Would you trust your bank to share your financial data securely? In an age where data breaches for the big tech companies seem to be an everyday occurrence, 48% of customers cited security concerns as one of the downsides of Open Banking.
Yet 40% believe the benefits of Open Banking – streamlined payment structures, a more extensive range of financial products and control of your data – make this disruption to the financial sector broadly positive and welcome the change.
The question is, can Open Banking meet security concerns while continuing to educate customers as to its benefits?
Open Banking uses application programming interfaces (APIs) to deliver fast and highly secure data transfer.
Unlike the screen scraping method dependent on you sharing your login details with an app, APIs allow you to regulate the data you share, with whom and for how long without ever sharing password information. This transfer of data can only be authorised by the user and cannot happen without their consent.
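To make that consent mechanism concrete, here is an added Python example (not code from the original article, nor from any bank or Open Banking body) of a bank-side consent check that enforces the three controls the paragraph names: which data is shared, with which provider, and for how long. The permission names are borrowed from the Open Banking UK account-access-consent model; the `Consent` and `ConsentStore` structure, the provider identifiers and the dates are assumptions made for illustration.

```python
"""Consent-based access control for an Open Banking style account API.
Added illustration, not the Open Banking UK schema or any bank's code: the
customer authorises at the bank, and the provider never sees a password."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable
import secrets

# Permission names borrowed from the Open Banking UK account-access-consent
# model; the set is trimmed for the example.
KNOWN_PERMISSIONS: FrozenSet[str] = frozenset({
    "ReadAccountsBasic", "ReadAccountsDetail", "ReadBalances", "ReadTransactionsDetail",
})


class ConsentError(Exception):
    """A data request falls outside what the customer agreed to."""


@dataclass
class Consent:
    consent_id: str
    tpp_id: str                  # with whom: the provider the customer approved
    permissions: FrozenSet[str]  # what: the data categories agreed to
    expires_at: datetime         # for how long
    status: str = "AwaitingAuthorisation"  # then "Authorised" or "Revoked"


class ConsentStore:
    """Bank-side register of consents (assumed in-memory structure)."""

    def __init__(self) -> None:
        self._consents: Dict[str, Consent] = {}

    def create(self, tpp_id: str, permissions: Iterable[str],
               lifetime: timedelta, now: datetime) -> Consent:
        """The provider asks for a consent; it is unusable until the customer authorises it."""
        perms = frozenset(permissions)
        unknown = perms - KNOWN_PERMISSIONS
        if unknown:
            raise ConsentError(f"unknown permissions requested: {sorted(unknown)}")
        consent = Consent(secrets.token_urlsafe(12), tpp_id, perms, now + lifetime)
        self._consents[consent.consent_id] = consent
        return consent

    def authorise(self, consent_id: str) -> None:
        """Called only after the customer logs in at the bank and approves the request."""
        self._consents[consent_id].status = "Authorised"

    def revoke(self, consent_id: str) -> None:
        """The customer can withdraw access at any time."""
        self._consents[consent_id].status = "Revoked"

    def check_access(self, consent_id: str, tpp_id: str,
                     permission: str, now: datetime) -> Consent:
        """Return the consent if the request is allowed, otherwise raise ConsentError."""
        consent = self._consents.get(consent_id)
        if consent is None:
            raise ConsentError("unknown consent")
        if consent.tpp_id != tpp_id:
            raise ConsentError("consent was granted to a different provider")
        if consent.status != "Authorised":
            raise ConsentError(f"consent is {consent.status}, not Authorised")
        if now >= consent.expires_at:
            raise ConsentError("consent has expired")
        if permission not in consent.permissions:
            raise ConsentError(f"{permission} is outside the consented permissions")
        return consent

    def is_allowed(self, consent_id: str, tpp_id: str,
                   permission: str, now: datetime) -> bool:
        try:
            self.check_access(consent_id, tpp_id, permission, now)
            return True
        except ConsentError:
            return False


def demo() -> Dict[str, bool]:
    """Walk one constructed consent through its lifecycle and record each decision."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # assumed clock
    store = ConsentStore()
    tpp = "tpp-budget-app"  # hypothetical registered provider
    cid = store.create(tpp, {"ReadAccountsBasic", "ReadTransactionsDetail"},
                       timedelta(days=90), now).consent_id
    out: Dict[str, bool] = {}
    # Nothing is released until the customer has authorised at the bank.
    out["before_authorisation"] = store.is_allowed(cid, tpp, "ReadTransactionsDetail", now)
    store.authorise(cid)
    out["in_scope"] = store.is_allowed(cid, tpp, "ReadTransactionsDetail", now)
    # Data the customer did not agree to share is refused, even to the right provider.
    out["out_of_scope"] = store.is_allowed(cid, tpp, "ReadBalances", now)
    # A different provider presenting the same consent ID gets nothing.
    out["other_tpp"] = store.is_allowed(cid, "tpp-other", "ReadTransactionsDetail", now)
    # Access ends when the agreed period does, and immediately on revocation.
    out["after_expiry"] = store.is_allowed(cid, tpp, "ReadTransactionsDetail",
                                           now + timedelta(days=91))
    store.revoke(cid)
    out["after_revocation"] = store.is_allowed(cid, tpp, "ReadTransactionsDetail", now)
    return out


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:20s} {'allowed' if allowed else 'refused'}")
```

Running the module prints one line per decision; only the in-scope request by the approved provider, within the consent's lifetime and after the customer's authorisation, is allowed. The contrast with screen scraping is the point: a scraper holding the customer's password could read everything, for as long as the password stays valid, with no way for the bank to distinguish it from the customer.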
Only third party providers that are highly regulated are permitted access to Open Banking APIs. A third-party provider should:
– Be FCA (Financial Conduct Authority) authorised and included in the FCA register or Open Banking directory
– Redirect you to your personal or business account for online banking login and never ask for your password
The FCA is the independent regulator that authorises and supervises the third-party providers taking part in Open Banking. All businesses in the UK financial sector work to FCA regulatory standards and guidelines.
For a third-party provider to access Open Banking APIs, they must undergo a stringent independent review to ensure that all processes, systems and security controls conform to the FCA’s standards. To retain authorisation, providers undergo regular security checks and FCA auditing.
To search for a business on the FCA register:
– Visit https://register.fca.org.uk/
– Input the name of the third-party provider
– Click ‘search register’
Information includes FCA status and registration number, permissions, regulators and brand or trading names. If the provider is not listed on the FCA register, then they’re unregulated, and your business could be at risk of fraud if you continue dealing with them.
Open Banking is considered a revolution in the way in which businesses and individuals can manage their money. But with the advent of PSD2 comes an enhanced threat landscape, with API attacks predicted to be a major vector by 2022. Attackers will probe APIs for weaknesses such as broken authentication or authorisation, and can also flood them with traffic in a distributed denial of service (DDoS) attack, resulting in transaction downtime.
Alongside unregulated providers and apps, other areas of risk within the Open Banking environment include:
– Transfer of trust
Customers are expected to transfer trust from established financial institutions and secure online banking platforms to a third-party provider with little or no track record of combating fraud. Spreading data across many providers on the Open Banking API platform may also make fraud harder to detect, as banks struggle to spot issues in real time.
– FinTech vulnerability
Smaller startups may not be able to offer the same level of security as a bank and could be ideal targets for an attack while in possession of customer data. Criminals may also impersonate FinTech companies in new styles of phishing attack.
– Transaction data is high value
Attackers, or unregulated third parties who obtain it, can use transaction data to study behavioural patterns, schedules, financial status and routines, and then exploit that knowledge against the customer.
– Coding standards
Poor or insecure coding represents an API risk. Financial providers should seek assurances from third-party providers that their apps meet secure coding standards and best practice.
– Inadequate security protocols
TLS configuration and certificate validation, message parsing (XML or JSON) and endpoint security are all potential weak points in the data journey. Data must be adequately secured at every step: at rest, in transit and in use.
So, can Open Banking meet customers' security concerns? The answer is yes, if banks exploit Open Banking's benefits to deliver safe and secure transactions that add value for the consumer. There is a way forward to a more secure future in the Open Banking environment:
– Collaboration and standardisation
Open APIs drive collaboration not only between banks and FinTechs but also between financial regulators and government bodies, steering best practice and standards across the sector.
– The customer is in control
Transparency is critical for third party providers seeking to build trust-based relationships with customers. These will be based upon openness as to how data is used, encrypted and secured.
– AI and improved protection
The starting point may be robust Know Your Customer (KYC) standards, but AI may be the tool that spots unusual patterns in transaction monitoring, leading to more secure transactions for all customers.
– Evolved authorisation
FCA oversight means that UK consumers can trust apps from authorised third-party providers. Customers have control over who accesses their data and for how long, knowing that data may only be accessed when they give their consent and authorisation.
– Proactive cybersecurity
Proactive security actively seeks out weaknesses and vulnerabilities before attackers do, so that threat protection keeps pace with them.
The implementation of new technologies is often accompanied by risks as well as opportunities. But the benefit of putting customers in control of their money management, and of disrupting the market to promote new ways of working, is too revolutionary to ignore.
All participants in the Open Banking ecosystem will have a responsibility to educate customers as to the benefits of Open Banking and to realign customer relationships with transactions that are responsive, safe and ultimately more secure.