
S&P Global Market Intelligence: New Payments Rules May Open Bank Doors to Hackers, Experts Warn

Experts are warning about a possible rise in fraud and identity theft once technology companies gain access to banks’ payments systems after the introduction of the EU’s second payment services directive (PSD2) in 2018, as watchdogs are still undecided over who will be responsible for any breaches.


Under PSD2 in its present form, banks will have to give third parties such as fintechs and social media companies access to customer data as of January next year, provided the client has agreed to it. Although banks will only be obliged to grant access to companies that have been approved by regulators, the approval process will not include a technical evaluation of data security measures until October 2018, according to the current proposals, which are still subject to review. This has led to fears that data security may be weakened.

‘A losing battle’


“I think [PSD2] will lead to potentially more fraud and more attacks. There are more end points to attack,” said Andrew Davies, a fraud and cybercrime consultant at technology firm Fiserv, which works with banks and insurers.

“PSD2 is good for the banks, good for the customers, good for the fintech companies, and good for the hackers,” Emma Heimonen, Swedbank’s director of digital innovation, said at a conference in July, according to Dagens Industri. Customers may find themselves out of pocket due to cyber attacks, and small fintech companies may be unable to adequately compensate them, she reportedly added.


“Financial firms are fighting a losing battle with hackers, and PSD2 will create something that will be out of control,” said Andersen Cheng, CEO of cyber security company Post-Quantum, referring to the sharing of bank clients’ personal information in a way that cannot be easily retraced. “PSD2, from a cyber angle, is dangerous.”


Cheng’s main criticism was that the personal data that will flow freely from banks to small companies with low handling standards might become easily accessible through the internet, reaching criminals without anyone having been assigned accountability for the leaks.

Companies such as Facebook Inc. and its WhatsApp service will compete with small competitors in the payments and social media sector to monetize the new data resource as fast as possible. This will prompt some companies to compromise security while prioritizing speed and ease of use, Cheng argued.

“It will be much easier to steal money through chat apps,” he said. “The security of banks will depend on the security of social media companies.”

Describing the security of the vast majority of popular social media, chat and shopping apps as “very light,” Cheng added: “Payment initiation service providers will be able to access all the customer’s payment data, but their standards are nothing compared to what the banks are used to.”


– Banks worldwide are expected to spend $101.6 billion on security technology in 2020, up from $73.7 billion in 2016, according to the International Data Corporation, an IT market data provider.

– In the UK alone, the value of bank fraud that was prosecuted through the courts reached £1 billion in 2016, KPMG estimated, while the number of reported offenses increased year over year, according to the law firm Pinsent Masons. 

– The overall cost of online fraud in the UK likely stood at around £144 billion for businesses and £10 billion for individuals in 2016, according to the government’s National Audit Office.

Short-term pain, long-term gain


From the banks’ point of view, this issue is made worse by the fact that the General Data Protection Regulation (GDPR) also takes hold in early 2018. The GDPR stipulates that companies may be fined up to 2% of their global revenues for losing customers’ personal information. Since banks collect those personal details and share them with other firms, it is unclear where the ultimate liability would lie, according to Richard Francis, a risk manager at Accenture. But banks fear they will be held responsible for data breaches at third parties, he added.


“Banks are working hard to get the regulator to take a position,” said Francis, who consults large banks on their cyber security, including in relation to PSD2.

Brandon Daniels, managing director and president of risk consultancy Exiger in New York, said many of the banks his firm works with have already expressed concerns over PSD2 and are working on mitigation strategies. “There are two primary risks: financial crime and privacy of information,” he said.


Banks and third parties should therefore constantly monitor their networks for “aberrant behavior,” Daniels argued. “If someone says they are based in Glasgow, make sure they aren’t constantly pinging you from Turkey,” he added, pointing out that erratic behavior patterns are often considered a hallmark of either fraud or money laundering.


However, “it’s hard to say” whether third-party providers will adopt adequate security measures in the months before mandatory technical standards are introduced, according to James Chappell, chief technology officer and co-founder of Digital Shadows, a London-based company that monitors hackers’ activity on behalf of financial companies. He thinks attacks against banks and consumers are likely to multiply after PSD2’s implementation, especially in the period preceding the adoption of a common security standard for third-party access.


Yet, once initial problems are solved, banks hope to be able to detect and stop fraud much quicker than before thanks to the near-instant sharing of information enabled by the new law, Francis said.
