Why open banking and cybersecurity need each other

  • As banks become more open to third parties, they’re struggling with how much exposure to customer data they create through open systems
  • To some extent now banks not only have to demonstrate their trust to consumers, they have to demonstrate it to those third parties

As closed, tightly controlled institutions, banks have done well as guardians and protectors of their customers’ sensitive information. And despite the headlines, data breaches at banks are fairly rare. But as banks open up to third parties, they're starting to struggle with how much exposure to customer data they create through open systems.

The industry’s desire for greater security and protection of customer data seems at odds with its desire for more open banking; by definition, open banking requires banks to share data with third party service providers. And yet, they require each other to be better, said Raj Bose, global retail banking consulting leader at Genpact. Banks need to be more forthcoming, transparent and accessible with the customer data they keep, which presents a challenge for cybersecurity teams.

“Now it’s not just about building a wall and not letting anyone in,” he said. “It’s about building a filter or strainer that lets some things in or out and not other things.”

It’s early days

Open banking opened in the U.K. last weekend as part of a government mandate that lets merchants and retailers retrieve customer account data from the banks (with customers’ permission). In the U.S., banks are striving to get ahead of their own regulators by creating data exchange standards. API-based data sharing agreements like the deals Finicity signed with Wells Fargo and Chase last year are evidence of those efforts.

But banks need to move beyond those one-on-one agreements if they’re going to create a full suite of financial services to offer customers through a true open banking platform. Eventually those types of agreements and the data they feed will be more common, more prolific and more complex — too complex for a single institution to manage. Wells Fargo can probably easily manage data from its Finicity and Xero partnerships, but it will become more complicated when its partnership count rises to, say, 20 or 50. Likewise, fintech startups without the resources of a large bank will have more trouble managing 30 banking partners compared to two or three.

It’s likely that whenever the industry reaches that critical mass there will be some kind of secure data switch or hub that emerges as a trusted source with whom banks can share customer data confidently, said Bose.

“It’s kind of like how the credit card association started,” he said. Rather than one bank sharing payments transaction information with another, they put it on a network like Visa or Mastercard, which manages the data even though it doesn't have a direct connection to either bank and ensures it gets from its starting point to its endpoint.

Zelle offers a similar example. The Early Exchange network of banks hangs onto customers’ email address and phone number and facilitates peer-to-peer payments across the banking network rather than having each individual bank set up agreements with 50 others.

“There are some companies starting to think that way but I don’t think this idea is commonly accepted at the moment,” Bose said. “If you think about how other institutions have come up though — while data exchange is an infant, it logically makes sense based on how others have risen up over time.”

The weakest link

Cybersecurity has been a top priority for banks since well before the dawn of open banking, but the same isn’t necessarily true of customers. People are generally happy to give up some of their personal information if they get some value in return — it’s the implicit agreement consumers make with every service provider they use. Most people who haven't been a victim of a data breach don't think twice about it.

“Consumers will always choose the path of least resistance, and if you rely on your consumers to be interested in their best interest when it comes to security, that’s probably not going to happen,” Ryan Fox, director of consumer identity at Capital One, said at an industry conference last year.

But as breaches become more commonplace, when more people’s credit cards are compromised or their identities are stolen, those events become more tangible to them. The number of breaches in the U.S. has risen steadily since 2011.

[Chart: annual number of data breaches and exposed records, 2005-2014 (Statista)]

People that have grown up with technology and are used to consuming digital innovation have an expectation that data will be in real time, ubiquitous and secure, said Chris Zingo, Finastra’s managing director of Americas enterprise markets.

“It’s like flipping on a light switch — there’s an expectation the technology will have all the provisions to secure their data,” Zingo said.

Now, those same people and other consumers are taking control of their data, or at least thinking about it and questioning the philosophy around who controls their data (everyone except themselves), particularly after 2017’s massive Equifax breach.

That's the other leg in this, said Mark Atherton, group vice president of Oracle’s financial services global business unit: the sophistication of end customers or users, whether they're consumers or corporate customers, and how comfortable and casual they choose to become about cybersecurity.

“You're only as strong as your weakest link, but sometimes the weakest link is the customer,” Atherton said.

The biggest problem

With open banking, banks could be able to sell customers so much more than product-based financial services — as long as they continue to own customers’ trust. Historically, they’ve done that by protecting customers’ financial assets, but data is the new currency, Bose said. People are re-examining the value of their data and becoming more selective about when and with whom they share it. How banks handle that remains to be seen.

“The question of trust causes an interesting tension,” he said. “Do customers trust their institution to properly protect their data? Do they want their bank to share their data with other third parties so they can provide interesting things the banks themselves can't do? People want more value added services, but if they don't trust you they're not going to let you have their data.”

To some extent now banks not only have to demonstrate their trust to consumers, they have to demonstrate it to those third parties, he added. A company like Apple could become more discerning about letting users put a credit card into Wallet if a bank has a history of security weaknesses.

“They’re going to have a whole new set of partners and they need to demonstrate trust with them as well,” Bose said.

More than a human can do

Security and fraud have always fallen on the shoulders of banks, even though it’s more often the retailers and online platforms whose systems compromise the data. It’s banks’ biggest area of investment and a never-ending concern, since fraudsters only get more sophisticated as technology and digital improvement get more sophisticated.

Before the digital era banks could safely bet on where fraud or theft was coming from. With the rise of open banking, the application programming interfaces that allow banks to open up to other developers create more roads to the bank, Atherton said.

“The challenge is there will be more players out there that have a banking relationship and if you're a bad actor you just have that many more channels to commit fraud on,” he said.

Banks are trying to be smarter and more complete in how they assess threats, respond to them and mediate.

“It’s not good enough anymore to take a percentage of transactions that come through and study them — you have to lookout 100 percent,” he continued. And the rate of data creation is now doubling every two years.

That’s why banks are investing so heavily in artificial intelligence and machine learning, said Atherton. Fraud analysis and risk detection is the top use case for AI technologies at banks, with 14 percent having actually deployed it by now; nine percent of banks are piloting the technology and 23 percent are planning to.

“I see greater emphasis on AI and ML to really help the security professionals,” Bose said. “It’s more than a human can do.”
