Article
Written by Molly Rumbelow
Posted on 03/07/2018

Open Banking: Brave new world or cyber security nightmare?


Since the 2008 recession, governments across the globe have been working tirelessly to address the lack of transparency within financial services. In Europe, the result of this work is the creation of the second Payment Services Directive (PSD2), which aims to bring regulation up-to-date with developments in the market and promote further innovation. It also aims to improve consumer protection by making payments more secure, and to drive down costs. These objectives are underpinned by a comprehensive set of legal requirements set by EU governments.

PSD2 is a key step towards establishing ‘Open Banking’ – a secure way for consumers to give approved providers access to all their financial information, enabling them to manage their finances in one spot. There’s no denying that this directive is going to change the current banking landscape as we know it – not just for the consumer but in the way the banking infrastructure works as a whole and interacts with other industries too.

A change as broad and complicated as this brings with it a world of opportunities, but also introduces a new level of risk: risk that, if not taken into proper consideration, could have an impact on consumers, companies and even governments themselves.

In this series of articles, we’ll be taking a look into these risks, and how to protect consumers and companies alike.  

Who has access to my data?

To start with we’ll take a look into the risks associated with opening up access to bank accounts, and therefore personal data, to third parties via the use of APIs.

At the moment it isn’t easy for consumers to access their current and previous financial history in one place. There are apps out there designed to help with money management, but they currently require consumers to log onto each of their banking systems and allow the app to ‘screen scrape’ the data. However, with the arrival of Open Banking, financial institutions must allow third party companies to access their APIs. This ends the requirement for screen-scraping as direct access to their data can be granted by consumers. 

At first glance it seems that this move will be welcomed by consumers. A recent report by PwC shows that as many as 39% of bank consumers would share their data with other banks and third parties in return for the benefits of viewing their accounts in a single app or having an easier and cleaner way to compare products. But, since this report was published, the topic of data-sharing has become much more controversial. The most obvious and recent example of data being misused is the Facebook/Cambridge Analytica scandal. And to say it’s left a bitter taste in people’s mouths would be putting it mildly.

What protection is already in place?

While GDPR is going to go a long way to curtail malpractice in the cross-sharing of data between companies, the idea that dodgy data selling will be completely eliminated is naive. Both the banks and third-party companies will need to create clear consent strategies and systems so that they can monitor exactly what data consumers have allowed access to, and to whom.

There is a huge regulatory and legal onus on banks and third-party companies to make sure consumers understand what data will be taken and for what purpose. They also need to allow consumers to quickly and easily take away rights to their data whenever they wish. 

Larger banks such as Lloyds Banking Group will be under scrutiny given the complexity of their legacy systems, as will HSBC due to its international status; both therefore need to comply with varying levels of legislation. Smaller Fintech firms like Monzo and Atom Bank will also be under a microscope to make sure their infrastructure can remain compliant given their speed of growth.

Despite the recent data scandals and renewed focus from regulators, banks have been fairly confident that the risk of personal data theft is one they will be able to minimise. 

This confidence may be misplaced, however, if TSB’s recent example is anything to go by. During the system issues that accompanied its migration, customers were mistakenly sent other customers’ details, further reducing customer trust in companies’ ability to keep their information secure.

It’s not just about you…

While personal data may have been taking up the column inches in the news, it’s the transactional data itself, such as bank account numbers and payment details, which could have catastrophic consequences in the hands of the wrong people. And this is where banks have acknowledged a need to create more comprehensive processes to mitigate the fraud risks that come along with this. It will take some careful thought, as adding more layers into banking processes means there are more ways that it could become vulnerable and therefore open to manipulation.

Investment in larger, more focused fraud teams will need to be a key part of an organisation’s strategy going forward. Understanding consumer spending behaviour so that fraud can be easily identified will also require constant attention and innovation. Both the banks themselves and the third parties will need to make sure they have the capability for ‘live’ data mapping, i.e. knowing exactly what data is going where at any given time. 

Staying clued-up about fraud

Whereas the fraud mentioned above relies on finding vulnerabilities in the processing of data itself, mandate fraud relies on the manipulation of consumers. This type of fraud is when someone gets a consumer/business to change a standing order, direct debit or bank transfer mandate so payments are not sent to the intended recipient – but to the fraudsters instead. 

[Image: Action Fraud flyer, an example of advice on how to counter mandate fraud]

Mandate fraud doesn’t just affect the consumer and their bank – the third-party company impersonated by the fraudster could also lose revenue. So, the onus will be on all companies to ensure their consumers, both in the retail and B2B space, are aware of the risks and are educated in how to identify fraudulent requests.

Any clued-up company is going to do all it can to avoid any broad-based change that could be manipulated while Open Banking beds down (e.g. changing bank accounts, payment terms etc). If these types of changes can’t be avoided, then a comprehensive communication strategy needs to be woven into the change process to make sure its colleagues, consumers and suppliers are educated and therefore protected. 

What does the future hold?

If handled correctly, there will be a lot to gain from a more connected and transparent financial landscape. Open banking has the potential to make consumers’ lives much easier, by helping them to make the most of their money. But the changes need to be monitored carefully and risks responded to quickly. This will be the key to whether this will be a huge win for the consumer, or a huge headache for their financial security.