
Compliant Banking-as-a-Service for VISA in Europe
BPCE had acquired a number of fintech startups, the BaaS being part of its partnership with VISA, and was trying to bring them into compliance with EU regulations: in particular DSP2, AML5 and GDPR. That's when we kicked in.
The card business is not slowing down despite the adverse predictions. Neobanks are trying to reach the market, each with its specific differentiator, but all of them advertise their credit card. Xpollens was the answer VISA chose to deliver, partnering with BPCE, facing its competitor Mastercard's Treezor, hosted within Société Générale.
Neobanks have a light banking licence, usually restricted to basic financial services, and rely on a full-fledged bank providing them the required banking services in the back-end. All the technicality is concentrated in one entity, the full-fledged bank, while the differentiating service is entirely created and managed by the neobank itself. Google Wallet / Apple Pay? The neobank can only comply if the full-fledged bank behind it has implemented the connectors. The same goes for KYC and in-app strong authentication, and that is what we delivered.
Know Your Customer: Facial Scan 24/7
Customer acquisition is a critical KPI for neobanks. Cost per new customer, as well as the ease and speed of onboarding, is of utmost importance. After a thorough RFP, a compliant facial-recognition partner was selected and integrated through a web app and an API.
A flow of a few screens is then played inside any mobile app, and the identity of the neobank's prospect is checked by the compliant partner. The partner picks up the identification request within seconds and is committed to taking a decision within the next 3 minutes, 24 hours a day, 7 days a week. Fraud detection at this stage is of utmost importance (fraud networks, known fraudsters, fake IDs, ...): this KYC check is absolutely crucial for banks.
That is how neobanks acquiring only a few customers per month can already access cutting-edge technology and top-notch 24/7 service: their volumes are pooled with the identification requests of all the other neobanks served by the full-fledged bank behind them.
2FA: Strong Customer Authentication
Maybe you remember the SMS we used to receive when paying online. Some years ago, attackers found ways to intercept this code on your phone and use it without your consent: in-app notifications are more secure.
Another thorough RFP was launched to find a reliable cryptography provider. This time, integration used an API and an SDK: the secure code packages enabled strong cryptography inside the end user's mobile phone. To ensure seamless onboarding, the secure encryption and binding of the device occur at the same time as the KYC: by linking both steps, the bank obtains the certainty of a bijective match between verified identity and secured device.
Using this strong security, we could unlock many highly sensitive features directly inside the SDK. This enabled all neobanks to display card PIN codes, for example, in a manner that ensured total end-to-end encryption of the code from the card manufacturer to the mobile phone screen. No one in the middle has any knowledge of this code, not even the full-fledged bank.
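The device binding at KYC time and the end-to-end PIN delivery described in the two paragraphs above, as an added Go example that is not code from the project, BPCE, or the cryptography provider. It assumes X25519 key agreement with AES-256-GCM and a SHA-256 key derivation, since the page does not name the provider's algorithms; the names Device, Bank, SealPIN and OpenPIN, the customer id and the PIN value are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Device is the enrolled phone; its X25519 private key is generated in the SDK
// and never leaves it. Only the public key goes to the bank, during the KYC.
type Device struct{ priv *ecdh.PrivateKey }

func NewDevice() (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func (d *Device) PublicKey() []byte { return d.priv.PublicKey().Bytes() }

// Bank maps a KYC-verified identity to exactly one enrolled device public key.
// For PIN delivery it only hands this key to the card manufacturer and relays
// the sealed envelope unchanged; it never holds a decryption key.
type Bank map[string][]byte

// Enrol refuses a second device for the same identity, keeping the mapping bijective.
func (b Bank) Enrol(customerID string, devicePub []byte) error {
	if _, exists := b[customerID]; exists {
		return errors.New("identity already bound to a device")
	}
	b[customerID] = devicePub
	return nil
}

// SealedPIN is the opaque envelope that travels manufacturer -> bank -> phone.
type SealedPIN struct{ EphemeralPub, Nonce, Ciphertext []byte }

// sessionAEAD runs the X25519 agreement and derives an AES-256-GCM key from it;
// SHA-256 over a label, the secret and both public keys stands in for HKDF here.
func sessionAEAD(priv *ecdh.PrivateKey, peer, ephPub, devicePub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	for _, part := range [][]byte{[]byte("card-pin-delivery-v1"), shared, ephPub, devicePub} {
		h.Write(part) // "card-pin-delivery-v1" is a constructed domain-separation label
	}
	block, _ := aes.NewCipher(h.Sum(nil)) // 32-byte key, so this cannot fail
	return cipher.NewGCM(block)
}

// SealPIN runs at the card manufacturer: a fresh ephemeral key agrees a secret
// with the device key, and the PIN is encrypted with the device public key as
// associated data so the envelope cannot be redirected to another device.
func SealPIN(devicePub []byte, pin string) (*SealedPIN, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	aead, err := sessionAEAD(eph, devicePub, ephPub, devicePub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, []byte(pin), devicePub)
	return &SealedPIN{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenPIN runs inside the SDK on the phone: only the enrolled device can
// recompute the secret, and any modification in transit fails the GCM tag.
func (d *Device) OpenPIN(s *SealedPIN) (string, error) {
	aead, err := sessionAEAD(d.priv, s.EphemeralPub, s.EphemeralPub, d.PublicKey())
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, s.Nonce, s.Ciphertext, d.PublicKey())
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	phone, _ := NewDevice()
	bank := Bank{}
	_ = bank.Enrol("customer-0001", phone.PublicKey()) // constructed identity
	sealed, _ := SealPIN(bank["customer-0001"], "4821")  // constructed PIN
	fmt.Println(phone.OpenPIN(sealed))
}
```

The bank appears only as a lookup table: it can observe that a sealed envelope passed through, but it holds nothing that decrypts it, which is the property the paragraph above claims for the full-fledged bank. Binding the device public key at enrolment and refusing a second one is what makes the identity-to-device mapping one-to-one; the SHA-256 derivation is a deliberate simplification, and a deployment would use HKDF with a context label.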
