Open banking may soon become table stakes for financial institutions (FIs) — they need to act now and be able to offer it securely or risk getting left behind.
Open banking connections enable third-party apps to provide more convenient, insightful and tailored services thanks to banking customer data. There appears to be strong demand for such services, too, with the global open banking market projected to increase in value at a compound annual growth rate (CAGR) of 24.4 percent between 2019 and 2026, hitting $43.2 billion.
Interest in such capabilities is growing during the COVID-19 pandemic, with consumers and business owners relying more heavily on remote services amid stay-at-home mandates. Many customers want access to convenient, digital financial solutions from FinTechs that are using open banking integrations to provide robust services. A European FinTech reported recently that customers used its apps 72 percent more in just one week. FIs that do not allow these FinTechs to work with them thus risk dissatisfied customers and may even find that some switch to competitors.
Other FIs are offering open banking out of necessity, with governments and regional lawmakers requiring its adoption and that consenting customers’ financial data is made available to third-party payment service providers. The EU’s revised Payments Services Directive (PSD2) requires FIs to securely offer up data about their customers to third parties, and Australia plans to enact similar laws this summer.
FIs therefore cannot afford to drag their feet on implementing open banking, but many may be concerned that third-party access to customer data will exacerbate security challenges. FIs may need to provide data to FinTech startups without dedicated cybersecurity teams, for example, which could then be more easily compromised by hackers who will steal sensitive bank customer data.
This month’s Deep Dive digs into such issues to examine how open banking forces FIs to confront new security concerns and how they can keep ahead of bad actors.
FIs that participate in open banking need to put safeguards in place so vulnerabilities in one third-party provider’s defenses do not put customers at serious risk. FIs must use highly secure methods to authenticate customers’ identities and make it difficult for cybercriminals that manage to steal customer information to pass themselves off as legitimate customers.
PSD2 was designed with such risks in mind, and its Strong Customer Authentication (SCA) provision — which takes effect in participating countries throughout 2020 and 2021 — compels companies to verify users’ identities with multi-factor authentication (MFA) whenever they attempt to access user accounts or digitally send payments.
MFA requires customers to prove their identities by providing at least two types of credentials. These can include entering something known, like a password; presenting something a user is, like biometric information; or presenting something a user has, like a mobile phone. Users could also enter one-time passwords (OTPs) texted to their mobile devices to fulfill proof of possession requirements.
FIs that combine multiple identity verification methods put up more obstacles for cybercriminals, who must then steal victims’ login details as well as their smartphones or find ways to intercept OTPs. The technology industry has already recognized MFA’s value, with Alex Weinert, group program manager for identity security and protection at Microsoft, stating in August 2019 that the company’s studies suggest accounts verified via MFA are 99.9 percent “less likely to be compromised.”
Robust authentication measures make it harder for criminals to gain access to accounts using stolen details, but FIs should also take measures to reduce the likelihood that bad actors ever gather individuals’ information in the first place.
MFA implementation is a good starting point for security, but FIs need to build upon it by employing additional methods. Educating account holders about threats can be especially effective in foiling phishing attacks, for example. Cybercriminals attempting phishing try to trick consumers and employees into clicking on links that download malware and enable fraudsters to seize control of legitimate accounts. Other schemes involve bad actors impersonating companies or individuals to fool users into handing over login details.
Malicious actors have been ramping up phishing attempts during the pandemic as consumers and businesses quickly transition to digital operations. Google reported that the number of phishing attacks involving fake websites rose 350 percent between January and March. Users may be more easily tricked at this time because they are adopting digital services they have not used before, which means they do not have experiences they can use as comparisons and are less likely to spot red flags.
Business owners accustomed to paper-based accounts payable (AP) processes might adopt apps that give them overviews of their bank accounts and payments statuses to try to digitize their departments while staff are working from home. Fraudsters are eager to exploit such unfamiliarity and can launch phishing schemes while pretending to be app providers. They ask users for their bank login information on the pretense of enabling the “apps” to offer open banking-enabled financial services and then use these details to enter users’ FI accounts and drain funds.
Banks and credit unions (CUs) can get ahead of these attacks by warning customers about such trickery and reminding them that no legitimate third-party provider would need bank login details. Best efforts to thwart phishing include communicating clearly and frequently with customers about new scams as they are discovered.
The financial sector is moving toward open banking as customers’ needs for convenient, robust digital services grow. FIs cannot remain competitive by sitting out on this movement, but they will also lose customers that they cannot keep safe. Adopting MFA and helping customers detect phishing scams can go a long way in enabling FIs to offer convenient open banking without adding greater risks.