Lifting the Veil on Open Banking

PinIt

Banks must share their approaches to security and risk management to allay customer concerns about open banking.

As the open banking movement catches on globally, the financial services industry is undergoing a radical shift in how business is transacted and data is consumed. How do you rest confidently knowing your open processes are secure?

What once seemed like a conceptualized slogan, open banking is now a tangible practice making its way around the world for its advantages to the customer experience and efficient bank operations.

But with reputation critical in the financial world, questions rightly linger over the safety and security of open-banking best practices among business leaders and customers.

Open banking – or open-bank data – is the practice of allowing third-party financial services organizations access to consumer financial data by way of application programming interfaces (APIs).

See also: 4 Challenges for Open Banking Integration

Open banking is vital to your customer experience.

Open banking gives consumers more control and freedom, providing better visibility for managing their finances holistically across multiple institutions. With the rise of online and mobile banking, this shift has enabled more financial organizations to meet their customers’ personal technology expectations and preferences and enable consent to integration with other third-party financial institutions. Open banking gives consumers more control and freedom, providing better visibility for managing their finances.

Other benefits to consumers include:

  • Account aggregation: Open banking can lend more accurate financial data. A consumer can view personal and business banking, as well as investment, loan, and credit card accounts in one place. This allows financial advisors to provide a personalized recommendation, simplifying the decision-making process for all involved.
  • Accelerated credit access: Open banking puts consumers’ credit history in one, easily accessible place. This allows lenders and underwriters to make quicker decisions on which products to offer. It also gives consumers better insight into the likelihood of being offered certain products in advance of applying, thereby accelerating the entire application process.
  • Innovation in personal finance management (PFM) and other banking tools: Open banking takes bespoke financial services for individuals to the next level. By centralizing data, providers can create better tools and tailor products that create financial insights in more personalized ways. Meanwhile, consumers can make more educated choices based on their financial performance and unique goals.
  • Transparent subscription management: Open banking technology can put all subscription activity onto a single interface, allowing consumers to view recurring payments and take action to cancel undesired subscriptions or set alerts for upcoming payments.

See also: Open Banking: Has Technology Outpaced Regulations?

How does open banking help financial organizations?

 In 2021, Finastra studied more than 786 global banks for the report, Financial Services State of the Nation Survey. Globally, more than nine in 10 financial institutions agree that open banking is important to their organization. Only 1% of financial institutions said that open banking has not provided any significant impact to their organization, down from 13% last year.

To remain competitive, financial institutions must not turn a blind eye to the growing popularity of open banking. As more institutions work to adopt the practice, understanding the potential benefits of open banking is essential. Some benefits we see include:

  • Improved digital agility: A bank’s agility is key to long-term success in today’s tech-centric world. Open banking promotes software advancement and digital processes that enable organizations to change and implement solutions more swiftly. Open banking eliminates walls around communication resulting in institutions gaining access to new partners with varied, beneficial skill sets.
  • Increased collaboration between entities: Open banking allows financial services and fintech competitors to coexist and collaborate for the greater good of all parties. It is in everyone’s best interest to work together to ensure risks are minimized and customer data is secured. Cross-company collaboration also makes space for deeper innovation between traditional banks and newer fintech-based business models.
  • Increased customer satisfaction and retention: Financial institutions can provide consumers with a complete picture of their financial transaction history, including aggregated insights. This helps consumers make better decisions and improve their financial outlook, thus leading to greater customer retention.
  • Greater foresight in decision-making: Open banking is paving the way for organizations to adopt compelling predictive models that enable better decisions and more effective strategies. The larger the data set, the easier it is to discern patterns through pattern mapping. As the global financial industry undergoes this rapid shift in consumer data usage, data insights are vital to an organization’s ability to understand the impact of operational and regulatory changes.
Download Now: Building Real-time Location Applications on Massive Datasets

What about security risks?

Nearly 50% of all banking customers think their assets will be less safe if they try open banking. Consumers might have security concerns like:

  • Does open banking make identity theft easier?
  • Will my data be shared or used for purposes beyond my consent?
  • Will I be targeted with unwanted solicitations?

