The Security Aspects Of Open Banking

Open Banking & Finance Apps Security


Directors Report: This article is exclusive to premium subscribers For unrestricted website access please Subscribe: £5 monthly / £50 annual.


Open banking, the ground-breaking financial technology, has reached a significant milestone, surpassing 11.4 million payments in July 2023. This achievement reflects a 9.3% increase in total payments compared with previous months, highlighting the growing adoption of open banking services.

Open Banking is a term used to describe a set of technologies and standards which allows consumers to safely and securely share their account information, for example through apps and websites.

As the global economy continues to evolve, open banking is becoming more popular, because it allows for faster, more secure transactions anywhere in the world and it gives consumers more opportunities, through the use of third parties, to manage their finances. You can choose to give secure access to your current account information, held by your account provider, to a regulated company via an app or website. 

Only you can decide what information you share and for how long, and no one gets access unless you give your permission.

To use an Open Banking service you need online or mobile banking for your personal, or business current account.
Services allowing you to share your account information with a company other than your bank have existed for a while, but have been provided through a system called screen scraping. Screen scraping involves capturing on-screen information, like taking a photograph of your data. Open Banking is more secure than screen scraping because, for example, you don’t have to share your password or login details with anyone other than your bank or building society.

Open Banking Is Also Known As "Open Bank Data" 

Six years after being instated by the Competition and Markets Authority’s (CMA) Retail Banking Market Investigation Order, open banking, an avant-garde technology enabling consumers and businesses to tap their transaction data to access more personalised financial services, is enjoying significant highs.

Proponents argue open banking provides greater transparency and data control for account holders, and could allow for new financial services to be provided. Proponents also say that it aims to promote competition, innovation, and customer empowerment in the banking and financial sectors. Opponents argue that open banking can lead to greater security risk and exploitation of consumers.

  • Open Banking allows you to share certain financial information that only you and your bank can see, such as your balance and transaction history, with other financial providers or services of your choosing. The idea is to make it easier for other organisations to use your data to personalise products or make suggestions on areas you can save. 
  • Open banking is a banking practice of enabling secure inter-operability in the banking industry by allowing third-party payment service and other financial service providers to access banking transactions and other data from banks and financial institutions.  
  • Open banking was born in the EU, flourished in the UK, and is now spreading around the globe, including the US. Unfortunately, since this is high-level Fintech it is highly targeted by cyber criminals.

Since 2018, Open Banking rules have meant the UK's largest banks have to let you share your financial data with authorised providers, granting them read-only access to things like your spending transactions and regular payments. 

Open banking is proving to be successful in the UK. after exceeding 11.4 million payments in the month of July 2023. According to Open Banking, the entity formed in 2016 to oversee open banking’s implementation, the performance in July represents a 9.3% increase in the total amount of open banking payments recorded the month prior, with June recording 10.43 million payments accordingly.

How Open Banking Works 

Open banking is enabled by a series of technologies, regulations, and services that aim to allow developers to create new banking services, new banking business models, and new commerce capabilities. 

Each provider will ask for your consent to access your info when you sign up to it. It'll then send a request to your bank, which will process it and share your details. You can also withdraw your permission at any time. Technically, banks share your information securely via technology called application programming interfaces (APIs). APIs simply allow two providers to 'talk' to each other and pass the information you've given permission to share, such as your bank balance and regular payments. 

With Open Banking, there’s no need to fill out lengthy forms to give the third party app or website the data it needs, it can access it all directly, provided you've given your permission via your bank's mobile or online banking. 

This kind of technology is already widely used by the likes of Facebook, Google Maps and Uber. For example, Uber might use Google Maps' API so it can work out where you are. Under open banking, banks allow access and control of customers personal and financial data to third-party service providers, which are typically tech startups and online financial service vendors. 

Customers are normally required to grant some kind of consent to let the bank allow such access, such as checking a box on a terms-of-service screen in an online app. Third-party providers APIs can then use the customer's shared data and data about the customer's financial counterparties. 

Uses might include comparing the customer's accounts and transaction history to a range of financial service options, aggregating data across participating financial institutions and customers to create marketing profiles, or making new transactions and account changes on the customer's behalf.

New customer expectations and technology-centric regulations are an important lubricant for open banking to thrive. Three forces combine to make the open banking dream possible: changes in banking regulation, changes in culture, and changes in technology. Through the use of networked accounts, open banking could help lenders get a more accurate picture of a consumer's financial situation and risk level in order to offer more profitable loan terms. Open banking can also help small businesses save time through online accounting and help fraud detection companies better monitor customer accounts and identify problems sooner.

