Supporting PSD2 with WSO2 Products

  • By Chamin Dias
  • 26 Oct, 2017

Introduction

In today’s world everything is connected. This concept extends to modern businesses too. Many industries have expanded their boundaries by leveraging technology. In the last decade, massive development can be seen in the financial services sector. With increased customer demands and newer challenges many innovative solutions have been introduced by financial service providers. E-remittance, online payments, electronic passbooks, stock handling and online auctions are some widely used services.

These services were created to reach global markets and remain competitive. However, this can give birth to some challenges, especially in the financial sector, because of security and integrity issues among other things. Hence it’s mandatory to have formal regulations in place. In this article we will discuss one such regulation — Payment Services Directive 2 (PSD2) — and how you can address the latest technological challenges while adhering to the standards by leveraging an API-driven business model.

Overview of PSD2

The Payment Services Directive (PSD) is a European Union (EU) standard administered by the European Commission for the financial industry. It was used to regulate payment services and payment service providers throughout the EU. Its main purpose was to make electronic payments more secure while establishing an effective and integrated payment services platform.

PSD2 was introduced in 2015, as the revised version of its predecessor PSD. PSD2 enforces enhanced security measures that need to be implemented by all payment service providers by 2018. At the same time, it aims to ensure better consumer protection for payments, promote the development and use of innovative online and mobile payments, and make cross-border European payment services safer. This will benefit consumers and businesses, and help the economy grow in many dimensions.

Nowadays, most people around the globe prefer online banking. However, users are still concerned about the security of online payment methods and the misuse of sensitive financial information. Due to these reasons, financial service providers must ensure the secrecy and security of online payments. Else, users may not feel confident when making online payments and may have the fear of being a victim of online fraud. This narrows the chances of reaching a wider community.

In PSD2, there are many regulations/mandates to ensure customer protection. Open APIs can be used to expose financial services to the outside world, with customer consent, so that it creates more opportunities through competition and innovation. Moreover, online payment is a global market. Therefore development in PSD2 will have endless boundaries around the world.

WSO2 Open Banking for PSD2-based Financial Solutions

WSO2 Open Banking is the latest solution provided by WSO2, which is made especially for the banking and finance industry. This solution is mainly based on WSO2’s API management, identity and access management and analytics platforms. We will analyze how the capabilities on those platforms were integrated to create a PSD2 compatible solution for banks and other financial institutions.

Figure 1: Overview of WSO2 Open Banking

WSO2 Open Banking assists financial businesses in making their systems PSD2 compatible, well ahead of the proposed deadline (January 2018). It provide greater financial transparency by allowing third parties to consume services. This is done in a secure manner so that financial businesses can expose their services via APIs, while adhering to PSD2 standards. More information about WSO2 Open Banking can be found in the official documentation as well.

Role of APIs in PSD2 and WSO2 Open Banking

APIs are the most important asset in PSD2. Other requirements of PSD2 are there to ensure stability, security and monitoring. PSD2 requires banks to securely expose customers' account and transaction data to third parties through open APIs. This should happen with the customer's consent.

There are many advantages of using APIs in the financial industry, the most important of which is expanding your business on a global scale because. Most organizations today follow API-driven business models that help them digitally transform while ensuring the quality of services.

Figure 2: Expanding the consumer base with APIs

In the financial sector, APIs can be used in many ways to improve business activities while assisting digital transformation. With the right API management solution, you can reap all the benefits of an API ecosystem. Here’s how:

1. Ease of managing digital assets

When services are exposed via APIs, they become the digital assets of a business. With the help of a well-designed API management solution, managing these assets isn’t that hard. Since WSO2 Open Banking is powered by the rich features of
WSO2 API Manager, the whole lifecycle of an API can be easily managed. Lifecycle management is beneficial to both API providers (i.e. the financial business) and API consumers (i.e. the end users). More information can be found here.

2. Value addition to existing systems

To ensure existing customers aren’t ignored in the process of digital transformation, you need to leverage your legacy systems and make them API accessible. APIs are capable of encapsulating the complexities of a legacy system and exposing its functionality, so this won’t be a nightmare. APIs will also overcome challenges in legacy systems — like security, monetization, real-time analytics, etc. — and transform outdated techniques to user-friendly technology. Service orchestration and back-end service combination can also be achieved if required.

3. Proactive decision making

Taking timely proactive actions is a key factor for a successful business. That’s why organizations should use a solution that’s capable of providing valuable insights for faster decision making via real-time and batch analytics. This is a common requirement for the financial industry too. If APIs are used to expose financial services, it’s easier to monitor the usage of that service. With WSO2 Open Banking you can
generate useful business insights through analytics.

4. Improved user experience and latest technology support

Today’s customers expect to access their data and services from anywhere and at anytime. Customers may use different devices at different times to consume the same service and businesses need to facilitate this. And due to the increased popularity of cloud computing and cloud-based services models, customers will turn to the cloud whenever possible to make their tasks easier. Handling these kinds of scenarios is simple with the WSO2 API Manager component in WSO2 Open Banking since it can be hosted on the cloud as well (it is
publicly available for evaluation purposes). With WSO2 API Cloud you have all the functionality of WSO2 API Manager while lowering operational costs and increasing business agility.

