PSD2: Lost in TAN
Customers are annoyed by stricter security standards in online banking. But what many do not know: A new policy terminates the banking monopoly on account data.
Postbank customers should be prepared: Anyone who does their banking business online will find September 8th a special day. Then the so-called mobile transaction numbers, short TAN, lose their validity, at least at the Postbank: The bank no longer sends TAN by SMS, with which customers have so far authenticated their banking transactions. "It is important for Postbank to always be up-to-date with the latest technology," says the bank quite succinctly on the homepage. Instead, users should now use the Postbank app or generate TANs at home with an additional device.
Not all banks in Germany are as radical as Postbank and simply switch off the TAN procedure via SMS. But all banks need to make their online banking procedures safer. On 14 September, the Second EU Payment Directive will enter into force, PSD2 for short. It stipulates that every customer must not only provide a password or the card number including the security code when making an online transfer and paying by credit card in the online shop, but also identifies with another factor: This can be a TAN Password, a digitally transmitted fingerprint or face recognition. The TAN lists on paper will definitely be invalid from mid-September.
Customers and commerce are upset
The change is currently irritating many bank customers, they are annoyed and vent their anger in online forums because they need to reorganize their banking and credit card payments. The industry newsletter finanz-szene.de is already joking about the "PSD2 grandmothers" whose sons promise "for weeks to finally take care of the 'Verified by Visa' box, but then do not do it". And the retail industry is upset too. "The two-factor authentication is much more complicated, the fewest consumers know it.The trade must explain it to the customers, because the banks fulfill this task sometimes unsatisfactory," recently criticized Ulrich Binnebößel from the German trade association (HDE). Because it is so complicated especially with credit card payments, the financial supervision Bafin now since the middle of the week postponement. It allows payments by credit card on the Internet temporarily with the previous, simpler security provisions.
In the end, personalized discounts?
On the other hand, there is hardly any focus on further regulation of the Directive, which could have far greater impact on consumers than the new authentication. In order to promote the online competition, Brussels is also ending bank monopoly on account data. Banks need to open their technical interfaces to customer accounts for other companies if customers agree. Little allows such a detailed and relentless look into the lives of the citizens as account data: where does the account holder regularly purchases, which subscriptions does he have, which electricity provider, does he pay contributions to clubs, does he receive child support, unemployment benefits, how often is he in the Minus?
This precious data is used by start-ups and fintechs. They rave about new offers, more convenient payment methods and services. For their industry, the new regulation seems to start a new era. The planned opening of the banking sector is just as disruptive as the liberalization of the telecommunications market: "The change is similar to the change from the old Nokia bone to the modern smartphone: I have not only the basic services, but many new apps that build on it," says Michael Salmony, digital banking expert at Equens Worldline, Europe's largest processor of payments and transactions.
To get involved, companies have to register with the Financial Regulator in a complex process. The requirements are strict, at least here in Germany with the Federal Financial Supervisory Authority. But the organizational effort does not deter: Meanwhile, 16 companies have registered in Germany, in early August, the Bafin also processed more than 40 other applications. EU-wide, more than 170 companies have been granted a license from the European Banking Authority. The companies may, if bank customers have agreed to tap the account information of the past three months.
The great interest shows what potential entrepreneurs see in the new regulation. Some fashion houses - which, however, do not wish to be publicly named - want to use the new data to expand their customer loyalty programs, for example: If the customer card user allows the merchant to check the account, the customer receives special discounts, for example. In return, the dealer knows which competitor the customer buys and how much money he leaves there. And who pays contributions to Greenpeace, for example, could recommend another bank investment in sustainable products.