The Ultimate Guide to Open Banking Security
Open banking offers consumers access to new and more competitive financial services, and it is fast becoming a worldwide phenomenon: there were approximately 12.2 million users in Europe in 2020, forecast to grow to 63.8 million by 2024. But building and maintaining a secure ecosystem will be vital to ensure this growth continues and the system has long-term success.
EY research reveals that of those who have negative opinions about open banking, 48% cited data and cybersecurity concerns as their reasons for those negative opinions.
Security will be a major factor in the future of open banking. In this article, we will discuss the rising concern of security in open banking and what businesses can do to ensure their funds are secure.
Open Banking security: What is the problem?
The challenge for open banking and payment service providers (PSPs) in Europe is to connect around 4,000 ASPSPs (Account Servicing Payment Service Providers) with the fast-growing number of potential open banking partners.
API (Application Programming Interface) access underpins open banking. Essentially, APIs allow for fast sharing of data and ease of platform connectivity. This helps financial services connect with trusted partners who provide open banking solutions.
However, APIs also present a big challenge from a security perspective. This is especially true in Europe, where the landscape is fragmented, with multiple standards and often bespoke APIs.
There are currently no globally consistent security standards to which Third Party Providers (TPPs) adhere, although there are some country-specific standards that are broadly robust. Europe has mandated open banking through its payment services directive, also known as PSD2, which was established in September 2019. This framework formalised the relationship between European banks and FinTechs and mandated that European banks must give regulated TPPs access to their banking infrastructure via APIs.
However, there is no universal standardised API in Europe, or in the UK, that these banks must meet. While the PSD2 regulation makes a good start on security, it does not specify details about the APIs. TPPs can create APIs how they wish, with only the technical framework conditions being specified. The clear issue stems from some APIs being developed with a higher priority on security than others. Bad actors will quickly find the weak link among these APIs, and when a sensitive data exchange takes place between clients of a bank and a TPP, that weak link is a ripe opportunity for attack.
How can Europe mitigate open banking security risks?
Collaboration and standardisation
PSD2 mandates that TPPs must identify themselves to ASPSPs to gain access to accounts and to connect with banks. The ASPSP then needs to authenticate the payment service user.
When data is being exchanged during this process, personal and financially sensitive information must be kept secure and not be accessible by anyone other than the bank and the TPP. For this to happen, all parties involved must collaborate.
Currently, all TPPs need to be licensed by a European financial services authority. However, banks across the globe are launching their own open banking APIs without the need for TPPs, which will cause further security gaps due to multiple standards based on individual, organisational security protocols.
To build a secure ecosystem for consumers, collaboration and standardisation need to be a priority for all involved. Not only between banks and their FinTech partners but also between regulators and government agencies.
We may see greater standardisation coming in future, as protection against payment fraud is high on the agenda for the PSD3 consultations. The revised directive will possibly look to ensure top-level consumer protection. However, PSD3 is still far off and will probably come into practice in the next three to five years. There is much work to be done in the meantime.
Another security area that TPPs and banks must improve is transparency. Transparency is paramount to building trust with consumers and creating high-level security protocols.
In Europe, businesses are legally required to inform customers about what their data is being used for, how they can control it, storage procedures and how the business is audited and regulated. There is already a fair amount of regulation around data privacy and an established culture of transparency.
The idea behind open banking is to give customers control over their data, which means they can opt out of these platforms whenever they choose. As such, TPPs and banks should feel encouraged to provide greater data protection for their customers.
Another hurdle to overcome is consumer education. There needs to be collective education about the possibilities that open banking provides and guidance on how to behave securely when sharing financial assets and personal data with TPPs. But there is the looming question of where the responsibility for this education lies. Is it up to governments and regulators to educate? Or should the responsibility fall on the businesses and providers that are bringing open banking products to the market?
Secure Open Banking with Brite Payments – the next generation of payment solutions
Open banking may have some security concerns, but those bringing the products to market can work to minimise the risk. Much of the responsibility to improve open banking security in Europe will fall to regulators to create a standardised API security framework for banks and TPPs to adhere to, which we may see come to light in the years ahead.
Brite Instant Payouts is an open banking service that allows you to securely and instantly receive money from your customers in one click, removing risk, improving cash flow, and reducing commission fees. If your business needs to transfer money fast and safely… let’s talk.