Yes, to some extent you can use the information retrieved through our API in order to perform customer verification and identification. However, Instantor is not equivalent to strong authentication.
In our data aggregation process, we retrieve data from the bank about the end-user. These data points could include social security number, name, address, phone number, and other personal information about the end-user if these are made available by the bank.
In relation to the European regulation through PSD2 (Second Payment Service Directive), there is a new requirement regarding verification of customer for financial engagement. One of these is the so-called strong authentication.
The lately dictates that for a user to be verified correctly, institutions need at least two of the following information:
- Something that only the user knows, e.g., static password, code, personal identification number
- Something that only the user possesses, e.g., token, smart card, mobile phone
- Something the user is, e.g., biometric characteristic, such as a fingerprint
Since Instantor is an AISP (account information service provider), it relies on the bank’s method of verification to authenticate the customer’s access to their bank account. Therefore, it is not Instantor who technically is doing the verification of the customer. However, to the best of our knowledge, the information retrieved from the digital bank account can be used for identification purposes since the bank has had these verified when the customer initially opened up the account.
Strong authentication is successively being implemented by European banks for customer authentication, though by various speed and means. One successful case is the Mobile Bank ID in Sweden. Here you can read more about this successful case: https://www.bankid.com/en/.