Open banking in the digital era: safeguarding and security
It might feel like everywhere you look, you see open banking services. But did you know that only a tiny percentage of open banking service providers are actually mandated by regulation?
This leaves the majority of financial services providers with a long leash and no set rules, which creates weaknesses in how customer data is safeguarded. That lack of standardisation is one plausible contributor to the more than 4,100 data breaches reported by businesses last year (and that is only the publicly disclosed number).
The need for more robust security measures and clearer regulatory requirements is plain. In this piece we set out a framework for businesses that want to harness open banking while keeping their customers' data protected.
The regulatory landscape
Strictly speaking, the OBIE's roadmap (which flows from the CMA's Retail Banking Market Investigation Order 2017) binds only the nine banks known as the CMA9:
- AIB group
- Bank of Ireland
- Barclays Bank
- HSBC Group
- Lloyds Banking
- Nationwide Building Society
- Northern Bank
- The Royal Bank of Scotland
- Santander
The Order requires these nine to implement common standards, including a standard open banking API and the security profile that protects it. The aim was a minimum quality threshold across the nine providers, and widespread, secure data sharing on top of it.
Alongside this, the second Payment Services Directive (PSD2) mandates strong customer authentication (SCA) and secure communication for every payment service provider, not just the CMA9. What PSD2 does not mandate is any particular API standard: outside the CMA9, adopting the OBIE standards is voluntary, which has led to inconsistent and poorly built APIs, thin support, and customer data being put at risk.
Security considerations for open banking
While the safety of the technology itself and the data that can be accessed are two key factors, here are some other open finance security considerations to address:
- Data collection and privacy
- Data sharing
- Data protection
Data collection
Data collection is necessary for many organisations in order to target customers with relevant offers. And thanks to the GDPR, data collection rules are already well-established.
So the idea of consent becomes important. On every website, visitors must accept or decline cookies, for example, which are small identifiers stored in the browser that can be collected and shared. That "yes or no" choice is an example of consent management: a practice that open banking needs too.
But who has time to read the terms and conditions?
97% of young people never read the terms and conditions (T&Cs), so even when open banking providers set out what they collect, customers are not really giving informed consent. Even where a bank makes its terms explicit, it is unlikely that customers will comb through the small print and fully understand what they are signing up for.
Thomas Purton, Product Manager at Bud, tells us about a mini experiment that the company ran: "After asking customers to read through a summary of their data collection preferences, we quizzed the customers on what data this would be. We found that even when customers read these documents fully, reports varied due to differences in the way we all interpret words and phrases."
So the consent interface has to do the work even for customers who skim. Two questions matter:
- Sharing preferences: how can customers decide who gets to access their data? How simple can we make this for customers?
- Portability: do customers agree to their data being shared onward? How is the data protected (encrypted in transit) while it moves between parties?
Data protection and privacy
Data privacy has been growing in its importance as the public become more sceptical over storage methods, particularly due to infamous data breaches such as Equifax’s credit information breach in 2017, affecting almost 150 million customers.
One of the more robust methods of preventing unauthorised access is SCA: the customer must authenticate with two independent factors (something they know, something they have, something they are) when granting a third party access to their account, and must re-confirm that access every 90 days. SCA has been credited as the reason why 73% of businesses noticed a reduction in fraud after it was implemented.
Building on SCA, open banking facilitators can place access controls over the data they collect. At Bud, for example, this means that even employees cannot see which data belongs to whom, reducing the risk of internal fraud. Strictly, keeping the identifiers encrypted and separated from the data is pseudonymisation rather than anonymisation: the link back to the individual still exists, but only under key and access control.
Bud encrypts data at rest and in transit, and keys it to a customer ID and customer secret. Financial institutions can employ several techniques to protect sensitive customer information while still enabling open data sharing.
Anonymisation is one. Individual fields can also be protected by salted hashing or tokenisation, which replace the real values with values that are useless on their own. Restricting data access to authorised agents, and closely governing the security processes and infrastructure around it, safeguards the data further.
Minimising collection to only the fields a use case needs, and isolating open banking data from core banking systems, limits what an attacker can reach if one layer fails. By implementing these data protection measures in layers, financial services can uphold stringent anti-fraud standards while embracing open banking innovation.
This balanced approach allows customers to reap the benefits of open finance products while mitigating the risks of fraud and data misuse. Thomas says, "When enriching customer data like transactions, we filter all information for personally identifiable information (PII), such as someone's name. The model anonymises information to protect personal data for third parties and even internal employees here at Bud."
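The section above names pseudonymisation, salted hashing, tokenisation, data minimisation and PII filtering as separate layers. The following is an added example (not Bud's code) that puts them side by side so the differences are visible: a plain hash of a low-entropy field such as a sort code is reversible by enumeration, a keyed hash (HMAC) is not but still lets datasets join, a tokenisation vault is reversible only behind a role check, and the description scrubber masks names and account-number-like digit runs. The key, the vault, the role name and all sample data are constructed for the example.

```python
"""Pseudonymising open-banking records before they reach analysts or enrichment
models: unkeyed hashes of low-entropy fields versus keyed hashes, a tokenisation
vault with a role check, and PII scrubbing of transaction descriptions. Added
example, not Bud's code; the key, the vault, the roles and all sample data are
constructed here."""
import hashlib, hmac, re, secrets

# Constructed sample record (not a real account).
RECORD = {"sort_code": "201234", "account": "12345678", "holder": "Jane Doe",
          "description": "TFR FROM JANE DOE 12345678 REF RENT"}
SECRET_KEY = secrets.token_bytes(32)   # assumed: would live in an HSM/KMS in practice

def unkeyed_hash(value):
    return hashlib.sha256(value.encode()).hexdigest()

def keyed_token(value, key=SECRET_KEY):
    """Deterministic pseudonym: same input -> same token, so datasets still join,
    but without the key nobody can test a guess against it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def recover_by_enumeration(digest, candidates):
    """What an attacker does with a plain hash of a small value space."""
    for c in candidates:
        if hmac.compare_digest(unkeyed_hash(c), digest):
            return c
    return None

def sort_codes_in_range(prefix="2012"):
    """Constructed candidate space: the 100 sort codes 2012-00 .. 2012-99."""
    return [f"{prefix}{i:02d}" for i in range(100)]

class TokenVault:
    """Reversible tokenisation: a random token stands in for the value and the
    mapping exists only inside the vault, behind a role check."""
    ALLOWED_ROLES = {"payments-ops"}   # assumed role name

    def __init__(self):
        self._forward, self._reverse = {}, {}

    def tokenize(self, value):
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)
            self._forward[value], self._reverse[token] = token, value
        return self._forward[value]

    def detokenize(self, token, role):
        if role not in self.ALLOWED_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._reverse[token]

def scrub_description(text, names):
    """Mask account-number-like digit runs and any known party names."""
    text = re.sub(r"\b\d{8,}\b", "[ACCT]", text)
    for name in names:
        text = re.sub(re.escape(name), "[NAME]", text, flags=re.IGNORECASE)
    return text

def pseudonymise(record, vault):
    """The view an analyst or enrichment model gets: no raw identifiers, no names."""
    return {"account_ref": keyed_token(record["sort_code"] + record["account"]),
            "account_token": vault.tokenize(record["account"]),
            "description": scrub_description(record["description"], [record["holder"]])}
```

The point of `recover_by_enumeration` is that a UK sort code has only a million possible values, so an unkeyed SHA-256 of it is a lookup table, not protection; the same enumeration against `keyed_token` output finds nothing because the attacker lacks the key. `pseudonymise` is what the "even internal employees" separation looks like in code: the raw account number and name never leave the function except as the keyed reference, the vault token and the scrubbed text.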
Data sharing
Banking APIs are the most prominent feature of the OBIE standards, since they carry data from a financial institution to third parties, and vice versa.
In terms of API security, two standards underpin how a third party is granted access without ever handling the customer's bank credentials:
- OAuth 2.0: an authorisation framework rather than an identity protocol. The customer authorises a third party at the bank, and the bank issues the third party an access token scoped to specific resources (for example, account information only) for a limited time. The third party never sees the customer's password, and the token can be revoked without the customer changing anything.
- OpenID Connect (OIDC): an identity layer on top of OAuth 2.0. When a customer signs in to a new service, they are redirected to the bank to authenticate, and the bank returns a signed ID token stating who authenticated and how. The third party stores no passwords, so a breach of the third party cannot leak them. UK Open Banking profiles both with FAPI (Financial-grade API), which adds mutual TLS or private-key client authentication and signed request objects on top.
Thomas tells us how Bud maintains best-in-class security standards for data sharing on top of the above frameworks: "Each bank publishes a series of endpoints about a customer, like accounts, direct debits, standing orders, parties information (contact details) etc. We can focus on endpoints to only ask the bank to share what needs to be shared, and we're only asking the client what they need for their use case.
It means that if you really need a customer's name as part of your data, we can access the parties information endpoint. But if you don’t need it, we can leave it with the bank.”
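The two bullet points on OAuth 2.0 and OpenID Connect, and Thomas's description of asking the bank only for the endpoints a use case needs, are the same mechanism seen from two sides: the scope the customer consents to at the bank is what limits which endpoints the third party's token can reach. The following is an added example (not Bud's or the OBIE's code) that plays the authorisation-code exchange out in one process with both parties as in-memory objects, including PKCE, single-use codes and the `state` check on the callback, and then shows a token scoped to `accounts` being refused at the `/parties` endpoint. The endpoint names, scope names and registries are assumptions, and the real flow additionally carries the FAPI client authentication and signed requests mentioned above.

```python
"""Toy OAuth 2.0 authorisation-code flow with PKCE between a bank (authorisation
and resource server) and a third-party provider (TPP), followed by scope-limited
calls to the bank's endpoints. Added example, not Bud's or the OBIE's code; the
endpoint names, scopes and in-memory stores are assumptions."""
import base64, hashlib, secrets, time

def s256(verifier):
    """PKCE S256: BASE64URL(SHA256(code_verifier)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

class Bank:
    # Assumed endpoint -> scope map. 'parties' (names, contact details) is a
    # separate scope so a TPP that does not need it never receives it.
    ENDPOINT_SCOPE = {"/accounts": "accounts", "/direct-debits": "accounts", "/parties": "parties"}
    DATA = {"/accounts": [{"id": "acc-1", "balance": 120.5}],
            "/direct-debits": [{"payee": "ACME UTILITIES", "amount": 40.0}],
            "/parties": {"name": "Jane Doe", "email": "jane@example.com"}}  # constructed

    def __init__(self, clients):
        self.clients = clients  # client_id -> registered redirect_uri
        self.codes = {}         # auth code -> (client_id, scope, challenge, expiry)
        self.tokens = {}        # access token -> (client_id, scope, expiry)

    def authorize(self, client_id, redirect_uri, scope, challenge, customer_authenticated):
        """The customer authenticates here (SCA); the TPP never sees their credentials."""
        if not customer_authenticated:
            raise PermissionError("customer did not complete SCA")
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, scope, challenge, time.time() + 60)
        return code

    def token(self, client_id, code, verifier):
        entry = self.codes.pop(code, None)  # single use: a replayed code is gone
        if entry is None:
            raise PermissionError("code unknown or already redeemed")
        cid, scope, challenge, expiry = entry
        if cid != client_id or time.time() > expiry:
            raise PermissionError("code not issued to this client, or expired")
        if not secrets.compare_digest(s256(verifier), challenge):
            raise PermissionError("PKCE verifier does not match challenge")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, scope, time.time() + 300)
        return access_token

    def resource(self, endpoint, access_token):
        entry = self.tokens.get(access_token)
        if entry is None or time.time() > entry[2]:
            raise PermissionError("invalid or expired token")
        needed = self.ENDPOINT_SCOPE[endpoint]
        if needed not in entry[1].split():
            raise PermissionError(f"token lacks scope '{needed}'")
        return self.DATA[endpoint]

class TPP:
    def __init__(self, bank, client_id, redirect_uri):
        self.bank, self.client_id, self.redirect_uri = bank, client_id, redirect_uri
        self.verifier = self.state = self.access_token = None

    def authorization_request(self, scope):
        """Parameters for the redirect to the bank; 'state' ties the callback to this request."""
        self.verifier, self.state = secrets.token_urlsafe(48), secrets.token_urlsafe(16)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "scope": scope,
                "code_challenge": s256(self.verifier), "code_challenge_method": "S256",
                "state": self.state}

    def callback(self, code, state):
        if not secrets.compare_digest(state, self.state):
            raise PermissionError("state mismatch: callback does not belong to our request")
        self.access_token = self.bank.token(self.client_id, code, self.verifier)

    def fetch(self, endpoint):
        return self.bank.resource(endpoint, self.access_token)

def run_flow(scope):
    """Play the exchange end to end; return which endpoints the resulting token reaches."""
    bank = Bank({"tpp-demo": "https://tpp.example/callback"})
    tpp = TPP(bank, "tpp-demo", "https://tpp.example/callback")
    req = tpp.authorization_request(scope)
    code = bank.authorize(req["client_id"], req["redirect_uri"], req["scope"],
                          req["code_challenge"], customer_authenticated=True)
    tpp.callback(code, req["state"])  # the bank redirected the customer back with code + state
    reach = {}
    for endpoint in Bank.ENDPOINT_SCOPE:
        try:
            tpp.fetch(endpoint)
            reach[endpoint] = "allowed"
        except PermissionError:
            reach[endpoint] = "denied"
    return reach, bank, tpp, code

def replay_rejected():
    """Exchanging an already-redeemed code must fail."""
    _, bank, tpp, code = run_flow("accounts")
    try:
        bank.token("tpp-demo", code, tpp.verifier)
        return False
    except PermissionError:
        return True
```

`run_flow("accounts")` reports `/accounts` and `/direct-debits` as allowed and `/parties` as denied; `run_flow("accounts parties")` allows all three. That denial is the bank enforcing the consent the customer gave, which is why asking for the smallest scope is a security control and not just good manners. The PKCE check in `Bank.token` is what stops a code intercepted on the redirect from being exchanged by anyone but the client that started the request.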
Challenges in open banking: fraud
Fraud could be the biggest challenge to any party in the open banking ecosystem. This is primarily due to more customer data being shared than ever before, and the mismatch in operational standards among unregulated companies. Fraudsters have plenty of opportunity to look for weaknesses in open banking integrations and exploit them to siphon off personal information.
Here, three factors are key:
- Fraud detection and prevention strategies
- Incident response planning
- Anti-fraud mechanisms
Fraud detection and prevention
Open banking providers should apply fraud detection measures such as behaviour analysis and anomaly detection: build a model of each customer's normal behaviour (typical amounts, payees, times and devices) and flag departures from it for review or extra authentication.
But many institutions have already been using these methods for years, and while UK institutions prevented approximately £1.6billion in financial fraud attempts in 2020, over £783 million still fell through the cracks.
So the gold standard is to check both the customer and the payee in real time, as an open banking payment is initiated. Beyond behavioural scoring, the platform can validate the payee's details against the bank's records (in the UK, Confirmation of Payee checks that the account name matches the account) and automatically block, or step up authentication on, payments where the details do not match.
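The two paragraphs above describe a behavioural baseline plus a real-time payee check feeding one decision. The following is an added example (not Bud's code) that scores a single payment initiation against a constructed 90-day history: amount as a z-score against the customer's own spending, new-payee and unusual-hour signals, and a name check against a constructed stand-in for the bank-side account registry. The history, the registry, the thresholds and the block / step-up / allow policy are all assumptions chosen for illustration.

```python
"""Per-customer behaviour baseline plus real-time payee checks on an open-banking
payment initiation. Added example, not Bud's code; the history, the payee
registry, the thresholds and the decision policy are all assumptions."""
import re, statistics
from datetime import datetime

# Constructed 90-day history for one customer: (timestamp, amount GBP, payee account)
HISTORY = [
    (datetime(2024, 1, 3, 9, 10), 25.00, "20123412345678"),
    (datetime(2024, 1, 9, 12, 30), 40.00, "40987687654321"),
    (datetime(2024, 1, 15, 18, 5), 32.00, "20123412345678"),
    (datetime(2024, 1, 22, 13, 45), 60.00, "40987687654321"),
    (datetime(2024, 2, 1, 10, 0), 45.00, "20123412345678"),
    (datetime(2024, 2, 12, 17, 20), 38.00, "40987687654321"),
    (datetime(2024, 2, 20, 19, 0), 52.00, "20123412345678"),
    (datetime(2024, 3, 4, 11, 15), 30.00, "40987687654321"),
]
# Constructed stand-in for the bank-side account registry used for name checks
# (in the UK this role is played by Confirmation of Payee).
PAYEE_REGISTRY = {"20123412345678": "J SMITH", "40987687654321": "ACME UTILITIES LTD",
                  "60000099999999": "R JONES"}

def normalise(name):
    """Compare names on letters only: 'J. Smith' and 'J SMITH' are the same payee."""
    return re.sub(r"[^A-Z]", "", name.upper())

def baseline(history):
    amounts = [a for _, a, _ in history]
    hours = [t.hour for t, _, _ in history]
    return {"mean": statistics.mean(amounts),
            "stdev": statistics.pstdev(amounts) or 1.0,   # avoid divide-by-zero
            "payees": {p for _, _, p in history},
            "hours": (min(hours), max(hours))}

def payment(hour, amount, payee, payee_name):
    """Constructed payment initiation on an arbitrary day, at the given hour."""
    return {"time": datetime(2024, 3, 10, hour, 0), "amount": amount,
            "payee": payee, "payee_name": payee_name}

def score_payment(p, history=HISTORY, registry=PAYEE_REGISTRY, z_threshold=3.0):
    """Return (decision, reasons). Assumed policy: a payee-name mismatch blocks outright;
    two or more other anomalies trigger step-up SCA; otherwise allow."""
    b = baseline(history)
    reasons = []
    z = (p["amount"] - b["mean"]) / b["stdev"]
    if z > z_threshold:
        reasons.append(f"amount {z:.1f} sd above usual")
    if p["payee"] not in b["payees"]:
        reasons.append("new payee")
    lo, hi = b["hours"]
    if not lo <= p["time"].hour <= hi:
        reasons.append("outside usual hours")
    registered = registry.get(p["payee"])
    if registered is None:
        reasons.append("payee account cannot be confirmed")
    elif normalise(registered) != normalise(p["payee_name"]):
        return "block", reasons + ["payee name mismatch"]
    if len(reasons) >= 2:
        return "step-up", reasons
    return "allow", reasons
```

On this data a routine £45 payment to a known payee at 2pm is allowed with no reasons; a £2,500 payment at 3am to a new account whose registered name does not match the name the customer typed is blocked; and the same £2,500 payment to a new account whose name does match is sent for step-up authentication rather than blocked, because the anomalies alone are evidence, not proof. The reasons list is kept so the decision can be shown to the customer and to the fraud team.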
Incident response planning
In some cases fraudsters will still slip through if they find a new flaw to exploit. For example, authorised push payment fraud rose sharply in 2020, costing approximately £479 million, as criminals took advantage of the shift to remote banking.
In these cases, robust incident response planning is key. Importantly, financial institutions should follow best practices for data breach management, such as:
- Following notification protocols: under PSD2, a major operational or security incident must be reported to the FCA, with an initial notification within 4 hours of classifying the incident as major; under the UK GDPR, a personal data breach must be reported to the ICO within 72 hours of becoming aware of it
- Containing the breach: do what you can to secure your data, without disrupting normal operations where possible
- Assessing new risks: once an attacker has accessed your data, new risks emerge, such as identity theft or phishing of the affected customers. Evaluate these risks and develop strategies to prevent them
- Communicating with customers: in order to maintain transparency, it’s important to inform customers that their information has been accessed, and give them advice on what to do next, such as changing passwords
Despite the initial fallout, it’s the long term reputational impacts that could cause the most problems, since trust and transparency are likely to be damaged by a breach. In these cases, businesses must prioritise rebuilding their relationships with customers and promoting their own accountability in order to maintain customer confidence.
Anti-fraud mechanisms in open banking companies
In order to maintain good practices, building an organisation’s culture around security is key.
Regulated firms must put all employees through compliance training at least once a year. Training sessions can reduce susceptibility to phishing attacks from 60% to just 10% over a one-year period. Because training refreshes employees' knowledge of current fraud techniques, it also raises the organisation's overall sensitivity to suspicious activity.
Of course, for regular anti-fraud training to occur, a buy-in must come from the top. That means creating a culture to value security across the entire company and holding regular security assessments to identify and strengthen any weaknesses. Industry-wide collaboration between companies can also promote best practices and enable security leaders to close any knowledge gaps.
This team approach to open banking security is much more effective than a reactive attitude.
Emerging solutions for open banking security
The growing advancements in blockchain and AI will bring advanced analytics to the forefront of safeguarding in open banking.
But Thomas believes that AI transaction monitoring will play the biggest part in combating fraudulent access to an individual or business’ financial accounts, “by constantly recording spending actions to establish a normal pattern, it will become much easier for institutions to block a suspicious payment in real-time before it goes through.”
Even as the regulatory landscape continues to evolve, we at Bud are excited to see AI transaction monitoring become mainstream. While it has long been reserved for businesses and merchants, we’re looking forward to the public benefitting from this technology.
As merchants continue to prioritise customer data protection, the power of open banking will only grow. If you’re looking to get involved and reap the rewards of this flourishing landscape, get in touch with our team at Bud today.