Balance Open Banking Enthusiasm with Caution
Digitalization and Open Banking are two of the most prominent trends in the banking industry in recent times. While the former was initiated by changing customer behavior, the latter was driven by regulatory and market forces.
Open Banking is a new kid on the block with a lot of promise and fanfare, but it can present new challenges for financial services. Rather than being swayed by its exuberance, a cautious approach is required for its implementation.
What is Open Banking?
Banks employ digital and technology initiatives to remove silos, streamline processes and provide a 360-degree view of the customer at the organization level. Open Banking is broadening this vision and taking it a step further.
Until recently, banks were the sole custodians of customer financial data, and access to this data was restricted to customers through bank channels. Unlocking this data and sharing it with non-banking partners has the potential to drive more competition and innovation in the financial industry and bring customers to the fore. Open Banking is an attempt to do exactly that.
At its core, Open Banking (OB) is a process of enabling banks or other financial institutions to share customer data with third-party providers (TPPs) in a secure way, via application programming interfaces (APIs). Sharing of data happens only when the customer provides explicit consent to do so. It aims to provide customers greater access to, and control over, their banking data.
Sharing financial data with fintech apps is nothing new. It has been implemented using screen-scraping – a method that requires customers to share their banking credentials with a third party. However, this practice is discouraged and even restricted in certain jurisdictions as it poses a range of security risks.
Open Banking Initiatives
Different geographies are taking different approaches to implementing Open Banking.
The European Union (EU) and the U.K. took a regulatory-driven approach, requiring banks to share data through legislation such as PSD2 and GDPR. On the other hand, there is no regulatory mandate for banks in the U.S.; it has been left to market forces to take this initiative forward.
Fraud Risks & Concerns
Sharing data is a relatively new concept for customers. Fewer than 20% of customers are currently aware of open banking, and they are hesitant to share data due to privacy and security concerns. Even though there is no clear evidence that open banking introduces any new fraud vectors, the volume of fraud has increased, both in terms of numbers and monetary value, due to vulnerabilities exposed in the changing landscape.
In my opinion, open banking presents three major fraud risks.
- Reduced Visibility of Fraudulent Activities: Open banking enables customers to perform banking activities through third-party apps. In this case, banks will have limited exposure to customer activities outside their platform. A partial view of the customer’s digital journey restricts a bank’s ability to detect fraud and lets some fraudulent activities go unnoticed. For example, fraud detection strategies based on login events will become less effective under open banking.
- Multiple Points of Failure: The ability to access customer data through external applications will increase fraud risk exponentially and open multiple points of failure. Fraudsters would be excited to get a holistic view of the customer across portfolios. They can use this information to devise new and more sophisticated frauds. This will give them extra motivation to increase account takeover (ATO) attacks and explore weaknesses in the new layer.
- Fraud Loss Accountability: Traditionally, banks are primarily responsible and liable for customer data and fraud losses. Exposure of data to new parties will make it extremely difficult to determine the true culprit in case of fraud or data breaches, making existing parties reluctant to share data.
Roadmap to Success
To realize the full potential of open banking, a coordinated effort is required to address issues related to security, liability, standards, governance, and communication.
- Standardized API to access banking data. Rather than connecting with multiple banks through their proprietary APIs, fintechs should focus on providing innovative solutions at a reduced cost. For simplicity and ease of implementation, the industry should collaborate and develop standards and interfaces to share banking data securely.
- Define a strategy to prevent access through unsecured channels. In the absence of strict regulation, many TPPs continue to rely on screen scraping to get unrestricted access to banks’ customer data. Banks should define a strategy to identify requests through unsecured means and get control over them.
- Develop a comprehensive liability framework where the accountability and liability of each participant’s activities are clearly defined. Each participant should understand that they are liable only for their own actions and not for those of others. This will help banks to be more forthcoming in sharing data.
- Authenticate Third Party Providers. Bad actors can pose as a legitimate third party to gain access to customer data. The right controls should be in place to check the authenticity and eligibility of third parties and the scope of data requested by them.
- Monitor Open Banking Data Points for Fraud Detection. FIs should collect relevant open banking data points to identify events channeled through third parties and use them during fraud detection. This will help identify fraud sources and take corrective measures for fraud and dispute management.
- Build Common Defenses. Open banking is bringing banks, big tech, and fintech closer like never before. Collaborate and develop common defenses to identify and weed out bad actors.
- Sustained Customer Education. The success of open banking depends on customer engagement and trust. An effort needs to be made to raise awareness about the potential benefits and best practices for sharing financial information safely with third parties.
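One way a bank's API gateway could apply the "Authenticate Third Party Providers" control above together with the explicit-consent requirement, shown as an added example that is not part of the original article. The registry, consent store, scope names and the `authorize_request` function are hypothetical and use constructed sample data; AISP and PISP are the PSD2 provider roles.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data; a real deployment would query the scheme's TPP
# directory and the bank's consent store instead of in-memory dicts.
TPP_REGISTRY = {
    "tpp-budget-app": {"status": "authorised", "roles": {"AISP"}},
    "tpp-revoked": {"status": "revoked", "roles": {"AISP", "PISP"}},
}
# Role a TPP must hold for each scope (scope names are hypothetical).
SCOPE_ROLE = {"accounts:read": "AISP", "balances:read": "AISP",
              "transactions:read": "AISP", "payments:write": "PISP"}
# Consent records keyed by (customer, TPP): granted scopes and an expiry.
CONSENTS = {
    ("cust-001", "tpp-budget-app"): {
        "scopes": {"accounts:read", "balances:read"},
        "expires": datetime(2030, 1, 1, tzinfo=timezone.utc),
    },
}

@dataclass
class Decision:
    allowed: bool
    reason: str           # log this so fraud and dispute teams see why
    channel: str = "tpp"  # tag so monitoring can separate TPP traffic

def authorize_request(tpp_id, customer_id, scopes, now=None):
    """Decide whether a TPP may access the requested scopes for a customer."""
    now = now or datetime.now(timezone.utc)
    tpp = TPP_REGISTRY.get(tpp_id)
    if tpp is None:                        # authenticity: is it registered?
        return Decision(False, "unknown_tpp")
    if tpp["status"] != "authorised":
        return Decision(False, "tpp_not_authorised")
    if not scopes:
        return Decision(False, "no_scope_requested")
    for scope in scopes:                   # eligibility: role covers scope?
        role = SCOPE_ROLE.get(scope)
        if role is None:
            return Decision(False, f"unknown_scope:{scope}")
        if role not in tpp["roles"]:
            return Decision(False, f"tpp_not_eligible:{scope}")
    consent = CONSENTS.get((customer_id, tpp_id))
    if consent is None:                    # explicit customer consent
        return Decision(False, "no_consent")
    if consent["expires"] <= now:
        return Decision(False, "consent_expired")
    missing = set(scopes) - consent["scopes"]
    if missing:                            # request wider than the consent
        return Decision(False, "scope_exceeds_consent:" + ",".join(sorted(missing)))
    return Decision(True, "ok")
```

Every denial returns a specific reason and the `tpp` channel tag, which gives the fraud-monitoring step above a data point for each third-party request, allowed or not.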
Open Banking is only the beginning of the new era with ‘Open Finance’ and ‘Open Data’ next in line. If implemented correctly, it has the potential to serve diverse customer needs by providing a robust and sustainable infrastructure where innovation and competition can thrive.
The journey is full of excitement and surprise. Make sure to buckle up and wear all the protective gear to enjoy the ride!