How to Secure Open Banking
Written October 12, 2022
This post is part 2 of KeyData’s Open Banking article series.
In part 1 of the series, we introduced open banking, covering areas such as the state of open banking in Canada, industry insights, security risks around the open banking framework, and identity security for open banking. This article will look at ways to secure open banking, drawing attention to approaches to securing open banking and some of the open banking security standards.
As we mentioned in part 1, open banking is rapidly becoming a global phenomenon as open banking platforms and infrastructure keep growing worldwide. Banks are opening APIs for FinTech to access and integrate with client data for improved customer experiences. What’s more, the open banking trend results in an expansion of the banking ecosystem and an immediate revenue increase for financial service providers.
What are the Open Banking requirements?
Open Banking provides a way for users to share their account data with TPPs through APIs. Several requirements need to be met to secure this transaction, including:
- Authorization and Consent: Users need to authorize TPPs to request account data on their behalf. They must also be able to revoke consent granted to TPPs when they want.
- Authentication: User authentication with the bank must support multiple factors. Mutual authentication between TPPs and the bank is required.
- Data Access: Bank APIs must be protected and must demand user consent before a TPP may request access. Requests by TPPs may carry additional security parameters and must follow agreed standards to establish trust with the bank.
Open Banking Framework Brings Significant Risks
Undoubtedly, the open banking ecosystem is only in the first stages of opening in Canada, and it’s snowballing. Open banking initiatives, such as the Canadian Government’s Advisory Committee on Open Banking, propose that banks adopt an open framework to allow tightly-controlled third-party providers (TPPs) to integrate with them. With such an interface, TPPs can access customer bank information and accounts, initiate payments, and perform other activities to improve the customer experience.
However, this shift towards an open banking ecosystem belies an essential fact that banks cannot afford to overlook. Introducing TPPs through open banking initiatives improves the online banking journey but also introduces adverse impacts. Bank data is undoubtedly a sensitive point of interaction with inherent cyber threats. Open banking relationships typically expose confidential and sensitive customer data to third-party risks, including data security, privacy breaches, cybercrime, and fraud. Such cybersecurity threats have impacted the financial sector for quite some time, and open banking potentially expands the attack surface and magnifies the impact of cybersecurity incidents. The concept leaves scarce security teams stretched thin. When a cyber incident occurs, it results in substantial financial losses, reputational damage, and erosion of stakeholder trust for financial service providers.
Mitigating Risks with Open Banking
How can we provide an open banking ecosystem while maintaining data security and privacy? How do we enable users to securely grant TPPs consent to access their account data? What are the leading-edge bank-grade security standards and approaches that we can leverage to ensure financial service providers improve their security postures and meet stringent regulations in an open banking setup?
There is a wide range of open banking security standards and controls that financial service providers can leverage to protect sensitive information, authenticate TPPs, and share authorizations among players in the new banking ecosystem while providing an improved end-user experience.
What Open Banking Security Standards Can We Leverage?
Are banks ensuring security and meeting their regulatory compliance commitments, or are they just pushing their API agendas and competitive products through open API models? Financial institutions need to secure the new paradigm to achieve reliable, competitive services and improve revenues through open banking. As open banking stakeholders create different API standards to secure and evolve the ecosystem, they can adopt the following standards to control activities like data sharing, authentication, authorization, and credential delegation.
Mutual Authentication over Transport Layer Security (mTLS) ensures that parties use an encrypted TLS session to authenticate each other and prove who they are by presenting and validating certificates. Banks and TPPs must support the mTLS standard as it effectively mitigates cybersecurity threats, including man-in-the-middle, replay, and spoofing attacks.
mTLS is only one piece of the picture, as other standards serve the same purpose. The EU standard for electronic identification, the electronic Identification, Authentication, and Trust Services (eIDAS) regulation, comes a close second. eIDAS certificates are a critical part of the identity and access management protocols that govern secure data exchange between open banking ecosystem participants. In other words, the standard is integral to consent journeys involving the sharing of sensitive financial information. Identity solution providers work with various technologies to implement eIDAS and other standards, which are mainly frameworks that require actual products and implementation work to protect digital identities in open banking.
OAuth 2.0 is a leading standard that supports a wide array of initiatives, including open banking, whereby a user can allow a third party to act on their behalf when accessing information. The standard requires using an OAuth access token instead of usernames and passwords, enabling financial service providers to share information securely. In other words, once a customer authorizes a TPP, the TPP can access sensitive data and interact with the customer’s bank accounts through the APIs provided by their bank.
OAuth on its own supports the use case of sharing bank account information but falls short for payment transactions without the extra security and features provided by OpenID Connect.
The OpenID Connect (OIDC) standard is built on top of OAuth for delegated authentication. The model enables a relying party (the TPP) to defer user authentication to an OpenID provider (the service provider responsible for authenticating end users/account holders).
The TPP receives an identity token asserting the user’s identity; for open banking, that token can carry user banking information (e.g. bank account numbers), which allows the payment use cases to be supported.
We can go even further and implement the Financial-grade API (FAPI) on top of OpenID Connect to provide extra security for open banking ecosystem participants. Financial service providers can use the draft standard to configure financial API security solutions. FAPI defines recommended flows, configuration parameters, and signing and encryption algorithms for OAuth and OIDC implementations, thereby improving security and mitigating prevalent cyber risks and attacks.
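As an added example (not part of the original article or of KeyData’s products), the Python below shows the resource-side check behind the certificate-bound access tokens (RFC 8705) that FAPI profiles require: the bank API honours a token only if its cnf.x5t#S256 claim matches the TPP certificate presented on the mTLS connection. It assumes the token signature was already verified by a JWT library and that the gateway supplies the client certificate in DER form; all sample data is constructed.

```python
"""Resource-server check for a certificate-bound access token (RFC 8705).

Added example, not KeyData's code. Assumes the JWT signature and issuer were
already verified by a JWT library (only decoded claims are handled here) and
that the TPP's DER client certificate is handed over by the mTLS gateway.
"""
import base64
import hashlib
import hmac
import time


def x5t_s256(cert_der: bytes) -> str:
    """base64url (unpadded) SHA-256 of the DER certificate, RFC 8705 section 3.1."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_bound_to_cert(claims: dict, cert_der: bytes, now=None):
    """Return (accepted, reason). The API honours the token only if it is
    unexpired and its cnf thumbprint matches the certificate on this connection."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False, "token is not sender-constrained (no cnf.x5t#S256)"
    # A matching thumbprint proves the caller holds the private key the token
    # was bound to; compare_digest avoids a timing side channel on the compare.
    if not hmac.compare_digest(cnf["x5t#S256"], x5t_s256(cert_der)):
        return False, "presented certificate does not match token binding"
    return True, "ok"


# Constructed stand-ins for DER certificates (not real X.509 data).
TPP_CERT_DER = b"\x30\x82\x01\x0a constructed TPP certificate bytes"
OTHER_CERT_DER = b"\x30\x82\x01\x0a constructed certificate of another client"

# Constructed claims as a FAPI-style authorization server would issue them.
SAMPLE_CLAIMS = {
    "iss": "https://as.example-bank.test",
    "sub": "customer-123",
    "scope": "accounts",
    "exp": 1_700_000_600,
    "cnf": {"x5t#S256": x5t_s256(TPP_CERT_DER)},
}

if __name__ == "__main__":
    print(token_bound_to_cert(SAMPLE_CLAIMS, TPP_CERT_DER, now=1_700_000_000))
    print(token_bound_to_cert(SAMPLE_CLAIMS, OTHER_CERT_DER, now=1_700_000_000))
```

The same token presented from a different TLS client, or after its exp, is rejected even though the signature is valid, which is the property a plain bearer token lacks.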
Open Banking Security Strategy
Apart from open banking security standards, what are some of the techniques and approaches for implementing a secure open banking ecosystem?
Transparency and Encryption
As the name suggests, openness is a significant force in the open banking ecosystem. The new paradigm offers consumers greater control of their data, allowing them to gain a deeper understanding of the ecosystem’s benefits. Open banking participants can develop trust with consumers through transparency. Besides, it is a regulatory requirement for banks and TPPs to inform customers about what their information is being used for and how they can control it.
Transparency applies between data subjects and financial service providers. The counterpart of this requirement is encryption, which protects sensitive information shared between service providers in the open banking ecosystem. Encryption protects sensitive information from cyberattacks both in transit and in storage.
AI for Smarter Cybersecurity
Open banking participants can employ artificial intelligence in transaction monitoring to spot and flag suspicious activities among millions of payments and other transactions every day. Also, open banking systems broaden the pool of data and provide clients’ profiles across several institutions. Such a setup improves the AI’s capabilities to detect and flag unfamiliar activities, resulting in secure banking for depositors and improved regulatory compliance.
Authorization and Authentication
Open banking participants can collaborate with strong regulatory authorities to ensure that any apps or services requesting sensitive financial and personal information can be trusted. The Government of Canada Standards on APIs provide guidelines on standardizing APIs to better support integrated digital processes across entities. Such regulatory bodies reassure consumers and allow them to check the authenticity of apps and services requesting their bank data. Open banking ecosystem participants can also implement multifactor authentication, which adds another security layer.
Banks and TPPs can partner with cybersecurity leaders like KeyData to implement robust authorization and authentication solutions. Open banking participants can deploy a risk-based framework and unique methodology, along with cybersecurity expertise and experience in areas of identity access management (IAM), privileged account management (PAM), and customer identity access management (CIAM), enabling the financial sector transformation through system integration services.
Proactive Cybersecurity through Collaborative Intelligence
Threat intelligence in the open banking model can help the industry proactively detect threats and hunt through systems for prevalent and emerging vulnerabilities. This control flags issues before cybercriminals gain the upper hand. With many players in the ecosystem, participants can share more data and insights, improving the financial sector’s effectiveness in taking the fight to hostile attackers rather than passively waiting to respond to cyber incidents.
Ultimately, securing open banking is mutually beneficial for the entire digital banking ecosystem. Secure open APIs offer platforms that drive collaboration and information sharing between banks and TPPs, even competitors, to create reliable financial service infrastructure for consumers. Despite the inherent cybersecurity risks at sensitive banking sector touchpoints, open banking participants can leverage the above standards and controls to improve security and ensure every stakeholder plays by the same rules. Besides providing security and data privacy, open banking security standards and approaches allow companies to focus on innovation and improve customer-facing products by freeing their resources from noncompetitive activities.
Contact KeyData today to learn more about Open Banking and to ensure you have the right identity solution in place to support your open banking initiative.