Why open banking and cybersecurity need each other
- As banks become more open to third parties, they’re struggling with how much exposure to customer data they create through open systems
- To some extent now banks not only have to demonstrate their trust to consumers, they have to demonstrate it to those third parties
As closed, tightly controlled institutions, banks have done well as guardians and protectors of their customers’ sensitive information. And despite the headlines, data breaches at banks are fairly rare. But as banks open up to third parties, they’re starting to struggle with how much exposure to customer data they create through open systems.
The industry’s desire for greater security and protection of customer data seems at odds with its desire for more open banking; by definition, open banking requires banks to share data with third-party service providers. And yet, they require each other to be better, said Raj Bose, global retail banking consulting leader at Genpact. Banks need to be more forthcoming, transparent and accessible with the customer data they keep, which presents a challenge for cybersecurity teams.
“Now it’s not just about building a wall and not letting anyone in,” he said. “It’s about building a filter or strainer that lets some things in or out and not other things.”
It’s early days
Open banking opened in the U.K. last weekend as part of a government mandate that lets merchants and retailers retrieve customer account data from the banks (with customers’ permission). In the U.S., banks are striving to get ahead of their own regulators by creating data exchange standards. API-based data sharing agreements like the deals Finicity signed with Wells Fargo and Chase last year are evidence of those efforts. But banks need to move beyond those one-on-one agreements if they’re going to create a full suite of financial services to offer customers through a true open banking platform.
Eventually those types of agreements and the data they feed will be more common, more prolific and more complex — too complex for a single institution to manage. Wells Fargo can probably easily manage data from its Finicity and Xero partnerships, but it will become more complicated when its partnership count rises to, say, 20 or 50. Likewise, fintech startups without the resources of a large bank will have more trouble managing 30 banking partners compared to two or three.
It’s likely that whenever the industry reaches that critical mass there will be some kind of secure data switch or hub that emerges as a trusted source with whom banks can share customer data confidently, said Bose.
“It’s kind of like how the credit card association started,” he said. Rather than one bank sharing payments transaction information with another, they put it on a network like Visa or Mastercard, which manages the data even though it doesn’t have a direct connection to either bank and ensures it gets from its starting point to its endpoint.
Zelle offers a similar example. The Early Exchange network of banks hangs onto customers’ email address and phone number and facilitates peer-to-peer payments across the banking network rather than having each individual bank set up agreements with 50 others.
“There are some companies starting to think that way but I don’t think this idea is commonly accepted at the moment,” Bose said. “If you think about how other institutions have come up though — while data exchange is an infant, it logically makes sense based on how others have risen up over time.”
The weakest link
Cybersecurity has been a top priority for banks well before the dawn of open banking, but the same isn’t necessarily true of customers.
People are generally happy to give up some of their personal information if they get some value in return — it’s the implicit agreement consumers make with every service provider they use. Most people who haven’t been a victim of a data breach don’t think twice about it.
“Consumers will always choose the path of least resistance, and if you rely on your consumers to be interested in their best interest when it comes to security, that’s probably not going to happen,” Ryan Fox, director of consumer identity at Capital One, said at an industry conference last year.
But as breaches become more commonplace, when more people’s credit cards are compromised or their identities are stolen, those events become more tangible to them. The number of breaches in the U.S. has risen steadily since 2011.
People who have grown up with technology and are used to consuming digital innovation have an expectation that data will be in real time, ubiquitous and secure, said Chris Zingo, Finastra’s managing director of Americas enterprise markets.
“It’s like flipping on a light switch — there’s an expectation the technology will have all the provisions to secure their data,” Zingo said.
Now, those same people and other consumers are taking control of their data, or at least thinking about it and questioning the philosophy around who controls their data (everyone except themselves), particularly after 2017’s massive Equifax breach. That’s the other leg in this, said Mark Atherton, group vice president of Oracle’s financial services global business unit: the sophistication of end customers or users, whether they’re consumers or corporate customers, and how comfortable and casual they choose to become about cybersecurity.
“You’re only as strong as your weakest link, but sometimes the weakest link is the customer,” Atherton said.
The biggest problem
With open banking, banks could be able to sell customers so much more than product-based financial services — as long as they continue to own customers’ trust. Historically, they’ve done that by protecting customers’ financial assets, but data is the new currency, Bose said. People are re-examining the value of their data and becoming more selective about when and with whom they share it. How banks handle that remains to be seen.
“The question of trust causes an interesting tension,” he said. “Do customers trust their institution to properly protect their data? Do they want their bank to share their data with other third parties so they can provide interesting things the banks themselves can’t do? People want more value added services, but if they don’t trust you they’re not going to let you have their data.”
To some extent now banks not only have to demonstrate their trust to consumers, they have to demonstrate it to those third parties, he added. A company like Apple could become more discerning about letting users put a credit card into Wallet if a bank has a history of security weaknesses.
“They’re going to have a whole new set of partners and they need to demonstrate trust with them as well,” Bose said.
More than a human can do
Security and fraud have always fallen on the shoulders of banks, even though it’s more often the retailers and online platforms whose systems compromise the data. It’s banks’ biggest area of investment and a never-ending concern, since fraudsters only get more sophisticated as technology and digital improvement get more sophisticated.
Before the digital era, banks could safely bet on where fraud or theft was coming from. With the rise of open banking, the application programming interfaces that allow banks to open up to other developers create more roads to the bank, Atherton said.
“The challenge is there will be more players out there that have a banking relationship and if you’re a bad actor you just have that many more channels to commit fraud on,” he said.
Banks are trying to be smarter and more complete in how they assess threats, respond to them and mediate.
“It’s not good enough anymore to take a percentage of transactions that come through and study them — you have to lookout 100 percent,” he continued. And the rate of data creation is now doubling every two years.
That’s why banks are investing so heavily in artificial intelligence and machine learning, said Atherton. Fraud analysis and risk detection is the top use case for AI technologies at banks, with 14 percent having actually deployed it by now; nine percent of banks are piloting the technology and 23 percent are planning to.
“I see greater emphasis on AI and ML to really help the security professionals,” Bose said. “It’s more than a human can do.”