Reverse Engineering for Banking Apps: What, How, and Why?
27 August 2020
We now live in an age of open banking… in theory. As we approach the recently-extended compliance deadline for PSD2 on December 31st, we are facing two linked but clashing realities. One, that so-called 'open banking' will have huge benefits for consumers and corporate interests alike and will help usher in a mini revolution in the world of finance. And two, banks and financial institutions largely aren't prepared when it comes to consumer-facing software and applications. This obviously raises a few questions.
What is PSD2 and Why Do I Need to Know About It?
PSD2 is a European directive that focuses on hardware and software used on devices or cards sold or distributed within the European Union with the intent of processing consumer transfers and payments. Also known as Payment Services Directive 2 or EU Directive 2015/2366, the legislation's chief goal is harmonising standards and security protocols across the board for EU citizens and businesses.
While, in theory, the full implementation of PSD2 on all platforms will lead to a more holistic experience and potentially heightened layers of security for all involved, moves towards compliance so far have been scattered and not clearly defined. So far, banks and other financial and tech institutions have yet to be presented with a unified API to be integrated universally across applications. This is unusual in EU legislative guidance and so has left many to do the groundwork themselves. This has resulted in an interoperability issue.
What is Interoperability?
Good question. Interoperability is the word we use for things that work together in harmony, simply and effectively without any needless barriers. In this instance, a positive interoperability outcome would be that banking applications and other software-based financial transaction portals work seamlessly together based on secure mutual protocols and don't require more authentication steps than are necessary in connecting one trusted platform to another - providing they have already been granted initial authorisation by the consumer within a given time period.
This interoperability is what PSD2 hopes to achieve, but without a unified API to connect all relevant software and architecture issued by a competent EU authority, each individual player is left to tackle the interoperability problem on their own.
Enter Reverse Engineering
The advice any developer will give when presented with an issue around operability is 'get back to your code'. And that's largely what banks and other institutions have been doing. To better understand the functionality of one another's application architecture, and therefore take steps to become mutually compatible, institutions must reverse engineer their counterpart's software and comb it for potential points through which seamless interoperability can be established.
Effectively, this reverse engineering allows one bank or institution to freely access its counterpart's member data (pending the approval of every given member in question) on a user level to more effectively process, track, and log transfers for better data and operations oversight at all levels.
Is this easy? Yes and no. It depends on whether or not you know what you're looking for and how much access to each platform's code you have. At the moment, as it is an official EU compliance issue and therefore not optional, banks and other institutions are decidedly proactive in the matter, meaning those assisting in the reverse engineering effort (like us!) have been able to negotiate their way through solving interoperability issues with relative ease. Without this openness and readiness to change and consult on application architecture, the task would be exponentially more difficult.
It's understandable that banks and other trusted financial bodies would be naturally cagey around anything related to their architecture. There's an inherent trust issue and obligation to the consumer there that they can't risk. But the simple fact is that by December 31st this year, everyone needs to be in full compliance with PSD2 and that means having all software and applications at a reasonable level of interoperability.
Is There A Benefit to All This?
Approaching PSD2 compliance sounds like a horror show, but it isn't. At the other end of compliance lies no end of benefits for both consumer and institution. There are of course the positive security implications and the protection a harmonised EU-wide standard would have for both consumers and businesses operating within the European marketplace. But in a wider sense, interoperability also offers far greater insight into transaction and payment-related trends: it will help banks in better understanding individuals' financial history, which makes for more effective risk management; it allows businesses more agency in processing and confirming things like payments and invoicing; and it can even give shoppers greater insight into their own personal habits, which can allow for more control over how they go about spending their money - in some instances it has even been allowing online storefronts to offer consumers a discount on products based on their transaction history. In all, it empowers those at every point of the financial transaction process to get more from the experience.