PSD2: Let’s open up about anti-money laundering and open banking
Across the world, the trend towards open banking is rapidly gaining traction and momentum. The EU introduced the second Payment Services Directive (PSD2) to increase competition in a payments sector dominated by a few big payment service providers. Taking Europe as a blueprint, the UK’s Open Banking initiative is now making revolutionary payment services possible, including third-party payment initiation (through Payment Initiation Service Providers) and third-party account access (through Account Information Service Providers). While PSD2 demands banks release their data to third parties, Open Banking dictates that they do so in a standardised format, so authorised organisations can easily share it online.
From the perspective of preventing financial crime, this creates great theoretical opportunities for banks. They can potentially have access to much more data from multiple banks and products, including customers’ account and transactional data. This data can give banks a better understanding of how customers typically behave – and therefore a better ability to spot ‘atypical’ behaviour. But opening banks’ infrastructure to third-party providers creates a range of opportunities for money launderers and fraudsters, who are becoming increasingly sophisticated.
What are the risks for the market?
Customers are less visible to incumbent banks. Currently, banks’ financial crime systems and controls rely on customers interacting with them. But PSD2 and the growing number of players in the market have diminished these direct relationships with customers, reducing the proportion of transactions processed by a single organisation. That means individual banks have a limited view of the overall activities of their customers, making it harder to identify suspicious behaviour.
Overall levels of compliance drop and an uneven playing field develops. Banks are experienced in applying rigorous controls given the strict regulatory environment in which they operate. But customers are now being on-boarded by technology firms that haven’t traditionally operated in financial services using more varied methods of verification and without the experience in financial crime risk management. Additionally, the regulators are yet to establish effective methods of monitoring for the increasing number of smaller but significant players. This could reduce overall levels of compliance and make the market vulnerable to money launderers and fraudsters.
What should payment services providers (PSPs) be doing?
PSPs need to demonstrate to consumers, other market participants and regulators that they have robust systems and controls in place to establish, verify and securely store the identity of users. In the longer term, PSPs should move toward a market-wide system that supports the collection, classification and sharing of trusted Know Your Customer (KYC) data. This will enable AML and KYC checks to be more accurate in identifying bad actors, while also requiring less resource-intensive internal processes.
What should banks be doing?
The implementation of PSD2 will contribute to building new relationships and data partnerships between financial institutions, helping to protect consumer interests and improve transactional oversight. But to capitalise on the vast amounts of data being channelled through PISPs and AISPs, banks must invest in technology that finds the patterns that indicate crime. This will also require PSPs to share transaction data and intelligence through a central hub that’s underpinned by the necessary legal permissions and security to ensure compliance with GDPR.
What should regulators be doing?
For the market to succeed in this, a number of issues need to be resolved, such as reaching consensus on what kind of data to share, in what form and at which intervals. There will also need to be a balance between current data protection laws and identifying new ways to exploit data.
Regulators and other government bodies will need to continue working with the private sector to develop best practices for how customer account and transaction data is provided to, and used by, financial services firms.
We shouldn’t understate the challenges involved in using open banking to improve financial crime risk management. But the opportunity exists to make financial crime risk management processes more effective and make things more convenient for consumers. Imagine if firms could access a trusted source of transactional data and intelligence from other banks and even other jurisdictions. Such a holistic view of customer activities would be invaluable in the fight against financial crime.
The relationships forged with third-party providers, and the trust placed in the effectiveness of data security across the industry, will be essential to reap these benefits.