The European Union is about to enforce better consumer protection, including a new liability shift towards Payment Service Providers (PSPs) operating within the market of the 27 member states plus the associated EEA countries (including Norway). The strong authentication definition from the European Central Bank (ECB) is incorporated in the new EU Payment Services Directive II (PSD II), which passed the European Parliament in April 2014[i] and is planned to be effective from February 2015. The ECB Forum of National Banks states:

“PSPs with no or only weak authentication procedures cannot, in the event of a disputed transaction, provide proof that the customer has authorised the transaction.”

Better consumer protection from the EU and the ECB became necessary because of the far more advanced cyber-attacks on money transactions on the Internet in recent years, which have increased financial losses for banks, merchants and end users into the billions worldwide. The shortcomings of traditional authentication procedures against these cyber threats paved the way for this new liability shift.

Moreover, researchers’ reports of insufficient, and sometimes improper, anti-fraud countermeasures that push payment refund risks onto end users reveal severe payment market imperfections. The liability shift corrects these market imperfections.

A troubling payment authentication market mechanism

There are several logical business rationales for market imperfections within the security market affecting payments. First and foremost, end users’ fascination with convenience is the basis of the marketing mix that PSPs have to consider and meet. Second, weak or no authentication always wins over strong authentication in terms of convenience, but not necessarily in quality in terms of the refund risk for the user. Third, weak or no authentication is cheap, while strong authentication is traditionally expensive and comes with cumbersome logistics for both providers and users. Consequently, weak or no authentication is the obvious sub-optimal choice for a PSP whose number one priority is convenience. But this holds only as long as losses and risks are manageable and high quality of service in terms of security and refund policy can, more or less, be neglected.

The market has consequently learned that PSPs can manage financial losses and risks on a tactical level in several ways in order to avoid the consequences of improving payment security with strong authentication. Fraud insurance is the obvious one, where insurance costs can be distributed back to the users. Pushing liabilities to others is another. ‘Others’ in this context are either end users or merchants, who more frequently face refund rejections from PSPs. The rejections are based on agreed user guidelines and terms and conditions which assume that payment authentication works as intended. Because cyber-criminals now have new and advanced capabilities for attacking payment transactions, the assumption that Internet payment technology works as intended has become far less likely to hold. The consequences for users are already severe.

As an example of the consequences for end users, the British Crime Survey[ii] from 2010 reported that “44% of fraud victims didn’t get all their money back, despite both bank guidelines and the European Payment Services Directive requiring that customers who have not acted negligently or dishonestly be refunded.”

Users are not the only ones who bear the consequences of weak authentication practice. Even PSPs are affected. This happens implicitly when some PSPs raise the marginal cost and effort of attacking their own service relative to other PSPs. All PSPs in the market take part in this practice and sooner or later end up with an unintended procedure of pushing risks around among each other instead of enhancing the security of payments.

Unfortunately, avoidance of strong authentication has already proven unsustainable for many parties in society under the pressure of cyber-crime.

What we are seeing are the imperfections and shortcomings of a closed financial market, in which sub-optimal business decisions on weak or no authentication of Internet payments make sense. High quality of service in terms of security and refund policy is something PSPs have so far agreed not to compete on. History tells us that quality is the first thing to suffer under a cartel regime. Under a financial cartel every service provider is by definition equally secure, and this has to be the perception in the market as well, since users have no other option. Real problems surface when the facts tell a different story than the perceptions. In the financial market, trust is the first thing to suffer when this occurs.

For in-depth analysis of market imperfections, technical flaws and failures, and the economics of security in the global payment industry, I recommend ‘The Bank Fraud Resource Page’ by Prof. Ross Anderson at the Cambridge University Computer Laboratory.

The sum of unsustainable, tactically made business decisions ends up as total irresponsibility at the systemic level. It is at this level that whole societies may unfortunately have to foot the bill. What we see is that whole nations and populations have been brought into the position of being victims of cyber-criminals at an unprecedented level. Financial fraud through all too easy capture of end users’ credentials or hijacking of payment sessions has for many years rewarded unpunished criminals with money in the billions from users, merchants and banks worldwide. Governmental authorities are warning about systemic risks within the financial industry, and the Bank of England states: “Cyber-attacks are top banking risk”[iii].

EU prepares for a better and more sustainable risk management model

The distribution of financial fraud risk between the payment actors is actually what the new PSD II is about. By implementing PSD II, the European Union will push 100% of the payment risks back to PSPs that do not meet the strong authentication requirement.

By shifting the liability over to PSPs that still operate with no or weak authentication, the EU also provides incentives for a better payment standard. The standard will be recognized by a high-quality implementation of a sustainable risk model among the PSPs operating in the inner market, which in the long run will be best for both the financial industry and its users. In particular we may see (i) an enhanced and more cost-effective dispute resolution practice for Internet payments, including (ii) removal of the criminals’ veto over the quality of the PSPs’ services. Both advantages serve the common interests of PSPs and their users and build sustainable trust.

A market for innovative, better, faster, easier, more convenient and more cost-effective strong payment authentication solutions will start from 2015. Protectoria delivers technology and know-how on ECB-compliant payment authentication, automated anti-fraud processing, usability and integration. Voice biometrics is delivered by our OEM partner VoiceTrust, Munich.

Please visit our website and download our Strong Authentication whitepapers on functionality and ECB-compliance here.

Let’s hope that this new shift towards better security will at least inspire governmental services and critical service providers, where sins of omission are, surprisingly enough, still a viable option.

Sources

[i] http://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Fachartikel/2014/fa_bj_1406_zahlungsdiensterichtlinie_II_en.html

[ii] http://www.bbc.com/news/technology-19559124

[iii] http://www.computerweekly.com/news/2240185971/Cyber-attacks-top-banking-risk-says-Bank-of-England