It could also help consumers get a more accurate picture of their own finances before taking on debt. An open banking app for customers who want to buy a home could automatically calculate what customers can afford based on all the information in their accounts, perhaps providing a more reliable picture than mortgage lending guidelines currently provide. 

Another app might help visually impaired customers better understand their finances through voice commands. 

For the consumer, open banking promises to provide more choices, better service, and frictionless commerce. For example, you might want to use Amazon, Paypal, and Facebook to send money or gifts securely to friends with a simple click or swipe.

There are two fundamental government approaches to this market: regulation or market forces. The European Union has followed a path of regulation while the US tends to let the market take its own shape. 

  • Europe started the process with the EU PSD2 (Payment Services Directive) legislation of 2018, which was originally aimed at securing payment services, but activated a new breed of innovative financial service apps. Since it is a directive rather than regulation, iindividual member states could implement the directions in their own manner. 

The UK, as a major financial hub, and bolstered by Brexit took advantage of its freedom and developed the PSD2 principles into its own Open Banking System. This included a requirement for the nine largest UK banks to develop a common API standard which helped open banking to rapidly flourish. The advantages of a flourishing open banking ecosphere are summarised in a December 2022 statement by the UK’s financial conduct authority (FCA). “Fully realised, open banking and then open finance can bring further benefits to consumers and businesses and will help the UK become more competitive and innovative.”

  • Open Banking in the US is an emerging market sector in the US. While it is less advanced than in the UK and EU, it would be wrong to think it is a new idea. The 2016 the Consumer Financial Protection Board wrote, “Whereas once upon a time consumers might have brought a shoebox full of paper to a financial advisor or loan officer, now consumers can accomplish the same thing just by providing access to their digital financial records... This is a world full of new promise, where consumers have the chance to gain the tremendous benefits of ease, speed, convenience, and transparency.” The potential had already been flagged by the Dodd-Frank Act of 2010, which said that consumer transactions including “costs, charges and usage data,” shall be made available in an “electronic form usable by consumers”.

It is the practical difficulties of the disparate nature of a large-scale federal country that has delayed the natural evolution of the market. In 2021, there were 4,236 FDIC-insured commercial banks in the United States (Statista). Developing apps compatible with this amount, or the right selection, of banks is no easy feat. There is no specific guidance or government initiative on open banking in the US. There is no requirement for banks to develop a standard API.

There are no tailored open banking regulations, although open banking operators will be required to abide by various federal and state-level security and privacy requirements. But there is a strong entrepreneurial attitude and a business opportunity – hindered by non-standard APIs and the practical difficulty of writing individual APIs for all the important banks.

The practical problems led to the early use of screen scraping by open banking apps. This is far from perfect. It requires the customer to provide credentials, but without the bank knowing who or what is using those credentials. And it can gather more data than is strictly required for its purpose.

The banks are developing APIs, but screen scraping lingers. Capgemini explained the differences between screen scraping and API-based open banking in March 2022 “Screen scraping is a technology by which a customer provides its banking app login credentials to a third-party provider (TPP). The TPP then sends a software robot to the bank’s app or website to log-in on behalf of the customer and retrieve data and/or initiate a payment... Banks have less control over the data retrieved, which may go beyond account data regulated under PSD2 and may include any customer data available. With an API, banks have greater control to share only the necessary data for the TTP’s service and customers do not need to share any credentials with TPPs.”

There is little doubt the API based approach to open banking will prevail in the US as it does in the UK and EU. This will be more secure than scraping but will take time to set up and will still have security issues.

A partner in Morrison & Foerster’s financial services practice, Trevor Salter, commented “We’ve seen broad progress on technical integration protocols between financial institutions, aggregators, and product providers... Similarly, we’ve seen general alignment on how to make end users aware of how their data will be processed. But in the absence of a government or industry mandate, data can’t flow until financial institutions and aggregators sign an agreement.”

Open banking in the US remains a piecemeal effort while all concerned negotiate bilateral agreements to unlock users’ data. 

Risks Associated With Open Banking

Open banking may offer benefits in the form of convenient access to financial data and services to consumers and streamlining some costs for financial institutions. However, as with any digitally-based service, there is always the potential for data breaches. APIs are not without a certain amount of risk, with most concerns stemming from poor security, hacking, and insider threats.  And so open banking also potentially poses severe risks to financial privacy and the security of consumers' finances, as well as resulting liabilities to financial institutions. 

Open banking security risks, such as the potential for a malicious 3rd party app to clean out a customer's account would be an extreme threat. 

Much broader concerns would simply be data breaches due to poor security, hacking, or insider threats that have become relatively widespread in the modern era, including at financial institutions, and will likely remain commonplace as more data becomes interconnected in more ways. A typical open banking process would now comprise the app developer, a user with the app installed on a mobile phone, an API connecting the app to the bank, and the bank itself. There are several security risks to this type of interconnected process.

