Open Banking, Security, APIs & Mobile Apps

Directors Report: This article is exclusive to premium subscribers.


Open banking was born in the EU, has grown in the UK, and is now spreading around the globe, including the US. Open banking differs from traditional banking by emphasising data sharing, competition, and customer empowerment within the financial services industry. This is essentially Fintech, a sector which is highly targeted by criminal actors.

Open banking aims to improve transparency, enhance customer experiences, and drive the development of more personalised financial products and services.

Background

Currently, in traditional banking, financial data is kept within individual banks, and customers have limited options for sharing their data with third parties, as data access is often restricted to the bank's closed ecosystem of service providers. This closed model limits the options available to customers and stifles competition and innovation.

Open banking is built on the secure systems already used by familiar high street banks and new fintech firms and is a technology-based framework for banking systems that facilitates secure data sharing between financial institutions and authorised third-party providers through secure Application Programming Interfaces (APIs). It promotes competition, innovation, and greater customer control over financial data, allowing consumers to access a wider range of financial services and applications while maintaining strong security measures. 

Open banking is a banking practice that allows third-party financial service providers to access consumer banking and financial data via application programming interfaces (APIs). In practice, this means that banks can show their customers the best financial products and services for each specific individual, for example offering a savings account with a higher interest rate or a credit card with a lower interest rate.

  • Lenders can get a more accurate picture of a person's financial situation and their risk level, which will help lenders offer more suitable loan terms.
  • Customers, in turn, can better understand their own financial situation and control their finances better.

The emergence of open banking has brought digital transformation to the financial industry nation-wide by giving users the possibility to manage their finances more efficiently. Open banking technology has allowed the creation of innovative applications and services, enabling users to get a more tailored banking experience.

Understanding open banking is important, as cyber security threats are currently everywhere and understanding them is often quite difficult. 

Malware attacks, data breaches, and fraud continue to pose financial and reputational risks for established and scaling organisations. And, now more than ever, security leads the conversation when it comes to launching a new product, complying with legislation, or selecting a partner to work with.

Modern open banking can be traced back to changes in security threats in financial services. When online banking arrived in the early 2000s, customer bank data existed on the Internet for the first time. This opened new opportunities to digitise other kinds of financial services.

But the main problem is how to make access to this highly sensitive data secure.

The UK first introduced an Open Banking Standard in 2016 to make the banking sector work harder for the benefit of consumers. The implementation of the standard was guided by recommendations from the Open Banking Working Group, made up of banks and industry groups and co-chaired by the Open Data Institute and Barclays Bank. It had a focus on how data could be used to “help people to transact, save, borrow, lend and invest their money”.

Today, countries around the world are at various stages of maturity in implementing Open Banking. The UK leads as the only country to have legislated and built a development framework to support the regulations, enabling it to be advanced in bringing new products and services to market as a result. However, a number of other countries are progressing rapidly towards their own development of Open Banking.

In a second group are the EU, Australia and Mexico, each of which has taken significant steps in legislation and implementation. Canada, Hong Kong, India, Japan, New Zealand, Singapore, and the US are all making progress in preparing their respective markets for Open Banking initiatives.

One danger in any international shift in thinking, such as Open Banking, is that technology overtakes the original intention.

The ‘core technology’ here is open APIs and they feature in all the international programmes, even when an explicit ‘Open Banking’ label is not applied. In this model, the primary responsibility for security risks will lie with payment service providers. One consequence of this approach is that vulnerability to data security breaches may increase in line with the number of partners interacting via the APIs. 

The EU General Data Protection Regulation (GDPR) requires protecting customer data privacy as well as capturing and evidencing customer consent, with potentially steep penalties for breaches. Payment service providers must therefore ensure that comprehensive security measures are in place to protect the confidentiality and integrity of customers’ security credentials, assets and data. 

There are two fundamental government approaches to this market: regulation or market forces. Europe has a penchant for regulation while the US tends to let the market shape its own areas.

Europe started the ball rolling with the PSD2 (Payment Services Directive) legislation of 2018. It was originally aimed at securing payment services, but activated a new breed of innovative financial service apps.

Since it is a directive rather than an enforceable regulation (like GDPR), individual member states could implement its provisions in their own manner. The UK, as a major financial hub, took advantage of its post-Brexit freedom and developed the PSD2 principles into its own Open Banking System. This included a requirement for the nine largest UK banks to develop a common API standard, which helped open banking to flourish rapidly.

The advantages of a flourishing open banking ecosphere are similar for most nations. This was summarised in a December 2022 statement by the UK’s Financial Conduct Authority (FCA): “Fully realised, open banking and then open finance can bring further benefits to consumers and businesses and will help the UK become more competitive and innovative.”

Open banking comprises payment systems for larger organisations, and the burgeoning number of purpose-specific apps for consumers and smaller businesses. It is part of the fintech sector, but for most people, the concept of open banking is limited to the purpose-specific app market.

Open Banking In The US

Open banking is an emerging market sector in the US. While it is less advanced than in the UK and EU, it would be wrong to think it is a new idea. Back in 2016 the Consumer Financial Protection Board wrote, “Whereas once upon a time consumers might have brought a shoebox full of paper to a financial advisor or loan officer, now consumers can accomplish the same thing just by providing access to their digital financial records. This is a world full of new promise, where consumers have the chance to gain the tremendous benefits of ease, speed, convenience, and transparency.”

The potential had already been flagged by the Dodd-Frank Act of 2010, which said that consumer transactions including “costs, charges and usage data,” shall be made available in an “electronic form usable by consumers”.

It is the practical difficulties of the disparate nature of a large-scale federal country that have delayed the natural evolution of the market. In 2021, there were 4,236 federally regulated and insured commercial banks in the United States. With that level of fragmentation, developing apps compatible with this number of banks, or even the right selection of them, is no easy feat.

  • There is no specific guidance or government initiative on open banking in the US. There is no requirement for banks to develop a standard API.
  • There are no tailored open banking regulations, although open banking operators will be required to abide by various federal and state-level security and privacy requirements.

But there is a strong entrepreneurial attitude and a business opportunity, hindered by non-standard APIs and the practical difficulty of writing individual APIs for all the important banks. The practical problems led to the early use of 'screen scraping' by open banking apps. This is far from perfect. It requires the customer to provide credentials, but without the bank knowing who or what is using those credentials. And it can gather more data than is strictly required for its purpose. 

The banks are developing APIs, but screen scraping lingers. Capgemini explained the differences between screen scraping and API-based open banking in March 2022. 'Screen scraping' is a technology by which a customer provides its banking app login credentials to a third party provider (TPP). The TPP then sends a software robot to the bank’s app or website to log in on behalf of the customer and retrieve data and/or initiate a payment. “Banks have less control over the data retrieved, which may go beyond account data regulated under PSD2 and may include any customer data available. With an API, banks have greater control to share only the necessary data for the TPP’s service and customers do not need to share any credentials with TPPs.”
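As an added illustration of the contrast Capgemini draws, and not code from the article or from any bank's real API: a constructed bank-side consent store issues a scoped, time-limited token bound to one TPP, a read succeeds only for the resource a granted scope covers, and a scraping robot holding the customer's own credentials sees the entire record. Every name, scope, record and timestamp below is a constructed example value.

```python
"""Added illustration (not from the article or any real bank's API): a scoped,
time-limited consent token lets the bank return only the data a TPP needs,
whereas shared credentials (screen scraping) expose the whole customer record.
Every name, scope, record and timestamp here is constructed."""
import hashlib
import secrets
from dataclasses import dataclass

DAY = 86_400                # seconds; all timestamps are plain Unix seconds
SAMPLE_NOW = 1_704_067_200  # constructed "current time" (2024-01-01T00:00:00Z)

# Constructed sample record for one customer, as held by the bank.
CUSTOMER_RECORD = {
    "accounts": [{"id": "acc-001", "balance_gbp": 1250.40}],
    "transactions": [{"id": "tx-1", "amount_gbp": -42.10, "payee": "Grocer"}],
    "contact": {"email": "customer@example.invalid", "phone": "+44 7700 900000"},
    "credentials": {"password_hash": "<constructed>"},
}

# Constructed scope names: each unlocks exactly one part of the record. Parts not
# listed here (contact details, credential material) are never reachable via the API.
SCOPE_RESOURCES = {
    "accounts:read": "accounts",
    "transactions:read": "transactions",
}


class AccessDenied(Exception):
    """Token unknown, revoked, expired, bound to another TPP, or out of scope."""


@dataclass(frozen=True)
class Consent:
    tpp_id: str        # the provider the customer consented to
    scopes: frozenset  # granted scopes, fixed at consent time
    expires_at: int    # consent is time-limited and must be renewed


def screen_scrape(record):
    """Credential sharing: a robot logged in as the customer sees everything.
    The bank cannot tell robot from customer, so it cannot limit what is read."""
    return dict(record)


class BankAPI:
    """Consent store keyed by a token digest, so a leaked store yields no usable tokens."""

    def __init__(self):
        self._consents = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def grant_consent(self, tpp_id, scopes, now, ttl_days=90):
        """Customer authorises tpp_id for the given scopes; returns the bearer token."""
        unknown = set(scopes) - set(SCOPE_RESOURCES)
        if unknown:
            raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        self._consents[self._digest(token)] = Consent(
            tpp_id, frozenset(scopes), now + ttl_days * DAY)
        return token

    def revoke(self, token):
        """Customer withdraws consent; the token stops working immediately."""
        self._consents.pop(self._digest(token), None)

    def read(self, token, tpp_id, resource, now):
        """Return one resource only if the token is valid for this TPP, in date,
        and carries a scope that maps to exactly that resource."""
        consent = self._consents.get(self._digest(token))
        if consent is None:
            raise AccessDenied("unknown or revoked token")
        if consent.tpp_id != tpp_id:
            raise AccessDenied("token was not issued to this TPP")
        if now >= consent.expires_at:
            raise AccessDenied("consent expired")
        if resource not in {SCOPE_RESOURCES[s] for s in consent.scopes}:
            raise AccessDenied(f"granted scopes do not cover {resource!r}")
        return CUSTOMER_RECORD[resource]
```

The point to take from running it is that the bank, not the TPP, decides what a token can reach, and that revocation or expiry cuts access off without the customer having to change a password.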

There is little doubt the API based approach to open banking will prevail in the US as it does in the UK and EU.

This will be more secure than scraping but will still have its security issues. It will also take time to implement. One expert commentator, Trevor Salter, a partner in Morrison & Foerster’s financial services practice, explains: “We’ve seen broad progress on technical integration protocols between financial institutions, aggregators, and product providers... Similarly, we’ve seen general alignment on how to make end users aware of how their data will be processed. But in the absence of a government or industry mandate, data can’t flow until financial institutions and aggregators sign an agreement.”

As a result, open banking in the US remains uncoordinated, requiring the negotiation of separate bilateral agreements to unlock users’ data. “Many of the largest financial institutions, aggregators and product providers have completed those agreements,” continued Salter, “but there will be a very long tail of relatively smaller financial institutions, aggregators and product providers before we reach the end of the journey toward open banking.”

Threats To The API Approach

A typical open banking process would now comprise the app developer, a user with the app installed on a mobile phone, an API connecting the app to the bank, and the bank itself. There are a number of things about this approach which could go wrong.

  • The app could be compromised before or after installation, or the mobile phone could be hijacked. In either of these cases, the API might work perfectly, and simply connect to the bank and return the requested data. 
  • That data could go to a criminal controlling the user’s phone, or it could be passed back to the app provider. The app provider could sell on the data retrieved to other third parties as part of its own business model. And, of course, the API could be attacked remotely.

The two primary threats within the open banking ecosphere are financial fraud, where the app itself is compromised or an attacker gains control of the mobile phone and thus the API identifier, and the possible resale of personal information to third parties.

APIs

A further complication is that these transactions involve multiple parties: the consumer’s financial institution will be exchanging data with a large number of suppliers, partners, and other consumers as part of the transaction. The scope of API calls, as well as the variety of entities and interconnection points, all contribute to a significant API attack surface.

In this area, there is a significant emerging threat: the application of large language model AI (such as ChatGPT) to help find logic flaws in these APIs.

Open Banking Reduces Data Breaches & Fraud

In the first half of 2022, a staggering £360.8 million was lost to unauthorised card fraud. While Strong Customer Authentication (SCA) has made it slightly harder for criminals to commit card payment fraud, it only takes one data breach for a fraudster to steal a consumer’s card details and make fraudulent transactions. Just like screen scraping, card payments require sensitive data to be shared with third parties (think CVV codes). And irrespective of additional compliance measures in play, this leads to unavoidable risks. 

But in the same way that open banking allows a customer to share data without handing over their credentials, a TPP can also initiate payments directly from their account without the customer sharing sensitive payment information.

Recent years have also seen a rise in ‘authorised push payment’ scams. This is where fraudsters use social engineering to convince account holders to transfer money to their own accounts. A typical scenario would be receiving a phone call from a ‘representative of your bank’ saying that your account has been compromised and you urgently need to transfer all funds to a ‘safe’ or ‘holding’ account… when it’s actually controlled by the scammer. Initiatives such as Confirmation of Payee might have helped payers understand who they are sending money to when they authorise a push payment.

But open banking can also help prevent malicious or accidental misdirected payments since it retains and reproduces payee details, which means there’s no opportunity for a customer to make a wrong choice about where to send a payment.

Fraud

In most cases, open banking is accessed via an app on a mobile phone calling an API. The API's security centres on the authentication and authorisation of the calling device. This approach rests on the assumption that the mobile phone is being operated by the authorised open banking customer.

Privacy Issues

Privacy concerns in open banking revolve around the amount and detail that can move from the bank to the TPP. Selling user contact data is a common business plan for many service and app providers; but the user may not be aware of it.

Improving The Security Of Open Banking

The open banking market is a prime target for criminals. Open banking can be described as a perfect storm for cyber security. At one end, small startups with financial acumen but little or no security expertise or resources are rushing new products to market. Banks are being forced by market pressure to join the rush, but have no specific regulatory guidance in the US on how to do so. In the middle is the user, with a history of lax security habits and a mobile phone that is frequently lost, stolen, hijacked or SIM-swapped.

This is all held together by APIs, which comprise one of the most attacked vectors in the cyber security sector.

Open Banking Benefits

The aim is to encourage innovation and improve competition, by making it easier for you to pay companies directly and manage multiple financial products. For example, HMRC has partnered with a private sector provider to enable taxpayers to pay their bills directly from their bank account using open banking technology.

Ultimately, open banking could allow you to manage all of your financial accounts and household bills through a single digital platform, with the option of allowing apps to 'plug in' and offer more personalised and intuitive services.

An app might help you avoid charges or boost your savings by automatically moving money between various accounts. Open banking could also spur action in other markets, by encouraging you to look at your energy or phone bills.

Disadvantages Of Open Banking

While acknowledging the numerous benefits of open banking, it is also necessary to note its potential drawbacks. The hesitation that accompanies the transition from traditional banking methods to open banking is the major source of most of these disadvantages. They are as follows:

Low customer credibility: Until now there has been an apathy or lack of credibility on the part of customers towards this new form of banking. It is partly due to the fear of sharing their data, as well as to their lack of knowledge of how it works.

Fintech: The growth of those companies that have replaced many of the services traditionally controlled by banks is a major drawback for major banks. The Fintech market is growing. Their services are diverse, with a large number of them growing in various countries. They are simple, fast, and low cost for customers.

It removes the interpersonal relationship with the customer: Because everything is handled digitally, the face-to-face encounters between the customer and the bank are getting fewer and fewer. This can lead to a breakdown in the psychological relationship and brand loyalty between customer and provider.

The Future For Open Banking Apps

As the technology and regulations governing data privacy continue to develop, open banking applications are poised to enhance their services by offering more personalised and secure financial solutions. Furthermore, these applications may broaden their scope beyond conventional banking offerings, encompassing insurance, investment, and wealth management services.

The escalating adoption of open banking on a global scale will prompt greater collaboration between financial institutions and Fintech start-ups in developing advanced open banking solutions, which cater to the needs of both consumers and businesses.

Open banking apps possess transformative potential for the financial services sector. These applications exploit the power of open APIs to provide customers with an unprecedented level of authority over their financial affairs. 

By seamlessly integrating financial information across diverse institutions, such apps offer several benefits, including improved transparency, enhanced accessibility to financial tools, and customised guidance in terms of financial management. Banks are also concerned that customers may be exposed to a range of threats associated with security and data loss. 

Even if an incident is not caused by the bank, there is a likelihood that they will suffer collateral damage to their reputation, and may be expected to help remedy the issue which will incur cost.

As a consequence, many banks have concluded that it is important that they educate customers about the risks of data sharing - to ensure that the APIs are used to increase security and safety - not decrease it. They also plan to rigorously validate that firms are appropriately authorised to access their APIs. 

References:

  • OpenBanking
  • Yapily
  • Security Week
  • HSBC
  • Which
  • Exactly
  • Forbes
  • PWC
  • WeLiveSecurity
  • UKFinance
  • Chakray
  • CapGemini
  • Mofo
  • F5

Image: Tero Vesalainen
