Business Reporter

Trust, risk, and regulation in open banking

Barry O’Donohoe of Raidiam navigates the security maze of open banking and outlines how regulation is shaping it

The digitisation of financial services has led to new consumer-facing fraud risks and cyber-breach fears for banks. The cumulative losses to online payment fraud globally between now and 2027 are predicted to exceed $343bn.

Establishing effective protections is about more than just protecting your business. It is about future-proofing it against mounting security risks to enable it to flourish and support innovation, while offering an excellent customer experience.

Open banking has revolutionised the financial industry by introducing third-party providers into the ecosystem, offering innovative services and greater consumer control over financial data. However, this shift also brings new security challenges that must be managed effectively.

Security risks in open banking

The integration of third-party providers in open banking introduces new security risks compared with traditional banking systems. Historically, banks were the sole custodians of customer data, responsible for its protection and security. In open banking, however, multiple stakeholders can access and manage this data, increasing the potential points of failure. If a data breach occurs, identifying the responsible party among the many entities involved can become complex, because no single party readily puts up its hand.

To mitigate these risks, markets have adopted stringent licensing and accreditation processes for new entrants to ensure they are in good standing. This includes verifying their privacy policies, risk management frameworks, financial stability, and customer consent management strategies.

Regulatory bodies also emphasise the importance of incident management, business continuity and fraud prevention measures, to ensure that all participants adhere to high security standards.

Several factors need to be considered, but ultimately it comes down to how a supervisory body, such as a central bank or regulator, can sufficiently govern the entry of new providers and ensure they measure up to the requirements of operating in an open finance market.

Once a third party is regulated or licensed to engage in these activities, the standards typically used for sharing financial-grade data tend to have controls for security, privacy, integrity, non-repudiation and other requirements built in. Banks, as custodians of the customer data, remain in control; they are ultimately the enforcement point.

Trust in open banking platforms

Public and business trust in open banking platforms is still evolving. One major hurdle is the lack of awareness and understanding of what benefits open banking delivers. In regions like the UK, awareness campaigns have not always been so effective at providing the “what’s in it for me” information.

The term “open banking” can be misleading because people generally do not want their bank accounts and finances to be open, as it may imply a lack of security or privacy. This is where markets like Canada have come up with new terms like “Consumer-Driven Banking”, which implies that consumers and businesses have the freedom to choose who they trust and want to interact with; perhaps most importantly it implies that they are in control.

Improving trust requires better education and communication about the benefits and safety of open banking. Different messaging, such as the Canadian example, could help convey the empowerment and control it offers consumers.

Additionally, highlighting the enhanced digital services, cost reductions, and improved financial experiences can foster greater acceptance and trust. After all, customers don’t need to know what open banking itself is; they just need to understand the benefits and value it delivers, and have confidence that adequate measures are in place to protect their data.

The ideal situation is that more people become aware through their networks and word of mouth, which will drive adoption and allow for transparent use, without them necessarily knowing that it is called open banking.

Security of open banking APIs

Organisations such as ours promote security by working with standards bodies, such as the OpenID Foundation and its Financial-grade API (FAPI) Working Group. Open banking APIs are designed to securely transfer sensitive financial data between institutions and third-party providers.

Once a party is regulated and licensed, they must adhere to standards that ensure security, privacy, and data integrity. Banks maintain their standard security measures, including perimeter controls, defence-in-depth strategies and fraud detection frameworks. These controls enable banks to monitor and enforce security protocols effectively.

Twelve major countries globally, and the number is growing, have selected FAPI as the baseline secure communications standard. It bakes in the mechanisms for the security services that are necessary: for example, proving that the communicating parties are who they claim to be in the digital exchange, ensuring that exchanges between those parties occur over a mutually authenticated connection, and ensuring that data is encrypted and secure in transit.
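As an added illustration of the mutual-authentication point above (example code, not from the article or from Raidiam): the FAPI profiles sender-constrain access tokens using mutual TLS as specified in RFC 8705, so a token issued over one authenticated connection is rejected if presented over another. The DER certificate bytes and token claims below are constructed stand-ins, and token signature verification is assumed to have already happened.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Added example. Certificate-bound access tokens (RFC 8705, used by FAPI):
# the authorisation server records a SHA-256 thumbprint of the client's TLS
# certificate in the token's "cnf" claim; the bank's API accepts the token only
# if the same certificate authenticated the connection it arrives on.
# Claims are handled as a plain dict, i.e. after JWS signature verification.


def x5t_s256(cert_der: bytes) -> str:
    """base64url (no padding) SHA-256 thumbprint of a DER-encoded certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token_to_certificate(claims: dict, client_cert_der: bytes) -> dict:
    """Authorisation-server side: bind the token to the mTLS client certificate."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(client_cert_der)}
    return bound


def verify_certificate_binding(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource-server side: accept only if the presented certificate matches.

    Rejected cases: no client certificate on the connection, a token that was
    never bound (no cnf claim), and a thumbprint mismatch (a token replayed over
    a connection authenticated by a different certificate)."""
    if presented_cert_der is None:
        return False
    expected = claims.get("cnf", {}).get("x5t#S256")
    if not isinstance(expected, str):
        return False
    actual = x5t_s256(presented_cert_der)
    return hmac.compare_digest(expected.encode("ascii"), actual.encode("ascii"))


# Constructed stand-ins for DER certificate bytes; a real deployment would use
# the DER of the third party's transport certificate from the trust framework.
TPP_CERT_DER = b"\x30\x82\x01\x00constructed-tpp-transport-cert"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-other-cert"

if __name__ == "__main__":
    token = bind_token_to_certificate({"sub": "psu-123", "scope": "accounts"}, TPP_CERT_DER)
    print("same cert   :", verify_certificate_binding(token, TPP_CERT_DER))      # True
    print("other cert  :", verify_certificate_binding(token, OTHER_CERT_DER))    # False
    print("no cert     :", verify_certificate_binding(token, None))              # False
    print("unbound tok :", verify_certificate_binding({"sub": "psu-123"}, TPP_CERT_DER))  # False
```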

 

Consumer responsibilities

Consumers also play a crucial role in safeguarding their financial information. It is essential for them to regularly review and manage the permissions granted to third-party providers.

They should ensure that they regularly review relationships with third-party services and terminate those that no longer meet their needs or pose security concerns and vote with their feet. By staying vigilant and informed, consumers can protect their personal and financial data.

Regulatory frameworks and PSD2

Regulatory frameworks like the Payment Services Directive 2 (PSD2) in Europe aim to address the security risks in open banking. The European Banking Authority (EBA) developed Regulatory Technical Standards (RTS) that provide guidelines for strong customer authentication and secure communication. However, the RTS is principle-based and qualitative, and lacks specific technical API standards. This has led to fragmented implementations across different member states.

Each country has adopted varying standards, resulting in inconsistencies that complicate market operations for FinTechs. This fragmentation undermines the uniformity and predictability essential for a well-functioning market. The UK’s approach, which involves well-defined technical API standards, has proven more effective, leading to a higher number of participating organisations and innovative services.

To enhance the effectiveness of PSD2, future iterations should focus on harmonising standards across member states to ensure a consistent and reliable implementation. This would simplify the process for FinTechs and improve the overall security and functionality of open banking systems.

Open banking presents both opportunities and challenges in the financial sector. Addressing the significant security risks, building public trust, ensuring the secure transfer of data, empowering consumers to protect their information, and refining regulatory frameworks are essential steps towards a secure and efficient open banking ecosystem.

By focusing on these areas, the financial industry can leverage the benefits of open banking while safeguarding against potential threats.

Barry O’Donohoe is Co-founder and CEO at Raidiam

Main image courtesy of iStockPhoto.com and peshkov