5. Establish security and access control

Irrespective of the nature of the digital service, security is one of the most critical factors in a digital business. Since WSO2 API Manager has in-built support for
API security (mainly based on OAuth 2.0), API providers need not to worry about their exposed services. The in-built key manager can handle security and authentication, as well as be extended if the need arises. The four most common authorization grant types are supported by default but depending on your requirement additional types can be defined. If there is a need for more fine-grained authentication, we can use the scope management feature. Since WSO2 Open Banking inherits these features from WSO2 API Manager, it can ensure that your PSD2-based systems are strongly secured.

The above mentioned factors are directly or indirectly related to PSD2 because of the importance of APIs in the regulation. That’s why WSO2 Open Banking ensures your systems are well aligned with PSD2 when exposing services to third parties via open APIs. In order to build a complete software system for banks based on PSD2, WSO2 Open Banking inherits features of some other WSO2 products as well. Let’s see what they are.

Adhering to PSD2 with WSO2 Products

So far we have identified the importance of APIs in the financial sector and how WSO2 API Manager can be used to handle API-related use cases in PSD2. There are some additional requirements to fully meet the PSD2 specifications. We’ll explore how you can adhere to these regulations using the feature of WSO2 products that are included in WSO2 Open Banking.

In order to comply with PSD2, it is mandatory to have the following components.

A comprehensive API management solution

As mentioned before, this is needed because bankers and financial institutions must expose their services through open APIs. WSO2 API Manager is trusted by global businesses across many industries (including world recognized banks), so it can undoubtedly address these requirements. In addition to that, WSO2 API Manager will enable business owners to
digitally transform their businesses and reap the benefits of latest technologies. In the previous section, we already discussed the capabilities of the WSO2 API Manager component in WSO2 Open Banking solution to meet PSD2 standards.

A reliable identity and access management solution

Strong customer authentication is a must for PSD2. Hence financial service providers need a solution that facilitates complex information security mechanisms. The
WSO2 Identity Server component in WSO2 Open Banking is an excellent option for this as it provides secure identity management for enterprise web applications, services, and APIs by managing user identity and entitlements securely and efficiently.

Delivering a single sign-on (SSO) environment, reducing identity provisioning time and securing online transactions can be easily carried out with the WSO2 Identity Server. At the same time, it decreases the identity management and entitlement management administration burden by including fine-grained policy-based access control, role-based access control and SSO bridging. Moreover, managing user accounts is easy with WSO2 Identity Server which enables creating, maintaining and terminating user accounts along with user identities across multiple systems including cloud applications.

When it comes to PSD2, it mandates the use of at least two factors for customer authentication to enhance the security of transactions. There is a separate article describing how to adopt security recommendations for PSD2.

More information about the WSO2 Identity Server can be found in the official documentation as well.

Real-time and batch analytics solution

Analytics is the next requirement of PSD2. Because APIs are the interface which exposes your services to consumers, it’s important to monitor API usage. The monitoring system should also be able to send alerts to the relevant parties if an abnormal action takes place. With
WSO2 API Manager Analytics, this won’t be a problem.

By analyzing vast amounts of financial data, organizations can provide better customer service and optimize resource use. It is critical for businesses to make strategic decisions based on reliable insights gained from analytics about user experience and resource utilization. Taking quick proactive action at the correct time is also a key factor for success. WSO2 API Manager Analytics facilitates a wide range of options to monitor API related activities. It supports both real-time and batch analytics. In addition to that, the alert mechanism can be very useful when it comes to reporting abnormal or fraudulent user behavior. To understand this further read this article on generating insights with WSO2 API Manager Analytics.

WSO2 Open Banking provides business dashboards which are useful for decision making. These dashboards provide valuable business insights and statistics related to business activities performed by PISP (Payment Initiation Service Provider) and AISP(Account Information Service Provider) applications, different currency usage with open banking solution, payments made by different banks and more.

API monetization

API monetization ensures that revenue is generated based on service consumption and is a very important factor for financial service providers who expect to adhere with PSD2. The WSO2 API Manager component in WSO2 Open Banking comes into play with its
support for API monetization.

APIs are making way for new revenue streams and business opportunities. Organizations today have realized the value of their data and services and are pushing to sell them. With API monetization, service providers are given the opportunity to define billing plans based on their revenue generation model. When implementing a PSD2 compatible solution, financial service providers can leverage the API management component in WSO2 Open Banking solution to build the API monetization strategy. This monetization model is capable of defining usage plans, integrating the API platform with a billing engine, monitoring API usage and implementing access control and rate limiting. It also offers the capability to define customized throttling plans with the help of the new Siddhi runtime-based throttling implementation.

Accordingly, it is clear that we can create a fully functional solution which adheres to PSD2 standards by using WSO2 Open Banking, which is based on WSO2 products.

Conclusion

The PSD2 deadline is looming closer and becoming compliant is a priority for all EU based banks and financial institutions. WSO2 Open Banking is designed by integrating the capabilities of WSO2’s API management, identity and access management and analytics platforms. WSO2 Open Banking provides all the capabilities required to design and implement PSD2 compatible systems (for financial service providers), well ahead of the January 2018 deadline proposed by EU.