When it comes to fighting financial misconduct, open banking has a light and a dark side. It has the potential to help fight criminals, and to be exploited by them.
If banks and financial technology firms (fintechs) are alert to the dangers, and use sophisticated prevention techniques, open banking could help them tackle fraud, money laundering, terrorist financing and other crimes. If they are behind the curve, it could amplify the threats.
The European Union’s PSD2 payment services directive started three years ago. Its goal is to level the playing field for customers by giving third parties digital access to bank infrastructure, and account data from consenting customers. Fintechs can then use that information to provide services such as loans, budgeting advice, investment and payments.
Open banking is designed to be safer than other forms of banking, with secure authentication for every transaction. But it also opens more points of attack for financial criminals who could target the weakest link in the chain.
Most regulation on open banking has so far been in the EU and UK. The US does not yet have such data sharing rules. However, progress in Europe and the explosion of fintechs in America should encourage US banks to adopt similar principles in time.
In Europe, some banks are advanced in their open banking strategies, others are lagging; but the EU is generally a few months behind the UK.
Open banking interactions happen through application programming interfaces (APIs), which should provide standardised access to account data. However, standards vary between countries and implementation has been patchy.
The safety and efficacy of each API and ecosystem depend on incentives, regulation, technical abilities, local market forces, support structures, and consumer attitudes to privacy and security.
PSD2 does not set specific technical standards for open banking APIs, so individual countries have created their own. But in the UK, the Open Banking Implementation Entity does specify detailed technical API requirements.
One problem is that quality and reliability can suffer when banks build APIs for compliance rather than revenue-generation. Those that build high-quality APIs can make them safer and more commercially useful.
Dev Odedra, anti-money laundering (AML) expert and director of Minerva Stratagem Consulting, said the adoption of open banking has been slow but is speeding up.
‘So far, it is hard to find examples of open banking being used to facilitate financial crime,’ he said. ‘I have been unable to find any official reports or data referring to it as the attack vector. However, there is potential for fraudsters to target and abuse this new channel. For example, when customers use open banking via third-party apps, transactions may be one step removed from their bank.
‘A fraudster who gained access this way could initiate transactions via that app rather than via their bank. The bank has less visibility around the activity because it is only involved in the execution rather than the original transaction.’
Odedra said central access to a victim’s finances via open banking could also give criminals access to their other accounts.
‘The reduced direct interaction between the customer and the bank may also mean it has fewer insights into customer information such as internet protocol (IP) addresses, which can be used to detect fraud,’ he said.
These threats are important given the increased prevalence of cybersecurity over the last 18 months. Banks may therefore need to think about whether and how their transaction monitoring systems guard against the threats posed by open banking, said Odedra.
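As an added illustration of the monitoring point above (not code from the article or from Minerva Stratagem Consulting), a constructed Python scoring rule that treats a transaction arriving through a third-party app as lacking the session context (such as the customer IP address) the bank would normally capture, and leans on the signals the bank still holds: channel, identified TPP, payee history and amount. The account data, weights, thresholds and IP ranges are all assumed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample schema. A payment initiated via a third-party provider (TPP)
# reaches the bank for execution only, so the customer session (IP, device) that
# the bank's own channel would record may simply be absent.
@dataclass
class Transaction:
    txn_id: str
    account: str
    amount: float
    payee: str
    channel: str                 # "direct" (bank's own app) or "tpp" (open banking API)
    customer_ip: Optional[str]   # None when the bank never saw the customer session
    tpp_id: Optional[str] = None # identifier of the regulated TPP that initiated it

# Assumed per-account history and trusted IP ranges (203.0.113.0/24 is a documentation range).
KNOWN_PAYEES = {"acc-1": {"rent-co", "utility-ltd"}}
TRUSTED_IP_PREFIXES = {"acc-1": ("203.0.113.",)}
LARGE_AMOUNT = 1000.0

def risk_score(txn: Transaction) -> int:
    """Assumed rule: when the IP/device signal is missing, weight the remaining signals more."""
    score = 0
    if txn.customer_ip is None:
        score += 2   # no session context, so no geo/IP reputation check is possible
    elif not txn.customer_ip.startswith(TRUSTED_IP_PREFIXES.get(txn.account, ())):
        score += 2   # session seen, but from an address the account has not used before
    if txn.channel == "tpp":
        score += 1   # bank is one step removed from the customer interaction
        if txn.tpp_id is None:
            score += 3   # TPP-channel request with no identified TPP should never be executed silently
    if txn.payee not in KNOWN_PAYEES.get(txn.account, set()):
        score += 2   # first payment to this payee
    if txn.amount >= LARGE_AMOUNT:
        score += 2
    return score

def flag_for_review(txns, threshold: int = 5):
    """Return the ids of transactions whose score reaches the review threshold."""
    return [t.txn_id for t in txns if risk_score(t) >= threshold]

# Constructed sample batch: one normal in-app payment, two TPP-initiated payments
# without session context, and one in-app payment from an unfamiliar address.
SAMPLE = [
    Transaction("t1", "acc-1", 45.0, "utility-ltd", "direct", "203.0.113.7"),
    Transaction("t2", "acc-1", 1500.0, "new-merchant", "tpp", None, "tpp-001"),
    Transaction("t3", "acc-1", 120.0, "rent-co", "tpp", None, "tpp-001"),
    Transaction("t4", "acc-1", 900.0, "new-merchant", "direct", "198.51.100.9"),
]
```

Only t2 (large amount, new payee, no session context, via a TPP) crosses the threshold; t3 shows that a routine TPP payment to a known payee is not flagged merely for arriving through open banking.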
Perhaps the biggest concern with open banking is the size of the connected ecosystem it creates, including data providers, third-party providers, regulators and government agencies.
Criminals are adept at targeting any weak link in a chain and mining every account they infiltrate for personal information. As all these services connect via one technology — APIs — the initial KYC check becomes critical.
This creates a severe challenge for AML compliance, and makes security and data protection hygiene increasingly important for all participants. Each organisation must avoid simply relying on data from other trusted sources and, instead, take its own responsibility for risk management and fraud prevention.
According to an article by ChargebackGurus, the dangers are already becoming reality.
‘While PSD2 intends communications involving customer data to be secured properly, banks can do little about the fraud threats that are developing in response to this disruptive new standard,’ it said.
‘Before open banking, banks could restrict the outflow of customer data, so were fully empowered to protect it. Now they cannot protect customer data that third-party providers have accessed. So banks are under pressure to increase monitoring for fraudulent transactions.’
Financial institutions need to make sure they only give access and data to legitimate and regulated third parties. They must also ensure strong transaction monitoring, API security, and customer authentication. Enhanced due diligence, adverse media screening and other onboarding security tools are also becoming an essential way to bolster KYC processes.
The UK is looking to take the lead on open banking security by supporting its participants. According to Open Banking, the UK’s infrastructure is designed to have safety at its core, using secure APIs, encrypted data transfer and reduced information sharing.
It recognises that, as the ecosystem grows, scammers will target participants and customers. To counter this, it has made resources available to help players implement best practice controls. These include a guide, self-assessment tool, and working group, all focused on security and counter-fraud.
The good news is banks and fintechs are well-placed to use the interconnectivity that open banking brings to detect and prevent crimes collaboratively.
This will help providers segregate risk types by understanding fraud, AML and counterterrorist financing information, helping them fight these crimes more efficiently — and make services more streamlined at the same time. For example, it should remove the need for customers to duplicate entry of know your customer (KYC) information as one provider can access it from another.
It also means banks can pre-authorise customers for a host of financial products, and run enhanced customer due diligence (CDD) checks upfront, which eases the customer journey.
Sharing customers’ financial and personal information also allows providers to create identity networks and hubs that leverage existing KYC and CDD to help prove people’s identities. It enables them to conduct digital account checks and quickly access the source of funds, proof of income, and other relevant data. It should also enable them to use intelligent data analysis to identify possible fraud patterns.
Third-party services also aim to decouple KYC from financial information to ensure ID data is kept securely elsewhere.
Open banking players need to get this right. PSD2 allows regulators to heavily penalise companies that fail to maintain their data security as part of the open banking ecosystem.
Furthermore, failure could give open banking a bad name. People could start refusing to share their data, and the huge potential benefits of sharing data could be lost.
Open banking has so many potential positives for customers and providers. So providers need to protect these benefits by putting solid protections in place as early as possible.