I found it to be a change in mindset.
What have we all heard for years?
"Don’t ever give out your passwords. Keep your account details private and secure."
And now, what is the messaging around Open Banking?
"Trust Third Party Providers with your bank information."
Once, however, it has been rinsed, repeated, studied and sculpted, we can see that Open Banking is secure for consumers. The irony is that it is far more secure than some technologies that are prevalent today.
Think of it this way. How secure is contactless? How about screen-scraping?
To get us thinking about security in Open Banking, I have outlined below six reasons why consumers can consider it secure. Prime amongst these is that it uses bank-level security and does not require you to hand over your bank log-in details.
So that’s an immediate improvement.
Cybercrime continues to grow as one of the most negatively impactful forces in modern-day society. Banks and financial institutions direct untold money and resources to stop criminals infiltrating their defences.
For that reason, there has been some reticence from security professionals about the adoption of Open Banking. Opening up bank data to FinTechs and to the customers themselves “increases the attack surface” - that is, there are more avenues for criminals, fraudsters or spammers to get in through.
One does not need to search far to see the crippling effects that viruses, denial-of-service attacks, phishing, keylogging, man-in-the-middle attacks and others can have. The FCA has reported that financial institutions in the UK saw an 80% increase in cyberattacks in 2017 compared to 2016.
An April 2018 study found that “46% of people are concerned about the security implications of open banking-enabled solutions, including theft and data breaches.” The UK Office for National Statistics calculates that 2 in 5 businesses have been affected by cybercrime, with an average cost of £3,000 to each business.
For that reason, it should be unsurprising that cybercrime makes consumers wary of using Open Banking.
The Six Reasons To Trust Open Banking
For those who fear the risk of potential cybercrime through Open Banking, there is one failsafe method, which is to not use it. The two key tenets at the heart of Open Banking are customer-centricity and security. Open Banking has, therefore, been built to ensure that express permissions are required at each stage of a customer’s journey, to optimise for both customer-centricity and security. At any time, a consumer can revoke their consent and Open Banking will cease to apply to them. For customers who decide to go ahead with Open Banking and use apps that require continuous access to accounts (such as account aggregators), consent is required on an ongoing basis.
One distinct advantage that Open Banking has over predecessor technologies is that it is far more secure. In accessing Open Banking technology, customers are directed to their own bank’s login page, which is the only place where they enter their details. In previous technologies, usernames and passwords were submitted to companies who then posed as the customer to access data on an ongoing basis.
Once the customer has logged into their internet banking, Third Party Providers (TPPs) are granted read-only access to customer data. At no point is it possible for any data to be manipulated. No payments can be made without the customer’s direct knowledge and assent.
This is, of course, closely linked to the General Data Protection Regulation (GDPR), which gives individuals far more control over their own personal data. For this reason, any TPP who accesses a customer’s data – with their consent – must stipulate what the data is used for and how it will be held. Customers, as stated, can revoke this assent at any point.
Banks and financial institutions will only share the information that consumers have agreed to share, and no more. For example, if a TPP requests access to account balance and transactions, they will not be given lists of standing orders or direct debits. Open Banking takes place in full compliance with GDPR.
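The consent model described above (read-only access, permissions limited to exactly what the customer agreed, and revocation taking effect immediately) is the check a bank's API has to perform on every TPP request. The example below is an added illustration written for this article, not code from any bank or from the Open Banking standard; the permission names, endpoint paths and TPP identifiers are constructed for the example.

```python
# Added example: a minimal consent-scoped access check of the kind a bank's
# API applies before serving a TPP request. Permission names, endpoints and
# identifiers are constructed for illustration, not the standard's own values.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Tuple


@dataclass
class Consent:
    tpp_id: str                      # the regulated TPP the customer authorised
    permissions: FrozenSet[str]      # exactly what the customer agreed to share
    expires_at: datetime             # ongoing access must be re-authorised
    revoked: bool = False            # customer can withdraw consent at any time


# Each read-only resource needs one specific permission (constructed mapping).
ENDPOINT_PERMISSION = {
    "GET /accounts/balances": "ReadBalances",
    "GET /accounts/transactions": "ReadTransactions",
    "GET /accounts/standing-orders": "ReadStandingOrders",
    "GET /accounts/direct-debits": "ReadDirectDebits",
}


def authorise(consent: Consent, tpp_id: str, request: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Only read requests covered by live consent pass."""
    if not request.startswith("GET "):
        return False, "account-access consent never permits write operations"
    if consent.tpp_id != tpp_id:
        return False, "consent was granted to a different TPP"
    if consent.revoked:
        return False, "consent revoked by the customer"
    if now >= consent.expires_at:
        return False, "consent expired; the customer must re-authorise"
    needed = ENDPOINT_PERMISSION.get(request)
    if needed is None:
        return False, "unknown resource"
    if needed not in consent.permissions:
        return False, f"customer did not grant {needed}"
    return True, "ok"


def demo() -> dict:
    """Customer shared balances and transactions only; then revokes consent."""
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)
    c = Consent("tpp-123", frozenset({"ReadBalances", "ReadTransactions"}), now + timedelta(days=90))
    results = {
        "balances": authorise(c, "tpp-123", "GET /accounts/balances", now)[0],
        "standing_orders": authorise(c, "tpp-123", "GET /accounts/standing-orders", now)[0],
        "payment": authorise(c, "tpp-123", "POST /payments", now)[0],
        "other_tpp": authorise(c, "tpp-999", "GET /accounts/balances", now)[0],
    }
    c.revoked = True
    results["after_revocation"] = authorise(c, "tpp-123", "GET /accounts/balances", now)[0]
    return results
```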
One reason that consumers should feel safe in their use of Open Banking is that TPPs who wish to join the ecosystem must be regulated and licensed by the FCA. This is a strict process and ensures that all firms offering Account Information Services (AIS) or Payment Initiation Services (PIS) are fully accountable. A full checklist of how a firm becomes regulated can be found on the Open Banking Implementation Entity (OBIE) website.
5. Opportunity or Drawback
Understanding that security is only as strong as its weakest point does not have to be a drawback for banks in their fight against fraud and cybercrime. Open Banking has rightly raised a number of questions from experts. Having listened to queries and concerns, financial institutions can take the opportunity to remedy them, thus turning potential weaknesses into a strength.
As we wrote in an accompanying piece last week:
"The UK has adopted OAuth 2.0 security to ensure transactions between banks and TPPs are secure and cannot be hacked. OAuth 2.0 is industry-recognised and widely used as a secure method for securing digital identities. OAuth 2.0 is a protocol that allows applications limited access to user accounts on an HTTP provider, such as Facebook. However, at the same time, it only supports those service providers that are regulated by the FCA.
"Security has therefore been built into the heart of Open Banking. By only granting API access to a limited volume of actors who are all authorised by the FCA, and using OAuth 2.0 encryption, the ecosystem has been deliberately stringent in their security needs. Perhaps most importantly for the customer however, is that Open Banking is never opt-in, and nothing will ever happen without their express consent. This is critical to giving consumers clarity and confidence in the system."
We'll tackle the issue formally at a later stage, but it could well be that the biggest challenge to thinking about Open Banking is the mindset that we “are giving away our data”.
It is for this reason that we are inclined to worry about the security implications of Open Banking.
But once we ‘look under the bonnet’ we can see that Open Banking has been built sensitively towards security concerns. The FCA and OBIE have very deliberately required that providers be regulated by the FCA and their details searchable on the respective websites, as well as building the platform on OAuth2 security and requiring consumers’ express consent to continue at all stages of the journey. All of these factors combined should instil confidence in the system.
When this is fused with GDPR regulations, we can see that consumers have far more control over their data than ever before. Where banks or financial institutions have identified potential weaknesses, they have had an opportunity to upgrade or improve their procedures - this is also to be welcomed.