These are all valid questions, and it is important to remember “open” doesn’t mean there aren’t structures or protections in place.

Rather, it signifies the exchange of digital banking information with the consumer’s full consent. It is up to the individual consumer to authorize any information sharing between their financial institution and a regulated third-party API, such as Venmo or Zelle. And if you’re a financial institution wanting to introduce these capabilities to customers, it will be important you take steps to educate them on your approach to security and risk management.

Some security measures like multifactor authentication server-validation certificates may be familiar to financial technology leaders, but as this technology continues to take off, leaders will want to be aware of other key security standards, including:

  • OpenID Connect: OAuth 2.0 is a standard well known in the land of APIs for its ability to grant security powers. OpenID Connect is another layer, sitting on top to provide further proof of authentication with an ID token. In the form of a JSON Web Token (JWT), OpenID Connectconfirms the user has authenticated and offers many additional features to extend capabilities.
  • Financial-grade API (FAPI): Some experts view FAPI as an important building block for the future growth of open banking. It is an OpenID Foundation profile that sits on OpenID Connect, providing extra security for financial organizations and additional security features at the authorization server, as well as tightening behaviors by segmenting TPP permissions. FAPI is organized into four drafts: A Read-Only API Security Profile, a Read and Write API Security Profile, JWT Secured Authorization Response Mode for OAuth 2.0 (JARM), and Client-Initiated Backchannel Authentication (CIBA). All four drafts provide a new means of requesting the authentication of a user.
  • Security controls: Open banking can raise performance and security challenges because it typically generates massive volumes of API calls. While network firewalls remain an important aspect of security, they simply cannot stand alone. That’s where additional security controls come into play, such as web application firewalls, bot protection, and SSL/TLS encryption.

Security-infused CI/CD pipeline

Furthermore, the obligation to maintain security posture falls on all IT departments. Applying DevOps best practices can put an organization in a unique position to defend APIs and secure everything that flows through the software pipeline.

Securing the CI/CD pipeline essentially means fortifying it as a whole by coding the entire environment. This allows for a constant flow of software updates into production, which speeds release cycles, lowers costs, and reduces risks associated with development and deployment.

Securing the CI/CD pipeline can help an organization:

  • Map threats
  • Secure connections
  • Tighten access control
  • Separate duties and enforce permissions
  • Allow diligent monitoring
  • Provide grounding to maintain a viable backup plan

Mitigating against credential stuffing and other malicious behavior

In 2020, approximately 17 million records were compromised during credential spill incidents. Organizations remain weak at detecting and discovering intrusions and data exfiltration.

Often, spills are discovered on the dark web before organizations detect or disclose a breach. Relying on technology can prevent leaked or stolen credentials from being used for malice.

Other mitigation options include:

  • Requiring users to use MFA before granting access
  • Redirecting users to another application page
  • Responding to the suspicious login with a page requesting further action by the user
  • Blocking the user and their login from accessing the application
  • Sending an alert to the SecOps team to take additional action

A digital-first, customer-focused business model has become critical to the financial industry, but in open banking especially. When properly implemented and regulated, open banking gives consumers more control of their financial data – thereby improving the experience, security, and inclusion. Much is being done from a regulatory perspective to foster uniformity and standardization between institutions using open banking models. For more information, check out the Open Bank Project.

Matt Berry

About Matt Berry

Matt Berry, Security Area Director - Global Accounts at WWT, is a 20-year veteran in cybersecurity and technology, having developed architectures and strategies through roles in consulting, sales, and professional services. Berry is responsible for helping create, execute, and own the security go-to-market business plan and strategy for the Global Financial Services (GFS) business by leveraging WWT’s $1.4 billion security practice. His team ensures the Global Accounts sales and engineering teams know and understand the primary security OEM Landscape, The Digital Platform, Consulting Services, ATC Lab Services, Application Services, Supply Chain and Integration Services, Infrastructure Services, Customer Success, and Strategic Resourcing.

Leave a Reply

Your email address will not be published.