunction with this, a lot of banks took the opportunity to analyze their architectures and see how they could re-invent them and develop new products as part of open banking. After all, it’s no secret that too much reliance on legacy systems is a security concern, especially for older banks and those that have grown through acquisition and as a result have multiple systems to manage.

How have Ductus been helping banks with PSD2?
At Ductus we have a number of consultants who are experts in exposing APIs and digital services securely online, and having a good understanding of how to implement the PSD2 regulation is essential to this. This is just one part of our larger Secure Your Digital Services solution offering, which we offer across all industries. When it comes to PSD2, we’ve been focusing on authorization and authentication for open banking, and in particular, the technology and processes that revolve around data owners giving consent to third-party providers. Typically, this has meant deploying the OAuth2 RFC standard and specification with an existing identity solution from our partner Curity, which involves integrations with API management and API portals.

“At Ductus we have a number of consultants who are experts in exposing APIs and digital services securely online, and a good understanding of how to implement the PSD2 regulation is essential to this.”

How close is the collaboration with banks?
We work closely together, often as part of a bigger PSD2 project involving teams of integrators, API developers, and mainframe support, along with legal experts who have been interpreting the new regulation. In our role, we often bridge the gap between legal’s interpretation of the regulation and the needs of those wanting to onboard new third-party payment providers and expose the APIs to the public. This is a complex technical process consisting of multiple components including TLS handshakes, tokenization and certificate verifications – that must run smoothly. This is further complicated by the fact that it involves the banks, third-party providers, and users who must give their approval for account access to take place, every 90 days.

Has the process been standardized?
Since it’s a relatively new regulation, the processes are still being refined. The Berlin Group – a European standards initiative – is developing a PSD2 framework but this is a work in progress. What they have published is helpful and it’s regularly updated but it doesn’t answer all the questions. This is something that we are doing while developing and maintaining solutions for our bank customers.

How do Ductus services support the PSD2 and open banking process?
Essentially, we help ensure that tokens within a bank’s system are issued correctly based on the third-party provider in question. They extract information from certificates, including financial institution IDs and roles, as well as TLS fingerprints, and compare it with the information in tokens before granting or denying authorization. Much of the work involves tailoring this to fit the specific architecture of a bank.

Ductus is typically involved in supporting banks with steps 3 to 5.

Step 3 redirects the PSU (end-user) through a standard OAuth2 flow to issue a consent for a given action to be used by the third-party provider, such as performing a payment transaction or fetching account information.

In step 4, the third-party provider presents a valid certificate (mutual TLS) issued with specific roles (AISP/PISP), so that a token can be issued with the correct permissions.

The certificate is presented again in step 5, when the third-party provider requests the data (open banking), and is matched against the previously issued token.
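As an added illustration of steps 4 and 5 (example code written for this page, not Ductus’s or Curity’s implementation), the following shows a token bound to the fingerprint of the provider’s mutual-TLS certificate, following the x5t#S256 confirmation claim pattern of RFC 8705, and re-checked when the provider calls the API. The certificate fields, organisation ID, signing key and role names are constructed placeholders, and the 90-day consent check reflects the re-approval interval mentioned above.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample of the fields a bank's authorization server would pull
# from a third-party provider's mutual-TLS certificate (not a real certificate).
TPP_CERT = {
    "der": b"constructed DER bytes of the AISP certificate",
    "org_id": "PSDXX-CONSTRUCTED-000001",  # constructed financial institution id
    "roles": ["AISP"],                     # account information only, no PISP role
}
ROLE_FOR_SCOPE = {"accounts": "AISP", "payments": "PISP"}
ISSUER_KEY = b"constructed-issuer-key"     # stands in for the token signing key
CONSENT_MAX_AGE_DAYS = 90                  # PSU must re-approve access every 90 days


def cert_thumbprint(der: bytes) -> str:
    """Base64url SHA-256 of the certificate, i.e. the x5t#S256 value the token is bound to."""
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode()


def issue_token(cert: dict, scope: str, consent_age_days: int) -> str:
    """Step 4: issue a token only if consent is fresh and the cert carries the role the scope needs."""
    if consent_age_days > CONSENT_MAX_AGE_DAYS:
        raise PermissionError("PSU consent older than 90 days, re-authorization required")
    if ROLE_FOR_SCOPE[scope] not in cert["roles"]:
        raise PermissionError(f"certificate lacks the {ROLE_FOR_SCOPE[scope]} role for scope {scope}")
    claims = {"sub": cert["org_id"], "scope": scope,
              "cnf": {"x5t#S256": cert_thumbprint(cert["der"])}}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_request(token: str, presented_cert: dict, scope: str) -> bool:
    """Step 5: check token integrity and scope, then that the cert on this TLS connection
    is the one the token was bound to, so a leaked token is useless without the private key."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["scope"] != scope or claims["sub"] != presented_cert["org_id"]:
        return False
    return hmac.compare_digest(claims["cnf"]["x5t#S256"], cert_thumbprint(presented_cert["der"]))
```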

How many banks have you supported with PSD2?
We’ve worked with quite a number of banks throughout Scandinavia, for example Collector Bank. For some, it was a question of helping meet compliance, while for others it’s been helping them to use PSD2 as a game-changer for the types of services they offer customers. This usually comes down to the size of the bank and what their customers require of them. But regardless of their plans, as soon as a bank customer requests a third-party service, the bank is obliged to provide it, which means they most probably require a PSD2 solution.

What can we expect to see in the future?
Like many regulations, the launch of PSD2 is just the beginning. New financial OAuth2 and OpenID standards are being developed continuously by the community to improve the open banking experience. These standards will need to be implemented in existing PSD2 solutions to ensure compliance. Our long-running relationships with our banking customers mean we will be ready to help them as and when they need it.

About Per-Gustaf Stenberg, Senior IT Security Consultant at Data Ductus

Per-Gustaf has been working at Ductus for six years. Originally working with ‘classic’ development, over time he has moved into automating operations with a strong focus on security. He has helped multiple banks implement a successful PSD2 solution.