Open Banking: What Does it Mean for Security?
Written September 28, 2022
This article is Part 1 of KeyData’s Open Banking series.
What is and what is not Open Banking? What does an Open Banking Framework look like? How can we design identity security for open banking?
With share of wallet expanding across different financial institutions in Canada, consumers are choosing to move their money to maximize the value and return of their assets. As funds are spread among financial institutions, consumers spend a considerable amount of time and effort accessing each service provider individually. Herein lies the benefit of open banking.
Think of open banking as an ecosystem that enables secure sharing of consumers' financial data between participants in order to provide value to those consumers. The Canadian Department of Finance describes it as "A framework where consumers and businesses can authorize third-party financial service providers to access their financial transaction data, using secure online channels." In open banking, financial organizations give providers access to information, opening the way to new products and services that are tailored to consumers' needs, and saving consumers time by giving them access to all their financial data in one place.
Open banking is not yet available in Canada, but it is available in other countries such as Australia and the UK. The Government of Canada continues to review the merits of open banking, and in a recently released report its advisory committee recommended that a formal open banking system be in place by 2023.
How Open Banking Works
Open banking allows vendors and developers to build applications that can leverage a financial institution’s internal services through application programming interfaces (APIs) so they can offer services that meet customers' needs. Unlike the traditional private and partner APIs used within the banking organization to enhance operational efficiency, open banking leverages open APIs that make data available to third parties. The undertaking works with online and mobile banking to provide apps and web services where users can choose new financial products and services from a wide range of providers.
The Open Banking APIs State of the Market Report 2022, which investigates how leading financial institutions "have matured to a platform approach to extend their reach into new markets," reveals that open banking platforms are still evolving and will continue to do so, as data sharing has been met with suspicion and misunderstanding. Consumers are still getting comfortable with sharing their financial data and require further education. COVID has driven adoption of open banking as more and more consumers want to access services remotely.
There is a lot of potential for open banking in Canada, where financial institutions hold immense power. Since open banking leverages API technology, the Canadian Department of Finance believes that the timely development and implementation of an open API banking standard offers a tool with tremendous potential to transform competition within banking.
In the UK, open banking was made a regulatory requirement 4 years ago, and the market saw a 60% increase in new customers from 2020 to 2021. The momentum continues into 2022 and beyond, with 10 – 11% of digitally-enabled consumers now estimated to be active users of at least one open banking service. Open banking payments are expected to reach $116B per year by 2026.
Security Risks Around Open Banking
Undoubtedly, open banking has inherent risks. Customer data processed by financial institutions that have open banking relationships with other services is exposed to third parties. In effect, if a vendor experiences a breach, the incident could expose clients' information to cybercriminals.
Data security, privacy breaches, cybercrime, and fraud remain the most significant concerns with open banking. Indeed, these risks have affected the financial sector for a long time. Still, open banking potentially magnifies the impact of cybersecurity incidents when they happen, resulting in:
- Substantial financial losses
- Reputational damage
- Erosion of stakeholder trust for banks
The positive aspect of the banking sector, according to previous surveys, is that financial institutions have more advanced security requirements in place than other businesses. A survey conducted by Deloitte and Touche LLP and the Financial Services Information Sharing and Analysis Center found that financial institutions spent 15 percent more protecting their systems and networks in 2020 than they spent in 2019. The survey also revealed that cybersecurity spending per employee increased to $2,337 annually, with some banks expected to spend more than $3,000 per employee.
All the same, banks need to reassess their security strategies in the world of open banking. This is not to say that organizations require new security capabilities. Instead, embracing open banking requires improving the level of coverage and stringency, meaning that financial institutions should review their existing security architectures to identify and mitigate the risks of external-facing applications and services.
As consumers trust the financial industry with their personal and financial information under open banking models, one crucial security control is to ensure that users have secure identity methods to keep their information safe, which is the focus of the next section.
Identity Security for Open Banking
User identity and access management is an evolving area that helps organizations understand user behaviours and patterns, grant access, and detect anomalies as they occur. It involves various authentication and identification patterns, which are an integral part of everyday life. Today, digital transformation and the COVID-19 pandemic have accelerated the need for organizations to rethink approaches to enhancing remote identity verification to facilitate safe day-to-day interactions.
By and large, financial institutions have established a trusted position in identity security and management, with successful examples where banks drive the adoption of reliable IAM platforms. As the industry embraces open banking infrastructure, financial service providers can meet the rising demand for IAM platforms by utilizing open banking API-based secure frameworks that allow users to authenticate themselves to third parties. In other words, financial institutions now require a series of complex checks to validate user identity and grant access to products and services while mitigating privacy and data security challenges.
Example User Journey for purchasing an investment asset
1. A user accesses an application provided by a 3rd party that requires information from their bank account. For example, they are purchasing an investment asset offered by a fintech provider.
2. The application sends an intent requesting bank account data for the user.
3. The bank's authorization server receives the request and asks the user to authenticate and to consent to sharing the bank account data with the application.
4. The user authenticates and grants the consent (e.g., the ability for the 3rd party application to read account details).
5. After consent is granted, the application requests read access to the user's account details. The access is given, and the data is shared with the application.
6. The application now has the account details and can continue its process of offering the investment asset.
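The consent flow in steps 2 to 6, modelled as a minimal OAuth 2.0-style exchange between a third-party app, the bank's authorization server and the bank's data API. This is an added illustration, not code from KeyData or from any open banking standard; the scope names (`accounts:read`, `payments:write`), the client id, the user and the account balance are all constructed, and token expiry and revocation are not modelled. The point it demonstrates is that data is released per consented scope, not merely per valid token, so an app that was granted read access cannot initiate a payment.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthorizationServer:
    """Bank-side component (step 3): records intents and issues scoped tokens."""
    consents: dict = field(default_factory=dict)  # intent_id -> requested scopes
    tokens: dict = field(default_factory=dict)    # token -> {user, scopes}

    def register_intent(self, client_id: str, scopes: set) -> str:
        # Step 2: the app declares what it wants before any user is involved.
        intent_id = secrets.token_hex(8)
        self.consents[intent_id] = {"client": client_id, "scopes": set(scopes)}
        return intent_id

    def grant_consent(self, intent_id: str, user: str, approved: set) -> str:
        # Steps 3-4: the authenticated user may approve only what the intent asked for.
        requested = self.consents[intent_id]["scopes"]
        if not approved <= requested:
            raise ValueError("cannot approve scopes the intent never requested")
        token = secrets.token_urlsafe(16)  # constructed bearer token, no expiry modelled
        self.tokens[token] = {"user": user, "scopes": set(approved)}
        return token

@dataclass
class ResourceServer:
    """Bank-side API (step 5): releases data only for the scope actually consented to."""
    auth: AuthorizationServer
    accounts: dict  # constructed sample data: user -> account details

    def _grant(self, token: str, scope: str) -> dict:
        grant = self.auth.tokens.get(token)
        if grant is None or scope not in grant["scopes"]:
            raise PermissionError(f"missing {scope} consent")
        return grant

    def read_account(self, token: str) -> dict:
        return self.accounts[self._grant(token, "accounts:read")["user"]]

    def initiate_payment(self, token: str, amount: float) -> str:
        return f"payment of {amount} for {self._grant(token, 'payments:write')['user']}"

def run_journey(approved: set) -> dict:
    """Steps 2-6 for a fintech app; reports what the consent actually allowed."""
    bank = AuthorizationServer()
    api = ResourceServer(bank, {"alice": {"balance": 1250.0, "currency": "CAD"}})
    intent = bank.register_intent("fintech-app", {"accounts:read", "payments:write"})
    token = bank.grant_consent(intent, "alice", approved)
    result = {"account": api.read_account(token), "payment": None}
    try:
        result["payment"] = api.initiate_payment(token, 100.0)
    except PermissionError as exc:
        result["payment"] = str(exc)  # step 6 proceeds with account data only
    return result
```

Calling `run_journey({"accounts:read"})` returns the account details but a `missing payments:write consent` message for the payment, while approving both scopes allows the payment; a user cannot approve a scope the intent never requested.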
Want to learn more?
If you are a financial institution looking to mature or simply review your IAM framework to better enable open banking, KeyData can assist you on your IAM journey. KeyData's flagship service is Identity and Access Management (IAM). We concentrate all our efforts on IAM. The KeyData advantage is based on our people and our knowledge. Our team is made up of a highly skilled group of engineers and consultants who specialize in Identity Governance and Administration, Privileged Access Management, Customer Identity and Access Management, and Cloud Security Posture Management. Our team has a strong track record of providing end-to-end IAM services, from requirements gathering and roadmap development to full implementation, training, and managed support. Don't hesitate to get in touch with us right away for a free initial consultation.