Banks are stepping up their efforts to participate in open banking, which has arrived in the wake of EU and national legislation enacted across the world. The prize for finding the correct mix of security and usability to suit different transactions is big: PwC consultants and the Open Data Institute examined the first 6 months of open banking in the United Kingdom and projected that by 2022, the market could generate £7.2 billion in value.
Participation in open banking — mandatory for banking giants — means not only working with third parties using APIs but also putting consumers in charge of their personal data. Consumer ownership of data is uncharted territory, and success relies on finding the sweet spot between robust security, on the one hand, and ease of use for customers on the other.
Peter Handzus, solution architect at DXC Technology, proposes an electronic identification card (eID), developed for the Slovakian government, as the foundation for a future mobile authentication and consent tool to solve the open banking challenge. The eID card is a proven way of authenticating and authorising transactions using multiple factors dynamically. “It’s a safe environment where citizens always have control over their personal data,” says Handzus.
The Slovakian eID card complies with the European Union’s General Data Protection Regulation (GDPR) and is used to file tax reports, register new companies and apply for social benefits, among other uses. “Citizens can see in advance what kind of data the provider requires to process their request and can choose to allow access only to that specific personal data,” Handzus says.
DXC is building on the robust security of the eID card to develop a mobile eID suitable for financial consumers who need authorisation on the fly. Mobile eID applies cryptography in an unusual way: the cryptographic algorithms, keys or key lengths can change from one authentication act to the next, while the service itself continues without interruption.
Additionally, it deploys a flexible combination of factors, according to transaction type or amount of money. “Buying a new pair of shoes is wholly different [from] authorising a mortgage settlement — finding the assurance fit is the magic,” says Handzus. “You can just click to approve and/or provide PIN plus the extra comfort factor of biometry — facial, fingerprints — or whatever the customer device or smartphone supports. The mobile eID solution can be used solely on mobile or on a PC-mobile combination where on the PC you consume service and use mobile for authentication and authorisation of transactions.” Crucially, this solution complies with all key regulations, including GDPR; the second Payment Services Directive (PSD2) with its strong customer authentication Regulatory Technical Standards (SCA RTS); and Electronic Identification, Authentication and Trust Services (eIDAS).
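As an added illustration, not code from the article or from DXC, the sketch below models the two mechanisms just described: an assurance tier chosen by transaction type and amount, and a key and algorithm rotation after every authentication act that keeps phone and bank in lockstep without re-enrolment. The tier thresholds, the HMAC construction and the assumption that the bank's choice of next algorithm reaches the phone inside the authenticated challenge are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed assurance policy: which factor classes a transaction must present.
# Tiers and amounts are illustrative, not the article's or DXC's actual policy.
def required_factors(tx_type: str, amount: float) -> set:
    if tx_type == "payment" and amount <= 30:
        return {"possession"}                             # click to approve on the enrolled phone
    if tx_type == "payment":
        return {"possession", "knowledge"}                # phone + PIN
    if tx_type == "mortgage":
        return {"possession", "knowledge", "inherence"}   # phone + PIN + biometry
    raise ValueError(f"unknown transaction type: {tx_type}")

def assurance_met(tx_type: str, amount: float, presented: set) -> bool:
    return required_factors(tx_type, amount) <= set(presented)

@dataclass
class AuthState:
    """State shared by phone and bank: the MAC key and hash algorithm for the
    next act. Both sides rotate after each act from material they already
    hold, so a fresh key (and possibly a new algorithm) applies without re-enrolment."""
    key: bytes
    algorithm: str = "sha256"
    counter: int = 0

    def _tag(self, message: bytes) -> bytes:
        # Counter binds the tag to this act so an old tag cannot be replayed later.
        return hmac.new(self.key, self.counter.to_bytes(4, "big") + message, self.algorithm).digest()

    def _rotate(self, tag: bytes, next_algorithm: str) -> None:
        # Next key derives from the current key and this act's tag; both sides compute it.
        self.key = hashlib.sha256(b"rotate|" + self.key + tag).digest()
        self.algorithm = next_algorithm
        self.counter += 1

    def approve(self, tx_type, amount, presented, message, next_algorithm="sha256"):
        """Phone side: refuse when factors fall short of the tier; else MAC and rotate."""
        if not assurance_met(tx_type, amount, presented):
            return None
        tag = self._tag(message)
        self._rotate(tag, next_algorithm)
        return tag

    def verify(self, message, tag, next_algorithm="sha256") -> bool:
        """Bank side: check the tag under the current key, then rotate in lockstep."""
        ok = hmac.compare_digest(self._tag(message), tag)
        if ok:
            self._rotate(tag, next_algorithm)
        return ok
```

A failed verification leaves the bank's state untouched, so a mismatch (or a replayed tag) does not desynchronise the two sides.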
Achieving the twin pillars of authentication and consent required by the EU’s PSD2 directive is a difficult balancing act, but it is a prerequisite for any actor with ambitions to play in open banking. “The dual objectives — security and user experience — are in contradiction,” points out Handzus. “The proposed mobile eID balances the frictionless transaction desired by customers against the kind of security and compliance that banks must deliver.”