Mobile Network Operators and UK Open Banking – Role of Password-less Multi-Factor Authentication and 5G Network Slicing (of course)

In 2017, 22 million people managed their current account on their phone, a figure predicted to rise to 35 million customers using mobile banking applications by 2023. The mobile phone, rather than internet or retail banking, is also the de facto standard for mobile banking services with more than 250 million Apple Pay users.

UK Open Banking is intended to create a FinTech market similar to a 1980s consumer credit boom by decoupling the underlying bank from the service provider. Open Banking promotes an aggregated single view of all of a customer’s accounts in one place as well as aggregated personal finance and debt management tools. This creates an opportunity for the Mobile Network Operator interested in providing financial services without undertaking a full banking licence.

Open APIs and security are critical to Open Banking. The Open APIs enable third-party developers to extend the services of financial institutions. Open Banking effectively supports and extends the European PSD2 directive (how non-Brexity!). In Open Banking, the UK CMA introduced rules that mean that banks must allow the customer to share their financial information with other AUTHORISED providers. These are known as Account Information Service Providers (AISPs) and are regulated by the FCA. This requirement creates an opportunity for the Mobile Network Operator to either become a Mobile Banking AISP and / or to be a more general provider of Security Services to AISPs and Banks. Both options benefit from specific technologies that the MNO can provide. These include:

  1. a 5G Network Slice dedicated to “Mobile Banking”
  2. the exposure of Risk Evaluation services based on fraud prevention and location data
  3. the implementation of a Passwordless Multi-Factor authentication service

Network services that increase the quality and security of mobile banking

Users of any service do not like service continuity issues. This discontent is greater when the interaction is form based and stateful; and the worry is higher if the session drops during a mobile banking transaction. For example, it can be peeving when session interruption affects transferring money whilst in the back of a taxi on the way to an airport. Mobile applications can handle session management issues more gracefully than mobile browsers. Nevertheless there will always be customer dissatisfaction associated with session drops when using mobile banking services.

5G provides improved session and service continuity. This is one of the key features of a 5G data service: it ensures an uninterrupted service experience for the user regardless of whether there is any change of UE (User Equipment) IP address or change in the core network anchor point (the 4G LTE evolved packet system only provides continuity of the IP session). This means that the Mobile Network Operator can provide a chargeable “Mobile Banking” Network Slice; or consume the service itself as an Open Banking service provider.

A 5G Mobile Network Slice dedicated to “Mobile Banking” can also provide enhanced user security as unique security parameters can be defined for network slices individually.

Multi Factor Authentication mechanisms provided by the Mobile Network Operator

The MNO can provide enhanced security based on location based services (subject to GDPR & customer approval). The MNO can provide a risk score based on location of the customer.

The Mobile operator knows through the National Device Register if the device has been stolen. The MNO can provide improved 2nd and 3rd Factor authentication protection through the Equipment Identity Register. This is important as fingerprint spoofing is a known and achievable process; and an amputated digit injected with Botox will continue to provide a useable fingerprint for two weeks!

The Mobile operator understands the roaming likelihood and can quantify the risk. Matching spend and location reduces fraud. Hence the Apple Pay contactless system does not have a £30 limit. In fact it is even safer, as a physical card can be cloned and a four-digit PIN can be noticed.

The MNO can also wrap 2nd and 3rd factor authentication into its mobile app as an identity provider in the Open Banking universe. And it can provide commercial Risk and Location based APIs consumable by Open Banking service providers.
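The following sketch shows how the signals described in this section (stolen-device status, network-observed location, roaming state, and whether spend matches location) could be combined into a risk decision. It is an added example, not code from the original article or from any operator; the field names, weights and thresholds are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

# Constructed weights and thresholds: assumptions for illustration only.
STEP_UP_AT, DECLINE_AT = 40, 80

@dataclass
class Signals:
    imei_blocklisted: bool   # device reported stolen (EIR / device register lookup)
    network_pos: tuple       # (lat, lon) of the device as seen by the network
    payment_pos: tuple       # (lat, lon) where the payment is being made
    serving_country: str     # country of the network currently serving the device
    payment_country: str     # country of the merchant or terminal
    roaming: bool            # device attached to a visited network

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def risk_score(s):
    """Return (score 0-100, reasons) from the network-side signals."""
    score, reasons = 0, []
    if s.imei_blocklisted:
        score += 100
        reasons.append("device_reported_stolen")
    if haversine_km(s.network_pos, s.payment_pos) > 50:
        score += 50
        reasons.append("spend_location_mismatch")
    if s.payment_country != s.serving_country:
        score += 40
        reasons.append("country_mismatch")
    elif s.roaming:
        score += 5   # roaming, but spend matches where the device really is
        reasons.append("roaming_consistent")
    return min(score, 100), reasons

def decide(s):
    """Map the score to allow / step_up (ask for another factor) / decline."""
    score, _ = risk_score(s)
    if score >= DECLINE_AT:
        return "decline"
    return "step_up" if score >= STEP_UP_AT else "allow"

# Constructed sample signals (not real subscriber data).
LONDON, MANCHESTER, PARIS = (51.5074, -0.1278), (53.4808, -2.2426), (48.8566, 2.3522)
home = Signals(False, LONDON, LONDON, "GB", "GB", False)
far = Signals(False, LONDON, MANCHESTER, "GB", "GB", False)
abroad = Signals(False, PARIS, PARIS, "FR", "FR", True)
stolen = Signals(True, LONDON, LONDON, "GB", "GB", False)
```

A roaming customer spending where the network sees the device scores low, while a payment far from the device or from a blocklisted handset triggers a step-up or a decline.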

How Open Banking Implements Multi Factor Authentication and Strong Customer Authentication

UK Open Banking can implement Multi-Factor Authentication, including Passwordless authentication mechanisms, as part of Account Information Service Provider and Payment Initiation Service Provider flows. UK Open Banking uses OAuth 2.0, OpenID Connect and the Financial API specifications from the OpenID Foundation. This extends the PSD2 OAuth 2.0 flow where the providing bank must use Strong Customer Authentication to authenticate the user.

This can be a Username / Password combination or a higher factor of authentication. More interestingly, this can also be Passwordless (fingerprint recognition) authentication by seamlessly pushing authentication to the bank’s mobile app (if on a mobile device). Alternatively this push can be to the Account Information Service Provider’s authentication service. The Mobile Network Operator can be a UK Open Banking Account Information Service Provider using 3 Factor authentication in a single passwordless action, supplemented by the MNO’s own location based and fraud detection services.

Use of Open Banking in the Internet of Things

The Mobile operator can also support an AISP model when supporting consumer Internet of Things propositions. As an example, the consumer with a listed Airbnb property that includes a number of smart devices may choose to manage the IoT contracts through a separate bank account whilst managing all their accounts through a single AISP. This creates a nice up-sell loop for the Mobile Network Operator providing AISP capabilities alongside IoT propositions.

Conclusion

Trust is critical for the success of mobile banking. Security breaches can lower the adoption of online banking services. The most effective mobile banking service is the one that integrates all of the available security tools together. This is one that the Mobile Network Operator already does well and can do better with 5G Network Slices and the use of Passwordless 3 Factor Authentication.

Good Data Governance is required to gather and store customer consent as part of the Auditing phase of implementing Open Banking. The flow to secure the relationship between the Bank and the Open Banking provider must be a Multi-Factor Authentication mechanism. The only way to make mass market 3-Factor Authentication any stronger is to utilise the MNO’s location services.

Finally, Mobile Network Operators have historically made poor banks, but with Open Banking they do not need to take that long step. Instead they can aggregate their customers’ existing banking providers through Open Banking.

Mobile Operators Guide to European Payment Services Directive

European Payment Services Directive 2

The European Payment Services Directive (PSD2) will be transposed into member state law by 2018 and will have a transformative effect on nation state and cross border electronic payments. The Directive aims to increase the convenience and security of electronic payments. This is achieved by promoting payment innovation, for example by Open APIs, and by deregulation of financial service roles. PSD2 will allow new payment service providers to enter the market. Technology firms and mobile operators may be the greatest beneficiaries.

The Directive will transform the way users access their bank accounts during digital commerce. For example, the user may choose a mobile network operator’s payment mechanism as part of a contactless payment.

Opportunity for Mobile Operators

PSD2 mandates the use of robust authentication standards. Any technology provider with authentication and authorisation capabilities can take advantage of PSD2.

The advantage for Mobile Operators is their ability to support network authentication and service location functions. These functions are all particular to mobile networks, making operators a valuable partner in the development of new identity and authentication solutions.

  • 100.1 million contactless credit & debit cards in issue in the UK (Q1 2016)
  • £39.2 billion – UK domestic spending on debit (October 2016)
  • £2,903.2 million – UK contactless card spend (November 2016)
  • £249.9 million – payment card gross fraud in the six months to June 2016
  • 12 million Apple Pay monthly users globally (Q1 2016)
  • 71% – proportion of UK adults with a smartphone (Q1 2016)

Electronic Identification and Trust Services

Electronic Identification and Trust Services (eIDAS) regulation is a tenet of the EU’s Digital Single Market. Mobile Operators have already launched pilots for eIDAS compliant cross-border authentication solutions for the use of public sector services.

PSD2 together with eIDAS give a unique opportunity to operators to support identity for both the private and public sectors. This identity management capability will be critical to all Open APIs in any new PSD2 mobile banking platform.

Some likely use cases

The freedom to “delegate” bank account access is the first major shift that users will see. Under PSD2 an account holder will be able to allow a licensed Payment Initiation Service Provider (PISP) or Account Information Service Provider (AISP) access to their bank account for the purposes of initiating a payment or evaluating the user’s ability to pay.

Online commerce is likely to become simpler through such rules as it will allow all banked consumers to buy online using just their bank account, removing the reliance on debit or credit card ownership. This represents a leap forward for consumer and merchant alike, since direct bank transfers can typically clear in two hours or less with some services offering instant settlement.

Discounts for mobile cash?

For merchants wanting to ease cash flow this is a benefit and service for which they may be willing to offer incentives. Direct bank transfers and instant settlement provide simplicity for the user and immediacy for the merchant that may be equivalent to the days when merchants offered “discounts for cash”.

The power to delegate bank account access is set to trigger major changes in the way digital commerce is conducted. The appearance of new innovative payment services that rely on the powers conveyed by PSD2 is highly likely; as is the anticipated reaction from traditional card schemes whose profitability may well be curtailed by PSD2’s cap on interchange fees and merchant surcharging. Either way the consumer will benefit.

Payment security

With increased openness come issues that relate to “security”. To address these, PSD2 is demanding the use of strong authentication. The European Banking Association (EBA) has been tasked with defining a standard that achieves this and first drafts are out for review now. From the application designer’s perspective, traditional authentication systems that employ one time passwords (OTP) or static personal identification numbers (PINs) may be deemed unfit for use within future digital commerce applications as the banks and other service providers latch on to the EBA’s regulatory technical standard.

The EBA is asking for two factor authentication where the user has to be in possession of two things, for instance, a password and an access token, to prove their identity. Mobile phone based services like GSMA Mobile Connect will become more prevalent in the future digital market. Advances in smartphones will also increase the use of biometrics as an authentication factor.

Direct Carrier Billing

Not all the impacts of PSD2 will come from easier access to bank accounts or added security. PSD2 has tightened the rules on Direct Carrier Billing (DCB). Consumers accustomed to buying digital content via their mobile phone and charging it to their phone bill will see their options curtailed.

Under PSD2 single DCB transactions will be capped to a maximum of €50 per transaction with a maximum monthly limit of €300. PSD2 continues to allow Electronic Money Institutions (EMIs) to extend the reach of DCB from digital content to the purchase of physical goods.

Mobile Operator Opportunities and Partnerships

Mobile Operators have a PSD2 advantage through service location functions and authentication. SIM & eSIM based authentication can be extended to provide security for customers and merchants by implementing Electronic Identification and Trust Services. With 5G, new network slices may be able to provide a Quantum Encryption Network Slice that would guarantee merchant to bank transactional security.

The greatest opportunity may be through partnerships. The GSMA Mobile Connect and mobile payments projects are likely avenues for greater partnerships. The advent of contactless payment cards in the late 2000s saw early attempts by UK mobile operators to act in partnership as a bank. The advantage of PSD2 is that it removes the requirement for mobile operators to become banks as they can instead focus on interactions with payment processing companies.

Finally, any potential European Commission regulation on Anti-Trust on mobile device payment solutions could further open the market for mobile operators (or mobile industry bodies) to provide payment solutions. Such a change in regulation may allow the handset vendor to offer their services as part of the initial contract sale.