Vaclav Maska at HID Global explains how new opportunities can be unlocked by going beyond regulations.
It is no understatement to say that open banking is transforming the way that financial institutions operate — and the way consumers move and use money. By empowering banks to share account information in a secure, standardised format with other authorised organisations, open banking is increasing transparency, facilitating collaboration and opening up new product opportunities.
While most of the world is striving to meet the so-called “European standard for open banking” and aspires to implement directives similar to the Revised Payment Services Directive (PSD2), it is important to realise that open banking is still at a very early stage and is unfolding unevenly across Europe.
APIs are the technical foundation of the Open Banking ecosystem. Unfortunately, there are currently hundreds of open banking API platforms in the market, slowing the ecosystem’s growth and making it more difficult to protect transactions against increasingly sophisticated attacks. Attempts to standardise these protocols are underway but have thus far been limited to a regional basis.
The UK is still one of the largest providers of worldwide financial services and its nine largest banks already had application programming interfaces (APIs) in place back in 2018. Banks on the European continent, by contrast, didn’t launch them until September 2019. Adoption rates throughout the Nordic region are high — especially in Norway, where the Nordic API Gateway, now called Aiia, enjoys a penetration rate of 95% among retail and business accounts. In Germany, reports suggest that most APIs either don’t work, time out or make integration near impossible; this makes for an interesting challenge, to say the least.
Open banking implementation is highly influenced by local culture and mindset. Look at Germany, for example: it is a country known for being innovative, especially in the automotive industry, where most of its patent applications are filed; however, the banking sector is notoriously conservative and few customers want to see their bank take big risks. One theory for why German banks face the API challenges mentioned above is that the APIs were implemented to satisfy a regulation rather than to generate revenue.
The true justifiable reward
Open banking has further enabled the fintech industry around the world and supports competition by giving consumers the opportunity to pick convenience instead of feeling stuck with one bank. And yes, open banking can be seen as a disruptor to incumbent banks, but it could be argued that this disruption would have come either way. There seems to be a consensus that standing still isn’t an option.
Regulatory trends such as PSD2 have already been pushing banks to focus on automation, advanced analytics and security protocols to see productivity gains within payments. One requirement that benefits all parties involved is the Strong Customer Authentication (SCA) workflow as set out in Article 4(30) by the European Banking Authority (EBA).
Implementing the SCA requirements means that relying solely on out-of-band (OOB) one-time passwords (OTPs) sent by SMS or email, as many banks still do today, will no longer be enough.
Secure codes or OTPs sent through OOB channels are still widely used today and, whilst many question whether they qualify as part of the SCA workflow, according to Ecommerce Europe they count as the “possession” factor and would be a valid part of SCA if combined with a “knowledge” and/or an “inherence” factor. However, without conforming to dynamic linking, they still pose a risk and could be compromised by way of a man-in-the-middle attack.
OOB authentication is a highly insecure method that can easily be breached. OTP secure codes generated through offline authentication – or simply moving to a push notification solution – are much better alternatives that remain compliant with SCA in regard to challenge/response, and they offer a seamless journey to consumers. The big difference is that those alternatives are secure and present the full context of the transaction being authorised, with its details. This ensures that data and financial assets aren’t put at risk, which can come at a high cost to financial institutions that don’t take this seriously. This is where security and consumer experience go hand in hand.
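To make the dynamic-linking point concrete, here is an added example (not HID Global's code, nor anything from the article): a plain OTP that proves possession only, beside an authentication code computed over the amount and payee the customer actually sees. The device key, nonce and IBANs are constructed for the demo; the bank-side checks show which code still verifies after an intermediary swaps the payee.

```python
import hashlib
import hmac

# Constructed demo key (not HID Global's code): in practice a per-device secret
# provisioned to the customer's authenticator app at enrolment.
DEVICE_KEY = b"constructed-demo-device-key-do-not-reuse"

def _truncate(mac: bytes, digits: int) -> str:
    """Reduce an HMAC tag to a short numeric code the customer can read back."""
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

def plain_otp(key: bytes, counter: int) -> str:
    """Classic counter-based OTP: proves possession of the key, but nothing in
    the code depends on the transaction the customer thinks they are approving."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _truncate(mac, 6)

def canonical_transaction(amount_cents: int, payee_iban: str, nonce: str) -> bytes:
    """Canonicalise the fields the code must be linked to (amount and payee)
    plus a bank-issued nonce, so app and bank hash exactly the same bytes."""
    iban = payee_iban.replace(" ", "").upper()
    return f"{amount_cents}|{iban}|{nonce}".encode()

def dynamic_link_code(key: bytes, amount_cents: int, payee_iban: str, nonce: str) -> str:
    """Authentication code specific to the amount and payee shown to the customer."""
    data = canonical_transaction(amount_cents, payee_iban, nonce)
    return _truncate(hmac.new(key, data, hashlib.sha256).digest(), 8)

def bank_verify_plain(key: bytes, counter: int, code: str) -> bool:
    """Bank-side check for the plain OTP: transaction details play no part."""
    return hmac.compare_digest(plain_otp(key, counter), code)

def bank_verify_linked(key: bytes, amount_cents: int, payee_iban: str, nonce: str, code: str) -> bool:
    """Bank recomputes the code over the transaction it is about to execute; if an
    intermediary changed amount or payee in transit, the code no longer matches."""
    return hmac.compare_digest(dynamic_link_code(key, amount_cents, payee_iban, nonce), code)

def demo() -> tuple:
    """Customer approves 100.00 to payee A; the bank receives a request naming payee B.
    Returns (plain OTP accepted, dynamically linked code accepted) for the altered request."""
    nonce, amount = "constructed-nonce-0001", 10000
    payee_a, payee_b = "XX00 DEMO 0000 0001", "XX00 DEMO 0000 0002"  # constructed IBANs
    plain = plain_otp(DEVICE_KEY, counter=7)
    linked = dynamic_link_code(DEVICE_KEY, amount, payee_a, nonce)
    return (bank_verify_plain(DEVICE_KEY, 7, plain),
            bank_verify_linked(DEVICE_KEY, amount, payee_b, nonce, linked))
```

The plain OTP is accepted for the altered payment because nothing ties it to the payee; the linked code is rejected, which is the property SCA's dynamic-linking requirement is meant to guarantee.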
Ensuring worldwide security
Ensuring security is another major challenge of open banking. Transactions can only take place with customer consent, and banks must be able to verify that people are who they claim to be. In this ecosystem, the responsibility for authentication and identity management rests solely with the account-holding banks. Banks have long understood the need to authenticate users and sign transactions; they are parlaying this knowledge into building more secure API environments.
Regulations have evolved in tandem with open banking developments to reduce risk and protect against fraud around the world. The financial industry, however, stands at an inflection point. As offerings expand and consumers demand more customisation, choice and control, the companies that win will be those that go beyond regulations to align with customer needs.
To find out more information, visit: https://www.hidglobal.com/
This article was originally published in the November edition of Security Journal UK. To get your FREE digital copy, visit: digital.securityjournaluk.com