Cybersecurity threats are everywhere… and keeping up with them is hard. Malware attacks, data breaches, and fraud continue to pose financial and reputational risks for established and scaling organisations. And, now more than ever, security leads the conversation when it comes to launching a new product, complying with legislation, or selecting a partner to work with.
So, what role does open banking play in solving these challenges?
Open banking began as a response to evolving security threats
Modern open banking can be traced back to changes in security threats in financial services.
When online banking arrived in the early 2000s, customer bank data existed on the internet for the first time. This opened new opportunities to digitise other kinds of financial services. But, the main problem (which still exists today) is how to access this highly sensitive data.
Enter ‘screen scraping’ - an inelegant way to solve, or rather work around, this problem. Screen scraping involves a third party programmatically ‘scraping’ raw data from the screen of a website. Typically, this is useful for aggregating and normalising data across a number of different sites, for instance for product or price comparison.
When this data is in the public domain, screen scraping makes sense. But our personal, highly sensitive data? Absolutely not, and here’s why…
1. Online banking is protected by at least a username and password
For a third party to gain access, we would have to share this security information, and we’re definitely not doing that since it’s fraught with risks for everyone.
For the account provider, it’s difficult to reliably tell who is accessing the account, because the third party’s access looks identical to the customer’s own. For the user, they have to judge the legitimacy of the third party themselves - one wrong move could mean handing over your login details to a bad actor.
And when more and more companies have access to user credentials, it gets easier for attackers to access sensitive information (even if everyone has good intentions).
2. The consumer has no control over what is accessed
With scraping, consumers can only provide the means to authenticate, rather than give consent to access a specific data set, like transactions associated with a particular account. This means neither the customer nor the third party can protect sensitive information, creating compliance risks.
One of the first and foremost intentions of regulated open banking was to outlaw this model.
Open banking specifications are (naturally) consent-based. Consumers explicitly consent to third-party providers (TPPs) accessing specific aspects of account information that are relevant to the use case. And if the user chooses not to share, or revokes their consent at any time, the TPP no longer has any practical means to access their data.
Compared to legacy access methods, like scraping, this gives consumers a high level of trust in who they’re sharing their data with, why it’s being accessed, and how it’s being accessed.
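The difference between the two models is easiest to see in code. The following is an added illustration, not code from any bank, TPP or open banking specification: `credential_access` stands for the scraping model (one shared password unlocks everything), while `ConsentStore` stands for the consent model, where an opaque token represents one consent and every request is checked against that consent’s holder, accounts, permissions, expiry and revocation status. The account data, credentials, TPP identifiers and token format are constructed for the example; the permission names follow UK Open Banking naming purely for familiarity.

```python
"""Consent-scoped access versus credential sharing (added illustration).

Not code from any bank or open banking standard. Account data, credentials,
TPP ids and token format are constructed; permission names follow UK Open
Banking naming purely for familiarity.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Constructed account data held by the account provider.
ACCOUNTS = {
    "acc-current": {
        "ReadBalances": {"amount": "1250.00", "currency": "GBP"},
        "ReadTransactionsDetail": [{"ref": "Coffee", "amount": "-3.20"}],
    },
    "acc-savings": {
        "ReadBalances": {"amount": "9800.00", "currency": "GBP"},
        "ReadTransactionsDetail": [{"ref": "Interest", "amount": "12.10"}],
    },
}

DEMO_CREDENTIALS = ("alice", "correct-horse")  # constructed demo login


def credential_access(username: str, password: str):
    """The scraping model: whoever holds the password gets every account and
    every data type, and the bank cannot tell the third party from the customer."""
    if (username, password) != DEMO_CREDENTIALS:
        return None
    return ACCOUNTS


@dataclass(frozen=True)
class Consent:
    consent_id: str
    tpp_id: str                 # the party the consent was granted to
    account_ids: frozenset      # which accounts may be read
    permissions: frozenset      # which data types may be read
    expires_at: datetime


class ConsentStore:
    """The open banking model: an opaque token stands for one consent, and every
    request is checked against that consent's scope, holder, expiry and status."""

    def __init__(self):
        self._consents: dict[str, Consent] = {}
        self._tokens: dict[str, str] = {}     # token -> consent_id
        self._revoked: set[str] = set()

    def grant(self, tpp_id, account_ids, permissions, now, ttl=timedelta(days=90)):
        consent = Consent(secrets.token_hex(8), tpp_id, frozenset(account_ids),
                          frozenset(permissions), now + ttl)
        self._consents[consent.consent_id] = consent
        token = secrets.token_urlsafe(32)     # never the customer's password
        self._tokens[token] = consent.consent_id
        return consent.consent_id, token

    def revoke(self, consent_id):
        """Customer withdraws consent; the token stops working immediately."""
        self._revoked.add(consent_id)

    def access(self, token, tpp_id, account_id, permission, now):
        """Return (allowed, reason, data). Every condition must hold."""
        consent_id = self._tokens.get(token)
        if consent_id is None:
            return False, "unknown_token", None
        consent = self._consents[consent_id]
        if consent.tpp_id != tpp_id:
            return False, "token_not_issued_to_caller", None
        if consent_id in self._revoked:
            return False, "consent_revoked", None
        if now >= consent.expires_at:
            return False, "consent_expired", None
        if account_id not in consent.account_ids:
            return False, "account_not_consented", None
        if permission not in consent.permissions:
            return False, "permission_not_consented", None
        return True, "ok", ACCOUNTS[account_id][permission]


if __name__ == "__main__":
    store = ConsentStore()
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    consent_id, token = store.grant("tpp-budget-app", ["acc-current"], ["ReadBalances"], now)
    print(store.access(token, "tpp-budget-app", "acc-current", "ReadBalances", now))
    print(store.access(token, "tpp-budget-app", "acc-savings", "ReadBalances", now))
    store.revoke(consent_id)
    print(store.access(token, "tpp-budget-app", "acc-current", "ReadBalances", now))
```

Note that the token is bound to the TPP it was issued to, so the account provider can always say who is calling, and a revocation takes effect on the next request rather than waiting for a password change.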
Open banking makes third-party access secure for banks, customers and fintech innovators
The benefits of modern open banking frameworks go beyond preventing screen scraping. For open banking to be effective, APIs are the key driver. But APIs alone aren’t enough. The best open banking specifications not only mandate the adoption of APIs but ensure that all third parties can be verified by trusted digital certificates.
This is most evident in countries like the UK and Australia, where there are rigorous compliance checks on third parties wishing to obtain access to bank APIs. Likewise in the EU, there is separate legislation underpinning how third parties can obtain trusted certificates and who can issue certificates.
Once any Third Party Provider (TPP) has access to the ecosystem, they have to ensure that they can integrate with Account Providers, typically banks. Communications between TPP and Account Providers are secured by the highest standards of API security design.
The best and most secure examples of open banking at scale are where API specifications have been designed by common consensus, with broad inputs from industry experts, community-led projects and ecosystem participants.
The UK is an excellent example. The specification follows the Financial-grade API (FAPI) standards, maintained by the OpenID Foundation, to securely exchange information between companies by using encryption and tokens.
In Europe, the Berlin Group has also adopted internationally-recognised standards of API security design such as OAuth2. This framework allows companies to customise how they use it, though it’s less strictly defined than other systems and gives account providers a little more opportunity to go off-piste with their implementation.
But even well-designed APIs can be susceptible to security threats. So, to further protect consumers, banks and TPPs, automated conformance testing tools are provided by the standardisation bodies to guarantee a high level of delivery quality.
In fact, the Financial Conduct Authority (FCA) has tried to include these security testing standards in its own approval processes. This requires conformance test results to be submitted as evidence of compliance and provides reassurance for risk-averse banks that they are following best practices.
How can open banking reduce data breaches and fraud?
In the first half of 2022 alone, a staggering £360.8 million was lost to unauthorised card fraud. While Strong Customer Authentication (SCA) has made it slightly harder for criminals to commit card payment fraud, it only takes one data breach for a fraudster to steal a consumer’s card details and make fraudulent transactions.
Just like screen scraping, card payments require sensitive data to be shared with third parties (think CVV codes). And irrespective of additional compliance measures in play, this leads to unavoidable risks. But just as open banking allows a customer to share data without handing over their credentials, a TPP can also initiate payments directly from the customer’s account without the customer sharing sensitive payment information.
Recent years have also seen a rise in ‘authorised push payment’ scams. This is where fraudsters use social engineering to convince account holders to transfer money to their own accounts. A typical scenario would be receiving a phone call from a ‘representative of your bank’ saying that your account has been compromised and you urgently need to transfer all funds to a ‘safe’ or ‘holding’ account… when it’s actually controlled by the scammer.
Initiatives such as Confirmation of Payee might have helped payers understand who they are sending money to when they authorise a push payment. But open banking can also help prevent malicious or accidental misdirected payments since it prepopulates payee details. That means there’s no opportunity for a customer to make a wrong choice about where to send a payment.
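The two payment paths above can be contrasted in code. The following is an added illustration, not code from any bank, TPP or standard: `manual_transfer` is the push-payment path, where the customer types the payee details and only a Confirmation of Payee style name check stands between them and a misdirected payment; `PaymentInitiationService` is the open banking path, where the TPP fixes the payee and amount when it creates the consent, the customer only approves or declines, and execution pays the consented payee exactly once. The payees, the bank’s name directory and the consent format are constructed, and `confirm_payee` is a deliberately simplified stand-in for the real Confirmation of Payee service.

```python
"""Payment initiation with payee details fixed in the consent (added illustration).

Not code from any bank, TPP or standard. Payees, the name directory and the
consent format are constructed; confirm_payee is a simplified stand-in for
Confirmation of Payee.
"""
import dataclasses
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Payee:
    sort_code: str
    account_number: str
    name: str


# Constructed: the account name the receiving bank holds for each account.
NAME_DIRECTORY = {("20-00-00", "12345678"): "Acme Energy Ltd"}


def _normalise(name: str) -> str:
    return " ".join(name.lower().split())


def confirm_payee(payee: Payee) -> str:
    """Simplified Confirmation of Payee: does the name the payer has match the
    name held on the account? Returns 'match', 'name_mismatch' or 'no_account'."""
    held = NAME_DIRECTORY.get((payee.sort_code, payee.account_number))
    if held is None:
        return "no_account"
    return "match" if _normalise(held) == _normalise(payee.name) else "name_mismatch"


def manual_transfer(payee: Payee, amount: str):
    """Push-payment path: the customer typed these details, so a mistyped digit or
    a 'safe account' suggested over the phone is only caught by the name check,
    and then only if the customer heeds the warning it produces."""
    return confirm_payee(payee), payee, amount


@dataclass(frozen=True)
class PaymentConsent:
    consent_id: str
    tpp_id: str
    payee: Payee
    amount: str
    currency: str
    authorised: bool = False
    executed: bool = False


class PaymentInitiationService:
    """Open banking path: the TPP sets payee and amount when creating the consent,
    the customer approves or declines, and execution pays that payee once."""

    def __init__(self):
        self._consents: dict[str, PaymentConsent] = {}

    def create_consent(self, tpp_id, payee, amount, currency):
        cid = "pmt-" + secrets.token_hex(4)
        self._consents[cid] = PaymentConsent(cid, tpp_id, payee, amount, currency)
        # The bank can run the name check before it ever shows the customer the request.
        return cid, confirm_payee(payee)

    def authorise(self, consent_id):
        """Customer approves at the bank (strong customer authentication not modelled)."""
        c = self._consents[consent_id]
        self._consents[consent_id] = dataclasses.replace(c, authorised=True)

    def execute(self, tpp_id, consent_id):
        """Return (ok, status, payee_paid). No payee or amount is taken from the
        request: both come from the consent the customer saw and approved."""
        c = self._consents.get(consent_id)
        if c is None:
            return False, "unknown_consent", None
        if c.tpp_id != tpp_id:
            return False, "wrong_tpp", None
        if not c.authorised:
            return False, "not_authorised", None
        if c.executed:
            return False, "already_executed", None
        self._consents[consent_id] = dataclasses.replace(c, executed=True)
        return True, "executed", c.payee


if __name__ == "__main__":
    svc = PaymentInitiationService()
    bill = Payee("20-00-00", "12345678", "Acme Energy Ltd")
    cid, name_check = svc.create_consent("tpp-energy", bill, "45.00", "GBP")
    print(name_check, svc.execute("tpp-energy", cid))
    svc.authorise(cid)
    print(svc.execute("tpp-energy", cid))
    print(manual_transfer(Payee("20-00-00", "12345678", "Safe Holding Account"), "500.00"))
```

The `execute` method deliberately takes no payee or amount at all, which is the point the article makes about prepopulated payee details: there is nothing for the customer to mistype and nothing for a caller to substitute after approval.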
What might new threats look like in the world of open data?
Security and fraud prevention is an endless game.
In a 2022 speech to the Financial Crime Summit, FCA executive director Sarah Pritchard described financial crime as a virus which mutates to evade destruction and will adapt to exploit new weaknesses in the financial system.
Open banking-style standards for third-party access existed in the social media space as far back as 2007. If you’ve ever used Facebook, you’re probably familiar with letting third-party apps access your account, for example to play free games.
But in 2016, an academic named Aleksandr Kogan created an app called ‘this is your digital life’. It was a seemingly mundane personality quiz, giving users an “OCEAN” score based on 5 personality traits. Over 300,000 people downloaded the app and inadvertently gave it access to their friends’ data.
Kogan leaked this data to political data firm Cambridge Analytica, which was able to create highly accurate profiles of over 50 million Facebook users, and the episode is widely considered to have influenced the 2016 US election.
Of course, this is less likely to happen in a highly-regulated industry like financial services, but it serves as a caution to be careful about who you share data with. And it highlights that using regulated providers with good API design and delivery makes data sharing much safer.