Banks need to share their approaches to security and risk management to ease customer concerns about open banking.
As the open banking movement spreads globally, the financial services industry is undergoing a sea change in the way business is conducted and data is consumed. How can you rest confidently knowing that your open processes are secure?
What once seemed like little more than a slogan, open banking is now a tangible practice spreading around the world for its benefits in customer experience and efficient banking operations.
But given how much reputation matters in the financial world, questions rightly remain among business leaders and customers about the safety and security of open banking practices.
Open banking – or open banking data – is about allowing third-party financial services organizations to access consumer financial data through application programming interfaces (APIs).
Open banking is essential to your customer experience.
Open banking gives consumers more control and freedom, providing better visibility to manage their finances holistically across multiple institutions. With the rise of online and mobile banking, this shift has enabled more financial organizations to meet their customers’ personal technology expectations and preferences and to integrate with other third-party financial institutions.
Other consumer benefits include:
- Account aggregation: Open banking can provide more accurate financial data. A consumer can view personal and business banking, as well as investment, loan, and credit card accounts in one place. This allows financial advisors to provide a personalized recommendation, simplifying the decision-making process for everyone involved.
- Accelerated access to credit: Open banking puts consumers’ credit history in one easily accessible place. This allows lenders and underwriters to make faster decisions on which products to offer. It also gives consumers better insight into the likelihood of being offered certain products before they apply, speeding up the entire application process.
- Innovation in personal finance management (PFM) and other banking tools: Open banking takes tailored financial services for individuals to the next level. By centralizing data, vendors can build better tools and customize products that create financial insights in a more personalized way. Meanwhile, consumers can make more informed choices based on their unique financial performance and goals.
- Transparent subscription management: Open banking technology can consolidate all subscription activity into a single interface, allowing consumers to view recurring payments and take action to cancel unwanted subscriptions or set alerts for upcoming payments.
How does open banking help financial organizations?
In 2021, Finastra surveyed over 786 global banks for the report, Survey of the Nation’s State of Financial Services. Globally, more than nine out of 10 financial institutions agree that open banking is important to their organization. Only 1% of financial institutions said open banking had not had a significant impact on their organization, compared to 13% last year.
To remain competitive, financial institutions must not ignore the growing popularity of open banking. As more and more institutions strive to adopt this practice, it is essential to understand the potential benefits of open banking. Some benefits we see include:
- Improved digital agility: A bank’s agility is key to long-term success in today’s technology-centric world. Open banking drives the advancement of software and digital processes that allow organizations to change and implement solutions faster. Open banking breaks down walls around communication, giving institutions access to new partners with varied and beneficial skills.
- Increased collaboration between entities: Open banking allows financial services and fintech competitors to coexist and collaborate for the greater good of all parties. It is in everyone’s interest to work together to ensure that risks are minimized and customer data is secure. B2B collaboration also paves the way for deeper innovation between traditional banks and new fintech-based business models.
- Increased customer satisfaction and loyalty: Financial institutions can provide consumers with a complete picture of their financial transaction history, including aggregated information. This helps consumers make better decisions and improve their financial outlook, leading to greater customer loyalty.
- Greater foresight in decision-making: Open banking paves the way for organizations to adopt compelling predictive models that enable better decisions and more effective strategies. The larger the data set, the easier it is to discern patterns through pattern mapping. As the global financial industry experiences this rapid evolution in the use of consumer data, data insights are critical to an organization’s ability to understand the impact of operational and regulatory changes.
What about security risks?
Almost 50% of all banking customers think their assets will be less secure if they try open banking. Consumers may have security concerns such as:
- Does open banking facilitate identity theft?
- Will my data be shared or used for purposes beyond my consent?
- Will I be targeted by unwanted solicitations?
These are all valid questions, and it is important to remember that “open” does not mean that there are no structures or protections in place.
Rather, it means the exchange of digital banking information with the full consent of the consumer. It is up to the individual consumer to authorize any sharing of information between their financial institution and a regulated third party accessed through an API, such as Venmo or Zelle. And if you are a financial institution wishing to introduce these features to your customers, it will be important that you take steps to educate them on your approach to security and risk management.
Some security measures, such as multi-factor authentication and server validation certificates, may be familiar to fintech leaders, but as this technology continues to take off, leaders will want to be aware of other key security standards, especially:
- OpenID login: OAuth 2.0 is a well-known standard in the world of APIs for delegating authorization. OpenID Connect is an additional layer on top of it that provides proof of authentication through an ID token. Issued as a JSON Web Token (JWT), the ID token confirms that the user has authenticated, and OpenID Connect offers many additional features that extend its capabilities.
- Financial Grade API (FAPI): Some experts consider FAPI an important element for the future growth of open banking. It is an OpenID Foundation profile built on OpenID Connect that provides additional security features for financial organizations at the authorization server level, and tightens client behavior by constraining third-party provider (TPP) authorizations. FAPI is organized into four parts: a read-only API security profile, a read-and-write API security profile, JWT Secured Authorization Response Mode for OAuth 2.0 (JARM), and Client Initiated Backchannel Authentication (CIBA). All four specifications provide new ways to request authentication from a user.
- Security checks: Open banking can pose performance and security issues as it typically generates massive volumes of API calls. Although network firewalls remain an important aspect of security, they simply cannot stand alone. This is where additional security controls come into play, such as web application firewalls, bot protection, and SSL/TLS encryption.
Secure CI/CD pipeline
Additionally, the obligation to maintain a security posture falls on all IT departments. Applying DevOps best practices can put an organization in a unique position to defend APIs and secure everything that passes through the software pipeline.
Securing the CI/CD pipeline essentially means fortifying it as a whole by codifying the entire environment. This enables a steady stream of software updates into production, which speeds up release cycles, reduces costs, and reduces the risk associated with development and deployment.
Securing the CI/CD pipeline can help an organization:
- Map threats
- Secure connections
- Strengthen access control
- Separate duties and apply permissions
- Enable diligent monitoring
- Provide grounding to maintain a viable backup plan
Mitigation against credential stuffing and other malicious behavior
In 2020, approximately 17 million records were compromised in credential spill incidents. Organizations remain weak at detecting and discovering intrusions and data exfiltration.
Often, spills are discovered on the dark web before organizations detect or disclose a breach. Technical controls can prevent leaked or stolen credentials from being used for malicious purposes.
Other mitigation options include:
- Require users to complete MFA before granting access
- Redirect users to another application page
- Respond to a suspicious login with a page requesting further action from the user
- Block the user and their ID from accessing the application
- Send an alert to the SecOps team to take further action
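As an added illustration (not part of the article), the following detection logic flags credential stuffing in a constructed login log, using the classic signal of one source address failing against many distinct accounts in a short window, and then maps each later attempt to the responses listed above: block and alert SecOps for the attacking source, and an MFA step-up for targeted accounts. The log format, thresholds and action names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol FAIL
2024-03-01T10:00:03Z 203.0.113.7 dave FAIL
2024-03-01T10:00:03Z 203.0.113.7 erin FAIL
2024-03-01T10:00:04Z 203.0.113.7 frank OK
2024-03-01T10:05:00Z 198.51.100.9 alice FAIL
2024-03-01T10:05:30Z 198.51.100.9 alice OK
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return events

def detect_stuffing(events, window_s=60, min_users=5):
    """Return {ip: targeted users} for sources failing against many accounts in the window."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # sliding window over failures
            users = {u for t, u in fails[i:] if (t - start).total_seconds() <= window_s}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged

def plan_actions(events, flagged):
    """Map attempts to the article's responses: block + alert, or MFA step-up."""
    targeted = set().union(*flagged.values()) if flagged else set()
    actions = []
    for ts, ip, user, result in events:
        if ip in flagged:
            actions.append((ip, user, "block + alert SecOps"))
        elif user in targeted and result == "OK":
            # A targeted account logging in elsewhere may be a successful stuffed credential.
            actions.append((ip, user, "require MFA step-up"))
    return actions
```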
A customer-centric and digital-centric business model has become essential for the financial industry, but especially for open banking. When properly implemented and regulated, open banking gives consumers more control over their financial data, improving experience, security and inclusion. Much is being done from a regulatory perspective to foster uniformity and standardization among institutions using open banking models. For more information, see the Open banking project.