Banks must ensure their security keeps pace with Open Banking regulations in order to maintain customer trust.
Understandably, customers may have reservations when it comes to sharing their data via Open Banking. It is therefore important that financial services organisations communicate what has been done to ensure that security is paramount.
Access to Open Banking APIs is only possible for apps that have been authorised by the FCA, and the APIs themselves are subject to rigorous testing. Furthermore, the transfer of customer data must be authorised by the user and cannot happen without their consent.
Open Banking regulations, such as the European PSD2, and other privacy laws, including GDPR, are designed to further protect customer privacy.
While attacks on APIs and applications are impossible to totally rule out, Open Banking is essentially no less secure than online banking.
Jacquelyn Painter, Senior Manager, Solutions Product Marketing for Financial Services at Okta, explains that customer control is at the heart of Open Banking security:
"Security was what PSD2 was really looking at when you talk about Open Banking and giving customers control of their data. We see this outside of banking as well. Consumers are the new perimeter in terms of security. It's really about securing that identity because a lot of people don't know the best practices. It really has to be on the bank to look at what consumers. They are this new identity, especially with Open Banking and being in control of their data.
"What do they implement to make sure that that's secure? One aspect of it is when you're opening up these Open Banking APIs, you need to be able to give a level of detail, fine grained authorisation, on what information they're willing to share. So, if I am using an application or a vendor that takes all of my bank accounts and puts it into their platform, so that I have one view of my finances, I should be able to pick what I want to be able to share within each of these bank accounts at a granular level."
Secure by design
It is important for organisations to review their security architecture to ensure it keeps pace with developments in Open Banking, with tools such as customer identity and access management useful for bolstering security. Furthermore, ensuring privacy and transparency are baked into product design is vital for retaining customer trust.
Painter is an advocate of the secure by design approach:
"Identity is a crucial part of this puzzle as the consumer's identity needs to be secure. There's also customer data privacy that must be enforced and there needs to be very strict controls in terms of how that data is shared and how the consumer is giving approval in the first place. Furthermore, you should go beyond that when you make a transaction or you are authenticating into an application, to ensure that strong measures are in place and fraudulent activity isn't happening. But, when you're creating these extra security measures, they need to be frictionless because consumers don't want to always be asked to type in a password or an answer to a question."
Ensuring that security is of the highest standard may mean playing to the strengths of partners, often from industries outside of financial services.
For example, last year fine-grained authorisation and governance solution provider Cloudentity announced it was partnering with API integration platform provider Axway on zero trust authorisation for Open Banking services.
For Painter, it's about collaboration:
"As banks, especially these bigger institutions, look to go beyond Open Banking and towards Open Finance, embedded finance and this Open Economy concept, they do need guidance. We've had customers say to us before, 'we started building this on our own but now we need help as we're not in the identity business, we're not in the security business, we're in the banking business'. So, it's very hard for them to keep up with the evolving mandates and regulations and security enhancements that are needed."
To find out more about the opportunities, challenges and future of Open Banking, read Computing's full report on the topic.
This content is sponsored by Okta