How PSD2 will influence the Corporate Banking Payments landscape for the better using Biometrics

  • Elias Thomaidis, Senior Manager-Digital Security at Hitachi Europe

  • 10.07.2018 07:45 am
  • undisclosed

Transaction processing for corporate banking operations is on a completely different scale to the retail-banking world in terms of both value and volume. The resulting revenues form one of the main profit drivers for banks, and according to the 2017 Cap Gemini World Payments Report, it is estimated that there will be a staggering 108bn corporate non-cash transactions globally in 2018, with around 27bn of these in Europe.

The corporate payments sector is competitive and growing strongly. Although it is moving along with the digitalisation process, it is held back by a number of historical inefficiencies that make it challenging to ride on the crest of the digital wave. Current solutions in the market result in high friction for the customer, making the payment process slow.

On the corporate side, banks therefore tend to focus on the relationships with their business customers and are strongly motivated to provide innovative and secure services that improve their customers' operational processes and efficiency, while securing both the end customers and themselves against potential loss from fraudulent transactions and identity theft.

According to the 2017 AFP Payments Fraud Survey, there was a dramatic rise in the number of businesses hit by payments fraud in 2016 when compared to 2015. Around 70% of the treasury and financial professionals surveyed said they were reluctant to embrace mobile payments for their enterprises due to a lack of confidence in security.

The same report further highlights how little some companies are spending on cybersecurity as a percentage of the overall IT budget, despite the growing risk from ransomware, phishing and other malware. With predictions by IDG’s CSOOnline.com in their Jan 2018 Cybersecurity Business Report that cybercrime damage costs will hit $6 trillion by 2021, we see that there is still a long way to go in securing the world of online business.

Corporate payment providers need to consider multiple security elements within the transaction. On the authorisation side, protection from identity theft is needed, and with large multi-national companies having hundreds of staff making payments on a daily basis, a solution that lacks a modern security process is critically exposed.

Non-repudiation

Identity assurance for login and transaction signing based on practical, secure and easy-to-use biometric features can greatly simplify the process and, more importantly, improve the overall security and integrity of the transaction. Biometrics allow a transaction to be tied to the individual, giving non-repudiation. By contrast, in a common two-factor authentication process the person making the payment uses a Chip and PIN terminal, or has a password along with a hard or soft token, to secure the transaction. This leaves companies vulnerable to fraud: Chip and PIN cards, tokens and passwords can be shared, written down on pieces of paper lying around desks, or simply handed to junior staff because management have other responsibilities than processing and authorising payment transactions. This provides the perfect environment for fraud to be committed, because the process allows anyone with the correct PIN or password to perform a transaction.

When the company identifies the suspicious transaction and reports it to the bank, an investigation is launched. If it is found that credentials were used because of a breakdown in process as described above, the bank has every right to ensure the company foots the loss. However, since corporate customers are so crucial to the bank’s P&L, we see that on many occasions these losses are simply absorbed by the bank. The last thing the bank wants to see is a corporate customer moving their business, along with all the long-term revenues and fees that they generate.

By introducing biometrics as part of the authentication process, the transaction is associated with the person making it in a non-repudiable manner. Therefore, an individual committing fraud cannot state, “I didn’t make the transaction, those are my manager Rob Smith’s authentication credentials, not mine!”

PSD2 and Regulatory Technical Standards

Since the European Banking Authority (EBA) released a discussion paper on authentication and secure communication in December 2015, there has been much debate within the Eurozone community on the levels of security that should be incorporated in the legislation. The requirement to include at least two of “knowledge”, “possession” and “inherence” in the authentication process is a step in the right direction. With the final version of the Regulatory Technical Standards (RTS) having been released in March 2018, there is now an 18-month period in which banks need to comply with these new requirements.

For low-value transactions (e.g. via a retail online banking app), the security standards are not as onerous as for, say, large-value corporate payment transactions. PSD2, and in particular the RTS, sets out how banks must ensure their transactions are secured. One of the key aims of this legislation is to establish a platform for effective and integrated payment services, making electronic payments more secure whilst providing a frictionless user experience. By introducing authentication by inherence within the legislation, the EBA is putting in place a framework where biometrics can be used to secure transactions, ensuring an end-to-end non-repudiable transaction process that protects financial institutions and customers (be they corporate or retail) alike.
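The "two of knowledge, possession and inherence" rule above is easy to get subtly wrong: two factors from the same category (a password plus a PIN) do not count, and a password plus a token may satisfy the rule while still being shareable, which is the attribution gap the Non-repudiation section describes. The following is an added illustration written for this post, not code from the article, Hitachi or the EBA. The three category names are the ones the RTS uses; the `Factor` record, its `individual` flag (marking whether a credential is bound to one person) and the sample factors are constructed assumptions for the example.

```python
"""Evaluate a set of presented authentication factors against the
"two of knowledge / possession / inherence" rule and report whether the
attempt can be attributed to an individual.

The category names come from the PSD2 RTS; everything else here is an
assumption made for this example, not the EBA's or any bank's logic.
"""
from dataclasses import dataclass

KNOWLEDGE = "knowledge"     # something the user knows (password, PIN)
POSSESSION = "possession"   # something the user has (hard/soft token, card)
INHERENCE = "inherence"     # something the user is (fingerprint, face)
CATEGORIES = {KNOWLEDGE, POSSESSION, INHERENCE}


@dataclass(frozen=True)
class Factor:
    name: str
    category: str
    # Assumed attribute: True when the credential is bound to one person
    # (a biometric, a device enrolled to a named user), False when it can be
    # handed over (shared PIN, token left on a desk).
    individual: bool


def sca_categories(factors):
    """Return the set of distinct categories present in the presented factors."""
    cats = {f.category for f in factors}
    unknown = cats - CATEGORIES
    if unknown:
        raise ValueError(f"unknown factor categories: {sorted(unknown)}")
    return cats


def meets_sca(factors):
    """True when at least two *different* categories are present.

    Two factors of the same category (e.g. password + PIN) do not count as
    strong customer authentication, however many of them are used.
    """
    return len(sca_categories(factors)) >= 2


def attributable_to_individual(factors):
    """True when at least one presented factor is bound to the individual.

    A password plus a token may satisfy SCA but, if both can be shared, the
    transaction still cannot be tied to the person who made it.
    """
    return any(f.individual for f in factors)


def evaluate(factors):
    """Summarise an attempt as (sca_ok, attributable, sorted categories)."""
    cats = sca_categories(factors)
    return (len(cats) >= 2, attributable_to_individual(factors), sorted(cats))


# Constructed sample factors for the demonstration.
PASSWORD = Factor("password", KNOWLEDGE, individual=False)
PIN = Factor("card PIN", KNOWLEDGE, individual=False)
HARD_TOKEN = Factor("hardware OTP token", POSSESSION, individual=False)
FINGERPRINT = Factor("fingerprint on enrolled device", INHERENCE, individual=True)

if __name__ == "__main__":
    for label, attempt in [
        ("password + PIN", [PASSWORD, PIN]),
        ("password + token", [PASSWORD, HARD_TOKEN]),
        ("token + fingerprint", [HARD_TOKEN, FINGERPRINT]),
    ]:
        print(f"{label:20s} -> {evaluate(attempt)}")
```

Running it shows the three cases side by side: password + PIN fails the two-category rule outright, password + token passes it but remains unattributable because both credentials can be shared, and token + fingerprint passes both checks. The `individual` flag is the point of the exercise: it separates "the rule was satisfied" from "this person did it", which is the distinction the bank's fraud investigation turns on.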

With only 15 months left before the Regulatory Technical Standards take effect, banks are advised to review all their payment transaction processes and ensure that biometrics play a key part in securing both their own business and that of their customers.
