Get the latest digest on business and technology trends straight to your inbox.
Behind the promise of open banking lies the shadow of serious security considerations, made more urgent in a multi-cloud world. Find out how to win customer trust and realise the full potential of open banking with a proactive, holistic security approach.
Open banking has the potential to usher in a whole new era of financial services. The prospect of democratised data across banks and unaffiliated parties could mean new and personalised products and services for customers, new revenue streams for banks and a sustainable service model for traditionally underserved markets.
But the success of open banking hinges on the capabilities of FSI’s cybersecurity partner, and customers’ willingness to embrace it. After all, the concept pivots on the seamless and secure sharing of large volumes of customer data across intelligent application programming interfaces (APIs). Cybersecurity and data privacy are thus a critical concern, with 48% citing it as a reason for their wariness of open banking.¹
This concern is with good reason. The introduction of open banking will widen the industry’s attack surface: from 2017 to 2018, 463.3 million attacks were aimed at financial services APIs; in 2018, 81% of open banking related breaches happened due to stolen or weak passwords; and crucially, banking data in the hands of fintechs and third parties with weaker security standards make them prime targets for cybercriminals.²
To mitigate the risks of such a banking model, many countries around the world have put in place regulations to protect personal data and standardise the way banks and third-party providers (TPPs) handle open banking. The particularities differ from region to region, but it is imperative to heed some of the core principles across these mandates to ensure that open banking is implemented safely and effectively for all parties – for the good of customers and for FSIs.
1. Make sure users are who they say they are
According to a report³, 80% of all hacking-related breaches leveraged either stolen and/or weak passwords, a trend that continues through 2020 in the FSI space⁴.
This highlights the pressing need for banks, fintechs and TPPs to step up their authentication controls. Before granting access to their system, players need to ensure that non-affiliate partners and individual users are who they say they are. The technology for doing so already exists – in fact, some regulations mandate that user authentication includes a minimum of two factors, influencing the rise of one-time passcodes (OTPs) via SMS or email, multi-factor authentication and biometrics.
2. Consent is key
FSIs are obligated under Singapore’s Personal Data Protection Regulations (PDPR) and Hong Kong’s Personal Data Protection Ordinance (PDPO) to respect customer rights and privileges. Gone are the days of unfettered data collection and use – now data can only be shared with the explicit consent of the user, and proposed amendments to the PDPO even specify a clear data retention period to bring it in line with international standards. In Singapore, FSIs are further obligated under the Technology Risk Management (TRM) notices, which require banks to put in place IT controls to prevent the unauthorised access or disclosure of customer information.
Various controls do exist. Popular in the industry are OpenID and OAuth2 for secure authentication and authorisation across sites. These do not protect against every threat (phishing, for example), but they can be strengthened with additional mechanisms such as mutual Transport Layer Security (TLS) or Proof Key for Code Exchange (PKCE) to prevent malicious actors from getting a foot in the door.
3. Secure transactions in all states
A key feature of open banking is the sharing of customers’ personal or business current account information across entities. This means opening up communication portals and customer account details through APIs and to TPPs that sit outside the banks’ secure perimeter. This makes data susceptible to compromise in transit, at rest or in use, especially if security protocols at TPPs are not clearly defined. The catch: banks may still be held responsible for any exposure of that data.
Beginning with rigorous Know Your Customer (KYC) protocols, banks also need to establish a secure foundation – building robust networks and communication channels with a trusted provider. Transaction monitoring enabled by artificial intelligence and machine learning can keep FSIs on top of suspicious activity, while encryption technologies can keep data in transmission or in storage indecipherable to malicious actors. Most importantly, all players in the open banking ecosystem should promote communication and collaboration to collectively protect the data that is so key to the success of open banking.
4. Protect vulnerable APIs
APIs are the core of open banking initiatives, powering and enabling the exchange of data between banks and non-affiliate institutions. There is a dark side – APIs can also expose the inner workings of applications and sensitive information. By 2022, Gartner predicts that API abuses will become the most frequent attack vector. In fact, Capital One fell prey to an API-related breach in 2019 that exposed the information of 100 million customers.
Strong customer authentication already forms part of the solution. To manage the risk further, Singapore’s regulators recommend maintaining FSI risk catalogues across APIs, while other international guidelines point to specialist counter-fraud operations.
5. Adhere to existing security standards
FSIs are familiar with existing security standards and regulations, some of which explicitly lay out guidelines for open banking. Developed by MAS and the Association of Banks in Singapore (ABS), Singapore’s API Playbook calls out the ISO 27001 and ISO 22301 standards, which can be used to secure assets exchanged over APIs and stored in hosting environments, and to ensure business continuity in the event of disruption. PCI DSS lays out further guidelines for payments firms.
Compliance continues to be critical and lays a solid foundation upon which to build up open banking safeguards for a secure and effective implementation.
Implementing open banking security controls may seem like a daunting task, but such controls are essential to realising open banking’s true potential to accelerate innovation and deliver new and better ways of banking to customers. This is a new and exciting field – businesses should consider a partner with broad cybersecurity expertise and deep financial services industry knowledge to help them navigate the regulations and requirements with greater ease and confidence, and make open banking a reality.
Let us help with your open banking initiatives.
¹ Ernst & Young, Five approaches to secure open banking, 2019.
² PYMNTS, Deep dive: Reducing the security risks of open banking, 2020.
³ LastPass, Passwords are still a problem, 2019.