  • The app could be compromised before or after installation, or the mobile phone could be hijacked. In either of these cases, the API might work perfectly, and simply connect to the bank and return the requested data. 
  • That data could be accessible yo  a criminal controlling the user’s phone, or it could be passed back to the app provider. The app provider could sell on the data retrieved to other third parties as part of its own business model.
  • Not least, the API could be attacked remotely.

The safety and confidentiality of finances, as well as other personal data, is a top priority both for users and financial institutions. However, as with any digitally-based service, there is always the potential for data breaches. APIs are not without a certain amount of risk, with most concerns stemming from poor security, hacking, and insider threats. 

The existence of malware designed by third-party app providers to infiltrate an account and wipe the data remains an issue as well. There is also the concern of payment service providers mishandling their own customers’ data to gain an advantage in the market. However, open banking uses rigorously tested software and security systems (the Open Banking API security profile is based on Financial Grade API. You’ll never be asked to give access to your bank login details or password to anyone other than your own bank or building society.
Conclusion

The number of banks and building societies that offer open banking is growing. At the moment, only the UK’s nine largest banks and building societies are required to make your data available through open banking. Other smaller banks and building societies can choose to take part in open banking. 

Open Banking is a viable alternative to the current financial system, as it offers many advantages, such as increased convenience, access to a diverse range of financial services, and a network of synergetic third-party applications. But it also has some disadvantages, the security risks of sharing data being the most important drawback. 

It is important to prioritise the protection of customer data above all else, thus harnessing open banking in tandem with strong security protocols and stringent regulatory compliance. 

References:

MoneySavingExpert:   FintechFutures:         

Chakray:  Open Banking:   OpenID

Wikipedia:     Investopedia:   

MoneyHelper:   Open Banking:   

Tibco:    Security Week:    Tibco:     

Image: Ahmad Ardity

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« British Voters Wide Open To Attack
Elon Musk Withheld Starlink Over Crimea »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: Navigating cloud security: The importance of posture management tools

ON-DEMAND WEBINAR: Navigating cloud security: The importance of posture management tools

Watch this webinar to see how cloud security posture management (CSPM) tools can fit into your cloud security strategy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cynet

Cynet

Cynet simplifies security by providing a rapidly deployed, comprehensive platform for detection, prevention and automated response to advanced threats with near-zero false positives.

eScan AV

eScan AV

eScan develops Information Security solutions that provide protection against current and evolving cyber threats.

CFC Underwriting

CFC Underwriting

CFC is a specialist insurance provider and a pioneer in emerging risk, including cyber insurance.

Logscape

Logscape

Logscape provides a big data analytical tool for log file analysis and operational analytics.

Cyber Triage

Cyber Triage

Cyber Triage is an automated incident response software any company can use to investigate their network alerts.

Codeproof Technologies

Codeproof Technologies

The Codeproof enterprise mobility solution empowers your business to secure, deploy and manage mobile applications and data on smartphones, tablets, IoT devices and more.

Gita Technologies

Gita Technologies

Gita Technologies works to create integrated solutions to the thorniest problems in the field of intelligence and cyber today.

Cyber Physical Security Research Center (CPSEC)

Cyber Physical Security Research Center (CPSEC)

CPSEC aims to contribute to the security enhancement of industrial infrastructure that creates value across cyber space and physical space.

Prove Identity

Prove Identity

Prove (formerly Payfone) is a leader in mobile & digital identity authentication for the connected world.

Elemental Cyber Security

Elemental Cyber Security

Elemental is a game changing cyber security compliance automation and enforcement technology provider.

PhishFirewall

PhishFirewall

PhishFirewall is an advanced AI-driven CyberSecurity Awareness Education, Threat Emulation, and Human Security Analytics Platform.

BrainStorm

BrainStorm

BrainStorm Threat Defense takes a new human-focused approach to security awareness that traditional training lacks. It’s a cutting-edge platform to make your users more security savvy.

Obsidian Security

Obsidian Security

Protect your business-critical applications by mitigating threats and reducing risk with Obsidian, the first truly comprehensive security solution for SaaS.

HashiCorp

HashiCorp

At HashiCorp, we believe infrastructure enables innovation, and we are helping organizations to operate that infrastructure in the cloud.

ShieldIO

ShieldIO

ShieldIO Real-Time Homomorphic Encryption™ enables your organization to reach regulatory compliance without compromising data availability.

TIM Enterprise

TIM Enterprise

TIM Enterprise offers innovative, sustainable and secure 360-degree digital solutions to companies and public administrations.