If you’re not yet familiar with the concept of open banking, you’re not alone. U.K. consumer advice firm Which? reported that 92 percent of the public is unaware of the initiative, which officially launched on Jan. 13, 2018, to promote the use of application programming interfaces (APIs) to enable developers to build applications to augment banking services.

Open banking is the main driver behind the EU’s Revised Payment Service Directive (PSD2), which requires the largest financial institutions in the U.K. to release their data in a standardized format so that authorized third parties can share it more easily. Despite the lack of public awareness, this initiative has the potential to bring many benefits to the banking industry, including more valuable data insights and improved customer experience. However, it also introduces additional challenges from a cybersecurity, antifraud and data protection perspective.

A Brief History of Open Banking

In October 2015, the European Parliament revised its original Payment Services Directive (PSD1) to get the open banking ball rolling. A year later, the U.K. Competition and Markets Authority (CMA) identified competition concerns in the retail business and consumer current account markets. The agency subsequently issued a ruling that is consistent with PSD2, requiring the nine largest banks in the U.K. to grant licensed providers access to certain types of data. The open banking initiative is designed to comply with PSD2, providing the legal framework for the CMA requirements.

In short, PSD2 aims to increase regulation between banks and approved third-party payment providers (TPPs) regarding data they hold, access and share. It grants these entities access to payment accounts that hold information related to credit cards, mortgages, loans, savings and more via APIs. Another goal of open banking is to increase choice, control and protection over how consumers manage financial transactions and help promote the ongoing development and innovation of digital payments.

TPPs are categorized as Payment Initiation Services Providers (PISPs) and Account Information Services Providers (AISPs). Banks may already fall into one or both categories, but the initiative opens the market to retailers, insurers, price comparison websites, utility providers, financial technology companies and more.

Key Concerns Related to Open Banking

PSD2 has the potential to be a catalyst for disruption in the banking and financial services industry, but there is widespread confusion about its purpose and benefit to customers. Let’s take a look at some of the key concerns related to open banking.

1. Ethics

Customers will begin to rely significantly on TPPs to ethically manage their financial transaction data. Some experts are concerned that third-party access to accounts and data will create opportunities for TPPs to intrusively profile customers. This profiling may increase predatory lending, where TPPs target vulnerable borrowers with invasive advertising to sell products and services. Access to financial data puts significant power in the hands of lenders.

2. Cybercrime

Providing access to multiple core banking platforms will significantly increase attack vectors for cybercriminals, meaning that banks will need to reassess and re-engineer their security controls and processes. Applying these controls on legacy IT systems may be extremely complex and costly. Conversely, some of the smaller new entrants may not be equipped with the expertise required to manage fraud, human error, identity theft and the loss of customer data.

3. Social Engineering

Cyberattacks will not be limited to exploiting technical vulnerabilities. Open banking may trigger an increase in social engineering attacks against customers who may be inexperienced with new technology platforms. Risks include phishing, malware, fraudulent apps, and physical theft or loss of endpoint devices that could provide access to third parties.

4. Compliance

As we have seen in recent years, not even highly regulated banks and financial services organizations are impervious to cyberattacks, and the aggregated customer data held and managed by TPPs via open APIs could be an easy target. There is an increased risk of information asymmetry, which could result in significant fines under various privacy regulations. Reputational risk is at stake if data is lost or tampered with in the chain of TPPs.

5. Privacy

The issues of consent, data privacy and permission need to be carefully reassessed. Consumers must fully understand what they are agreeing to, and where, when, how and with whom their data is being shared. According to McKinsey, “There is a fine line to walk: educating and empowering consumers without confusing, scaring or boring them.”

Potential Benefits of PSD2

Open banking also holds potential to bring numerous benefits to financial institutions and their customers. Below are some of the most significant.

1. Financial Control

Open banking and PSD2 will transform the banking sector much like the insurance industry changed after the emergence of price comparison websites. Customers will have greater visibility into and control of their finances to make efficient and meaningful decisions.

2. Security

PSD2 drives both PISPs and AISPs to embed security and privacy directly into the APIs they are designing and implementing. However, they must balance security and the user experience. Open banking also provides an opportunity for banks to reassess their business model and security posture.

3. Increased Competition

Open banking will generate increased competition between established providers and innovative new entrants aiming to make existing products more flexible, bespoke and convenient. These entities include the likes of Amazon, Apple, Google and Facebook, who have agility in their investment capabilities as well as an advanced technological architecture to utilize customer data insights at scale.

4. Fraud Reduction

Despite concerns about increased fraud, PSD2 enhances existing consumer protection rules through increased security requirements. This includes the mandatory use of strong customer authentication, such as two-factor authentication (2FA) with biometrics. The data gathered will be enriched to reduce the number of false positives, thus ensuring that the customer experience is not adversely impacted.

5. Innovation

Open banking will also help accelerate the use of blockchain and cryptocurrencies in mainstream financial services. As cryptocurrencies such as bitcoin and Ethereum progressively become acceptable forms of payment, providers can take the opportunity to embed cryptocurrency payment mechanisms in their open banking platforms.

Open Banking Gains Momentum

As we march into 2018, the open banking initiative will gain momentum as banks and financial services organizations in the U.K. change their security, antifraud, and privacy policies and controls to comply with PSD2. These policies must include strong governance as well as robust processes and technical controls to protect the privacy and security of customer data.

Like any initiative that introduces sweeping changes to an industry as vital as financial services, PSD2 will come with its fair share of growing pains. However, organizations that embrace open banking and tailor their security strategies accordingly will unlock the benefits of shared data for their business and their customers.
