We mustn’t lose sight of security amidst this Fintech revolution

Fintech is thriving and PSD2 is probably going to do more to bolster this revolution than anything else.  The second iteration of the European Payment Services Directive will reshape the payments landscape when it comes into force next year.  The traditionally large incumbent banks will face increased competition (and many would argue rightly so) from new third party providers, of which there are two principal types – Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).

AISPs will connect together your various bank accounts and present you with a consolidated view of your total assets, giving users the opportunity to plan, budget and invest their funds more wisely.  PISPs will be able to initiate payment transactions directly from your bank account to a merchant using a software bridge, potentially removing the need for an intermediate wallet or (debit, credit, prepaid) card layer.

Earlier this month we also saw a press release from the Competition and Markets Authority in the UK entitled “CMA paves the way for open banking revolution”. This describes a package of reforms that will force banks to implement ‘open’ banking – mandating that more functionality be delivered by the financial apps many of us rely on, which frustratingly have been limited compared to the fuller, richer online banking experience.
PSD2 mandates greater control, more flexibility and more openness, whilst the CMA is prescribing more focus on digital access.  Whilst such initiatives offer more choice and flexibility for consumers, they must also address the new security challenges they introduce. These financial digital superhighways need to be appropriately policed and secured, as do all the end (digital) devices which will now be able to tap into these networks and mine all this rich, sensitive personal information at the touch of an app.

And it’s these end devices which are the most worrying of all: they sit outside controlled networks and behind no corporate firewall. By definition they are mobile, moving untracked from owner to owner and location to location, and the danger is that without appropriate end device security this will lead to a lack of trust and disappointingly low levels of adoption by consumers.
It was therefore with some relief that I read today the European Banking Authority (EBA) consultation document on the requirements for ‘strong customer authentication’ and ‘secure communication’ under PSD2. Inside this 51-page document the EBA is explicitly soliciting feedback on how ‘strong customer authentication’ should be achieved and implemented, and, with specific reference to end devices (referred to as ‘elements’), article 6 proposes:

“ …the mitigating measures shall include, but not be limited to … the implementation of separated trusted execution environments inside the multi-purpose device”

This is definitely a step in the right direction. Trusted Execution Environments (TEEs) are hardware-isolated areas of the main processor in connected devices such as smartphones and tablets, set-top boxes and televisions.  Code and data (such as sensitive financial information or cryptographic keys) held inside the TEE remain protected and isolated from the device's main operating system, so malware that compromises that operating system still cannot read or tamper with them.  A TEE can also host simpler, yet highly secure, authentication methods, for example end-to-end protected biometric authentication or one-time password generation, as well as providing a trusted user interface that secures in-app screen and keyboard interactions, making possible features such as secure balance display and secure PIN entry.
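To make the one-time password case concrete, here is an added example (not code from the original post, and not Trustonic's own) of the split that a TEE-backed OTP scheme relies on: the OTP seed is provisioned into a trusted application and never crosses the boundary back to the main operating system, which can only ask for the next code or ask whether a candidate code is valid. The OTP algorithm is HOTP from RFC 4226, which is real; the `TrustedOtpApplet` class and its `handle()` command interface are assumptions standing in for a real trusted application and the TEE client API that would invoke it.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TrustedOtpApplet:
    """Stands in for a trusted application inside the TEE (an assumption for
    this example). The seed is set once at provisioning and is never
    returned through the command interface; only generated codes and
    yes/no verdicts cross the boundary to the rich OS."""

    def __init__(self, seed: bytes):
        self._seed = seed      # lives only on the 'secure' side
        self._counter = 0

    def handle(self, command: str, payload: dict) -> dict:
        """The only entry point the rich-OS application is allowed to call."""
        if command == "generate":
            code = hotp(self._seed, self._counter)
            self._counter += 1
            return {"ok": True, "code": code}
        if command == "verify":
            # Accept the candidate if it matches one of the next `window`
            # counter values, then move the counter past the used value so
            # the same code cannot be replayed.
            window = payload.get("window", 5)
            candidate = payload["code"]
            for step in range(window):
                expected = hotp(self._seed, self._counter + step)
                if hmac.compare_digest(expected, candidate):
                    self._counter += step + 1
                    return {"ok": True}
            return {"ok": False}
        # Any other command (including attempts to read the seed) is refused.
        return {"ok": False, "error": "unknown command"}


def rich_os_login(applet: TrustedOtpApplet, entered_code: str) -> bool:
    """What the banking app on the rich OS would do: it never sees the seed,
    it only forwards the user-entered code and gets back a verdict."""
    return applet.handle("verify", {"code": entered_code})["ok"]


if __name__ == "__main__":
    # Constructed seed: the RFC 4226 test-vector secret, used here only so
    # the output can be checked against the published vectors.
    seed = b"12345678901234567890"
    token = TrustedOtpApplet(seed)     # the user's device
    verifier = TrustedOtpApplet(seed)  # the bank's copy of the counter
    code = token.handle("generate", {})["code"]
    print("code:", code, "accepted:", rich_os_login(verifier, code))
    print("replay accepted:", rich_os_login(verifier, code))
```

The verifier's look-ahead window tolerates a token that has generated a few codes the server never saw, while advancing the counter on success is what stops a captured code from being replayed; the seed itself is reachable from neither side of the `handle()` boundary.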

Trustonic secures connected devices, and at the heart of the Trustonic proposition is its Trusted Execution Environment, now available in over 700 million smartphones and growing at a rate of 20 million new devices each month. This phenomenal growth bodes well for PSD2 and fintech innovation more generally, as it means that an appropriate level of security can be made available all the way through to end user devices, protecting critical information and user interaction.

Financial applications secured by TEE technology may be just what the doctor ordered (and what PSD2, the CMA reforms and the EBA's draft requirements point towards) – a scalable and increasingly common technology that delivers hardware-secured protection for end user applications and data, and that can finally deliver not just true innovation to consumers but also the much needed security that must underpin such a revolution.