Security features of Open Banking A2A payments.

How secure are A2A payments?

Gabi James - 1st Sep, 2022

Here we take a look at the security features of A2A (account-to-account) payments, also known as ‘easy bank transfer’, ‘pay by bank’ and ‘instant bank payments’.

In a world where scams, fraud and cybercrime pose a real threat to our financial data, we’re right to be safety-conscious before adopting a new payment method. So what measures are in place to ensure Open Banking A2A (account-to-account) or instant bank payments are safe for users, and are they as secure as other payment methods?

What makes instant bank payments secure?

1. Bank-grade security

When you make an instant bank payment, you are automatically handed over to your existing mobile banking app or online banking interface to securely authorise a transaction. If you’re on a mobile device, you’ll notice that your existing bank app opens on your phone, and you follow the mobile banking log-in process you’re already familiar with. The payment amount, recipient and frequency are clearly displayed for you to approve, just as they would be when you're making any bank transfer.

What does this mean for security? It means your bank itself is handling the transaction, taking advantage of the banks’ already established security measures, which are independent of third parties.

In short, instant bank payments powered by Open Banking are as secure as the banks themselves.

2. Minimal data exposure

When you pay by credit or debit card on a shopping site, you're directly sharing sensitive payment details such as your card number, expiry date and postcode etc. with a third party. This means your payment details are being stored somewhere other than your bank. In the UK, companies asking for your card details are highly regulated, but as a general rule, greater exposure of personal data means greater risks. We perceive card payments as safe, and in general, they are. But fraud losses on UK-issued cards totalled £574.2 million in 2020.

In contrast, when making an A2A payment, you aren’t sharing card details or bank login details with a third party. That part is left to your bank. With A2A payments powered by open banking, a third party can only connect you to your bank or building society. It’s then up to you as the customer to review and securely authorise the transaction. This means sensitive data is kept safe with your bank, reducing the risk of data breaches.

3. Giving you full control

Instant bank payments keep consumers in the driving seat. Explicit consent must always be obtained before initiating a payment, and at any point afterwards, consent to initiate any further payments (clearly defined at the outset) can be revoked. One of the main goals of open banking is to give consumers much more control over their financial data.

4. Regulated providers

When you make an instant bank payment, the initiation of the payment order is usually handled by a Third Party Provider (TPP). In the same way, when you pay by card, the business you're paying is usually partnered with a credit/debit card payment provider. Just like card payment providers, instant bank payment providers have to follow strict rules and stringent standards to keep your data secure. They must be approved as a ‘Payment Initiation Service Provider’ (PISP) by the Financial Conduct Authority (FCA) in order to function. The FCA also regulates banks and other financial service providers in the UK. Before approving any provider, the FCA makes a comprehensive assessment by examining the business plan, systems, resources, risks, budgets, controls and staff. Providers must also pass ongoing checks to retain their authorisation.

You can view the directory of FCA-approved payment providers here. Instant bank payment providers must also adhere to the payment service regulations laid out in the Payment Services Directive (PSD2). They are also required to meet the requirements of the GDPR (General Data Protection Regulation).

5. Strong Customer Authentication

Open Banking payments inherently support Strong Customer Authentication or SCA. SCA is a requirement of the Payment Services Directive (PSD2), designed to reduce the risk of a fraudster pretending to be you and stealing your money. SCA must now be applied to various payment methods in the UK, including card payments and A2A payments. Banks must ask their customers to verify their identity before making a payment. For card payments this step is added at the end of the process (after entering card details and submitting the payment). With instant bank payments, SCA is built-in, occurring at the point of payment authorisation (in your mobile / online banking app). For shoppers, this means the same anti-fraud measure with fewer hoops to jump through and less friction at the checkout.

Familiarity and risk perception

Our perception of card payments as ‘safe’ is related to our familiarity with them. Most of us use this payment method regularly, without any issues, and that reinforces them as a reliable and trusted payment method. Card payments are one step removed from our bank accounts, and in a way they ‘feel’ safer because of this.

However, whilst instant bank payments involve you logging into your banking service to authorise a payment, they do not involve giving anyone access to the account itself. As with card payments, they simply allow a business to take payments of an agreed amount / schedule. The retailer cannot log in to your online banking, or act on your behalf. They can only ask your bank to initiate a payment and this relies on your explicit consent. The initiation of the payment request can only happen through a request to your bank, using your bank’s secure API. Data shows that once consumers have tried an A2A payment, most of them use the payment method again at a later date.

As consumers, we are all responsible for taking some basic precautions to protect ourselves from fraud and scams in general. That includes using trusted and secure websites, and knowing how to spot potential scams.

The future of instant bank payments

The adoption of instant bank payments is accelerating in the UK. Several well-known brands like Emirates Airlines have already begun to offer instant bank payments to their customers. HMRC even supports them as a way to pay your taxes. As well as being a secure way to pay, instant bank payments reduce friction at the checkout and are significantly more cost-effective for businesses.

We can draw parallels with the adoption of contactless card payments. UK retailers like supermarkets and even transport networks like TfL began promoting contactless payments as an easier and faster way to pay. Consumers also drove adoption by telling others who hadn’t tried it yet just how easy and friction-free the experience was. In the same way, when it comes to Open Banking payments, retailers are beginning to promote instant bank payments to their customers, and customers are naturally becoming advocates when they see how much faster and easier it feels.

To see just how easy an instant bank payment is, why not make a charity donation through Wonderful? Wonderful uses instant bank payments to ensure UK charities can receive donations without fees or additional costs.

A note on Account Information Services

A2A payments are powered by open banking, a UK government-backed scheme that puts consumers in full control of their financial data. Open banking also powers another type of service called 'Account Information Services'. These services allow us to securely authorise our bank to share specific financial data (such as our transaction history) with a third party. While this data is shared securely by your bank, in contrast with making an A2A payment (a Payment Initiation Service) there is a lot more data being shared. So as ever, when it comes to sharing our financial data we must take some basic precautions, including only sharing information with trusted businesses and using regulated providers of financial services. Find out more via Open Banking.
