As a result of the passage and adoption of open banking regulations, like PSD2 in Europe, banks and other financial firms are sharing data more freely than ever before. The greater availability of data gives financial institutions (FIs) and FinTech firms alike insight into customers’ behaviors, habits and preferences, allowing them to develop more effective tools, products and features.
While these initiatives are spurring more focused financial services innovations, they also come with challenges. This is particularly true for legacy FIs, as they must now allow third parties — once considered competitors — access to customer transaction histories and other information, and give FinTech firms the ability to initiate payments from customer accounts to pay for goods and services. These initiatives could also lead to an increase in security risks, since sharing data among a range of financial service providers creates new opportunities for it to fall into the wrong hands.
In this Deep Dive, PYMNTS examines the authentication challenges posed by PSD2 and other data sharing initiatives, and the security risks that may be lurking in open banking systems.
Adapting To Open Banking
Open banking regulations, like PSD2 and the European Union’s (EU's) General Data Protection Regulation (GDPR), have caused a significant shift in several elements of the security and risk landscape. These pieces of legislation introduced new rules about how companies and entities address issues of accountability, documentation, privacy reviews and design, and also impose high fines for non-compliance.
Banks must now allow consumers access to third-party digital banking tools and products, which could reduce the amount of transactions performed through its own channels, likely having a negative impact on the collection of customer data — many banks use this data to distinguish between legitimate customers and phony transactions. That wouldn’t just impact FIs’ digital fraud-fighting capabilities; FinTech firms often rely on bank security and authentication tools to help validate customer identities, too.
New open banking tools mean new types of financial transactions, which could make fighting digital fraud even more difficult for banks. Since FIs are unfamiliar with these emerging transaction activities, it becomes challenging for them to adjust their cyberattack detection and prevention strategies.
Many digital fraud detection and prevention tools must be refined and trained for a period of 18 months to 2 years before they become familiar with the types of cybercrimes that come with those transactions, and how to stop them. As a result, banks would do well to implement proactive account and transaction monitoring to guard against cyberattacks. They should also block access to unauthorized or fraudulent third-parties, provided they have evidence of an illegitimate transaction.
The resulting transactions brought about by open banking aren’t the only digital fraud concerns for banks. The very tools used to transmit customer data could also pose a cybersecurity risk.
In the wake of new open banking regulations, companies have begun relying more on application program interfaces (APIs), which allow banks and other companies to share customer data. These tools offer transactional and payment capabilities, providing not only a backbone for many current open banking offerings, but a new attack surface for cybercriminals.
Digital fraudsters could target data as it’s being transmitted by APIs. If those attacks are successful, cybercriminals would acquire unauthorized customer data that could possibly be used in an account takeover (ATO) or another form of cyberattack.
The risk of attack can be mitigated by following a sound API architectural approach, one that integrates security requirements and tools into the API itself. By adding more layers of fraud protection and authentication to APIs, banks could potentially integrate features like access control and threat detection directly into data-sharing offerings, allowing them to be proactive, rather than reactive, when it comes to securing APIs.
The Future Of Open Banking
Banks, FinTech firms and other financial services firms would be wise to invest more time, effort and resources into open banking security systems. Consumers have already latched on to open banking offerings and applications, using such tools more than 1.2 million times in June 2018 alone — up from 720,000 uses per month prior. The market is projected to be worth more than £7 billion ($8.98 billion USD) by 2022, creating further opportunities for new or increased revenue streams as consumers continue to adopt tools and products that rely on these capabilities.
As the number of open banking products in the marketplace grows even more, making sure they’re secure will become crucial for both traditional FIs and new financial players. These companies should begin adopting API architectures and proactive monitoring capabilities to protect customers and assets alike.