The Security Aspects Of Open Banking

Open Banking & Finance Apps Security




Open banking, the ground-breaking financial technology, has reached a significant milestone, surpassing 11.4 million payments in July 2023. This achievement reflects a 9.3% increase in total payments compared with previous months, highlighting the growing adoption of open banking services.

Open Banking is a term used to describe a set of technologies and standards which allows consumers to safely and securely share their account information, for example through apps and websites.

As the global economy continues to evolve, open banking is becoming more popular, because it allows for faster, more secure transactions anywhere in the world and it gives consumers more opportunities, through the use of third parties, to manage their finances. You can choose to give secure access to your current account information, held by your account provider, to a regulated company via an app or website. 

Only you can decide what information you share and for how long, and no one gets access unless you give your permission.

To use an Open Banking service you need online or mobile banking for your personal or business current account.

Services allowing you to share your account information with a company other than your bank have existed for a while, but have been provided through a system called screen scraping. Screen scraping involves capturing on-screen information, like taking a photograph of your data. Open Banking is more secure than screen scraping because, for example, you don’t have to share your password or login details with anyone other than your bank or building society.

Open Banking Is Also Known As "Open Bank Data" 

Six years after being established by the Competition and Markets Authority’s (CMA) Retail Banking Market Investigation Order, open banking, an avant-garde technology enabling consumers and businesses to tap their transaction data to access more personalised financial services, is enjoying significant highs.

Proponents argue open banking provides greater transparency and data control for account holders, and could allow for new financial services to be provided. Proponents also say that it aims to promote competition, innovation, and customer empowerment in the banking and financial sectors. Opponents argue that open banking can lead to greater security risk and exploitation of consumers.

  • Open Banking allows you to share certain financial information that only you and your bank can see, such as your balance and transaction history, with other financial providers or services of your choosing. The idea is to make it easier for other organisations to use your data to personalise products or make suggestions on areas you can save. 
  • Open banking is a banking practice of enabling secure inter-operability in the banking industry by allowing third-party payment service and other financial service providers to access banking transactions and other data from banks and financial institutions.  
  • Open banking was born in the EU, flourished in the UK, and is now spreading around the globe, including the US. Unfortunately, since this is high-level Fintech it is highly targeted by cyber criminals.

Since 2018, Open Banking rules have meant the UK's largest banks have to let you share your financial data with authorised providers, granting them read-only access to things like your spending transactions and regular payments. 

Open banking is proving to be successful in the UK, exceeding 11.4 million payments in the month of July 2023. According to Open Banking, the entity formed in 2016 to oversee open banking’s implementation, the performance in July represents a 9.3% increase in the total number of open banking payments recorded the month prior, with June recording 10.43 million payments.

How Open Banking Works 

Open banking is enabled by a series of technologies, regulations, and services that aim to allow developers to create new banking services, new banking business models, and new commerce capabilities. 

Each provider will ask for your consent to access your info when you sign up to it. It'll then send a request to your bank, which will process it and share your details. You can also withdraw your permission at any time. Technically, banks share your information securely via technology called application programming interfaces (APIs). APIs simply allow two providers to 'talk' to each other and pass the information you've given permission to share, such as your bank balance and regular payments. 

With Open Banking, there’s no need to fill out lengthy forms to give the third party app or website the data it needs, it can access it all directly, provided you've given your permission via your bank's mobile or online banking. 

This kind of technology is already widely used by the likes of Facebook, Google Maps and Uber. For example, Uber might use Google Maps' API so it can work out where you are. Under open banking, banks allow access to and control of customers' personal and financial data by third-party service providers, which are typically tech startups and online financial service vendors.

Customers are normally required to grant some kind of consent to let the bank allow such access, such as checking a box on a terms-of-service screen in an online app. Third-party providers' APIs can then use the customer's shared data and data about the customer's financial counterparties.

Uses might include comparing the customer's accounts and transaction history to a range of financial service options, aggregating data across participating financial institutions and customers to create marketing profiles, or making new transactions and account changes on the customer's behalf.
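The consent flow described above (customer grants permission, the provider's request is checked by the bank, permission can be withdrawn at any time, and access is read-only) can be modelled as the gatekeeper logic a bank's API would apply to each third-party request. This is an added example, not code from the article or from any Open Banking implementation; the `Consent`/`Bank` classes, the permission codes `ReadBalances`/`ReadTransactions`, the provider ids and the account data are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed model of the consent flow the article describes: the bank shares data
# with a third-party provider (TPP) only within the scope, lifetime and direction
# (read-only) the customer agreed to; names, codes and data are assumptions.

NOW = datetime(2023, 7, 31)   # constructed "current time" for the sample data
@dataclass
class Consent:
    consent_id: str
    tpp_id: str             # the provider the customer authorised
    permissions: frozenset  # what may be read, e.g. {"ReadBalances"}
    expires_at: datetime    # "for how long" the customer agreed to share
    revoked: bool = False   # the customer can withdraw permission at any time

@dataclass
class Bank:
    accounts: dict = field(default_factory=dict)
    consents: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # every decision is logged

    def grant_consent(self, consent_id, tpp_id, permissions, now=NOW, days=90):
        # record the customer's authorisation of one TPP for a limited time
        self.consents[consent_id] = Consent(
            consent_id, tpp_id, frozenset(permissions), now + timedelta(days=days))

    def revoke_consent(self, consent_id):
        # customer withdraws permission; every later request is refused
        self.consents[consent_id].revoked = True

    def api_request(self, tpp_id, consent_id, resource, now=NOW, method="GET"):
        # gatekeeper for TPP calls: returns (status, body) and records the decision
        consent = self.consents.get(consent_id)
        if consent is None or consent.tpp_id != tpp_id:
            return self._deny(tpp_id, resource, 403, "unknown consent or wrong TPP")
        if consent.revoked:
            return self._deny(tpp_id, resource, 403, "consent revoked")
        if now >= consent.expires_at:
            return self._deny(tpp_id, resource, 403, "consent expired")
        if method != "GET":
            return self._deny(tpp_id, resource, 405, "read-only access")
        needed = {"balances": "ReadBalances", "transactions": "ReadTransactions"}.get(resource)
        if needed is None:
            return self._deny(tpp_id, resource, 404, "no such resource")
        if needed not in consent.permissions:
            return self._deny(tpp_id, resource, 403, needed + " not granted")
        self.audit.append((tpp_id, resource, 200, "ok"))
        return 200, self.accounts[resource]

    def _deny(self, tpp_id, resource, status, reason):
        self.audit.append((tpp_id, resource, status, reason))
        return status, reason

def demo_bank():
    # sample bank (constructed data) with one consent granting balance access only
    bank = Bank(accounts={"balances": {"current": 1250.40},
                          "transactions": [("2023-07-01", -42.00, "groceries")]})
    bank.grant_consent("c-1", "budget-app", ["ReadBalances"])
    return bank
```

The audit list is what a bank's fraud-monitoring team would review: every refused request, with the reason, is recorded alongside the successful ones.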

New customer expectations and technology-centric regulations are an important lubricant for open banking to thrive. Three forces combine to make the open banking dream possible: changes in banking regulation, changes in culture, and changes in technology. Through the use of networked accounts, open banking could help lenders get a more accurate picture of a consumer's financial situation and risk level in order to offer more profitable loan terms. Open banking can also help small businesses save time through online accounting and help fraud detection companies better monitor customer accounts and identify problems sooner.

It could also help consumers get a more accurate picture of their own finances before taking on debt. An open banking app for customers who want to buy a home could automatically calculate what customers can afford based on all the information in their accounts, perhaps providing a more reliable picture than mortgage lending guidelines currently provide. 

Another app might help visually impaired customers better understand their finances through voice commands. 

For the consumer, open banking promises to provide more choices, better service, and frictionless commerce. For example, you might want to use Amazon, Paypal, and Facebook to send money or gifts securely to friends with a simple click or swipe.

There are two fundamental government approaches to this market: regulation or market forces. The European Union has followed a path of regulation while the US tends to let the market take its own shape. 

  • Europe started the process with the EU PSD2 (Payment Services Directive) legislation of 2018, which was originally aimed at securing payment services, but activated a new breed of innovative financial service apps. Since it is a directive rather than a regulation, individual member states could implement its provisions in their own manner. 

The UK, as a major financial hub, and bolstered by Brexit, took advantage of its freedom and developed the PSD2 principles into its own Open Banking System. This included a requirement for the nine largest UK banks to develop a common API standard, which helped open banking to rapidly flourish. The advantages of a flourishing open banking ecosphere are summarised in a December 2022 statement by the UK’s Financial Conduct Authority (FCA): “Fully realised, open banking and then open finance can bring further benefits to consumers and businesses and will help the UK become more competitive and innovative.”

  • Open Banking is an emerging market sector in the US. While it is less advanced than in the UK and EU, it would be wrong to think it is a new idea. In 2016 the Consumer Financial Protection Board wrote, “Whereas once upon a time consumers might have brought a shoebox full of paper to a financial advisor or loan officer, now consumers can accomplish the same thing just by providing access to their digital financial records... This is a world full of new promise, where consumers have the chance to gain the tremendous benefits of ease, speed, convenience, and transparency.” The potential had already been flagged by the Dodd-Frank Act of 2010, which said that consumer transactions including “costs, charges and usage data,” shall be made available in an “electronic form usable by consumers”.

It is the practical difficulties of the disparate nature of a large-scale federal country that has delayed the natural evolution of the market. In 2021, there were 4,236 FDIC-insured commercial banks in the United States (Statista). Developing apps compatible with this amount, or the right selection, of banks is no easy feat. There is no specific guidance or government initiative on open banking in the US. There is no requirement for banks to develop a standard API.

There are no tailored open banking regulations, although open banking operators will be required to abide by various federal and state-level security and privacy requirements. But there is a strong entrepreneurial attitude and a business opportunity – hindered by non-standard APIs and the practical difficulty of writing individual APIs for all the important banks.

The practical problems led to the early use of screen scraping by open banking apps. This is far from perfect. It requires the customer to provide credentials, but without the bank knowing who or what is using those credentials. And it can gather more data than is strictly required for its purpose.

The banks are developing APIs, but screen scraping lingers. Capgemini explained the differences between screen scraping and API-based open banking in March 2022: “Screen scraping is a technology by which a customer provides its banking app login credentials to a third-party provider (TPP). The TPP then sends a software robot to the bank’s app or website to log-in on behalf of the customer and retrieve data and/or initiate a payment... Banks have less control over the data retrieved, which may go beyond account data regulated under PSD2 and may include any customer data available. With an API, banks have greater control to share only the necessary data for the TPP’s service and customers do not need to share any credentials with TPPs.”

There is little doubt the API-based approach to open banking will prevail in the US as it does in the UK and EU. This will be more secure than scraping, but will take time to set up and will still have security issues.

A partner in Morrison & Foerster’s financial services practice, Trevor Salter, commented “We’ve seen broad progress on technical integration protocols between financial institutions, aggregators, and product providers... Similarly, we’ve seen general alignment on how to make end users aware of how their data will be processed. But in the absence of a government or industry mandate, data can’t flow until financial institutions and aggregators sign an agreement.”

Open banking in the US remains a piecemeal effort while all concerned negotiate bilateral agreements to unlock users’ data. 

Risks Associated With Open Banking

Open banking may offer benefits in the form of convenient access to financial data and services to consumers and streamlining some costs for financial institutions. However, as with any digitally-based service, there is always the potential for data breaches. APIs are not without a certain amount of risk, with most concerns stemming from poor security, hacking, and insider threats.  And so open banking also potentially poses severe risks to financial privacy and the security of consumers' finances, as well as resulting liabilities to financial institutions. 

The most extreme open banking security risk would be a malicious third-party app cleaning out a customer's account. 

Much broader concerns would simply be data breaches due to poor security, hacking, or insider threats that have become relatively widespread in the modern era, including at financial institutions, and will likely remain commonplace as more data becomes interconnected in more ways. A typical open banking process would now comprise the app developer, a user with the app installed on a mobile phone, an API connecting the app to the bank, and the bank itself. There are several security risks to this type of interconnected process.

  • The app could be compromised before or after installation, or the mobile phone could be hijacked. In either of these cases, the API might work perfectly, and simply connect to the bank and return the requested data. 
  • That data could be accessible to a criminal controlling the user’s phone, or it could be passed back to the app provider. The app provider could sell on the data retrieved to other third parties as part of its own business model.
  • Not least, the API could be attacked remotely.

The safety and confidentiality of finances, as well as other personal data, is a top priority both for users and financial institutions. 

The existence of malware designed by third-party app providers to infiltrate an account and wipe the data remains an issue as well. There is also the concern of payment service providers mishandling their own customers’ data to gain an advantage in the market. However, open banking uses rigorously tested software and security systems (the Open Banking API security profile is based on the Financial-grade API, FAPI). You’ll never be asked to give access to your bank login details or password to anyone other than your own bank or building society.

Conclusion

The number of banks and building societies that offer open banking is growing. At the moment, only the UK’s nine largest banks and building societies are required to make your data available through open banking. Other smaller banks and building societies can choose to take part in open banking. 

Open Banking is a viable alternative to the current financial system, as it offers many advantages, such as increased convenience, access to a diverse range of financial services, and a network of synergetic third-party applications. But it also has some disadvantages, the security risks of sharing data being the most important drawback. 

It is important to prioritise the protection of customer data above all else, thus harnessing open banking in tandem with strong security protocols and stringent regulatory compliance. 

References:

  • MoneySavingExpert
  • FintechFutures
  • Chakray
  • Open Banking
  • OpenID
  • Wikipedia
  • Investopedia
  • MoneyHelper
  • Tibco
  • Security Week

Image: Ahmad Ardity
