Lifting the Veil on Open Banking
Open banking. What once seemed like a conceptualized slogan is now a tangible practice making its way around the world — legally mandated in some countries, voluntarily adopted in others. To those who benefit from a closed banking model, open banking is likened to a disruptive threat. But to many others, particularly to consumers, there are major advantages.
Either way, open banking is here to stay. Let's dive in and see what it's all about.
What is open banking?
Sometimes referred to as "open bank data," open banking is the practice of allowing third-party financial services organizations access to consumer financial data by way of application programming interfaces (APIs), the defined interfaces through which one organization's software can request data from another's.
This shift is a direct result of the digital transformation movement and driven by the growing demand to deliver customer-centric banking experiences.
With open banking, customers, as well as third-party financial institutions — with consent — have frictionless access to their financial data to download, share and use. In this way, the consumers own their information, such as account balances, transactions, investments and everything in between.
Why does it matter?
By lifting the guardrails big banks use to shield customer data, open banking is reshaping the way banks conduct business. Not only is there a customer-centric paradigm shift in favor of consumers, but the market is opening up for smaller or emerging financial service and fintech businesses to offer new products and services.
Giving consumers easy access to their financial information enables more comprehensive and simplified decision-making. Additionally, providing better visibility into bank behavior empowers consumers to more confidently enter and exit relationships with these institutions, or at the very least, apply pressure on specific issues or sector-wide standards.
Quite simply, open banking gives consumers more freedom to decide where to put their money. As for the banks, it breeds a more competitive landscape for neobanks (or challenger banks) and fintechs, which in turn fosters a market ripe for innovation and bolstered customer service.
Where did open banking come from?
Triggered by a push for stronger financial regulations, the concept was first substantiated in the European Union (E.U.) in 2018 with the implementation of the revised Payment Services Directive (PSD2), a mandate that requires banks to make consumer data available to third parties at the customer's request.
Prior to PSD2, England's Competition and Markets Authority (CMA) had long called for this change as a way to decentralize large banks' power and influence. In 2016, the CMA created the Open Banking Implementation Entity (OBIE), tasked with helping banks, fintechs, third-party providers, consumer groups and the like to implement open banking APIs to provide an environment that fostered access to bank data.
The idea was to inject competition into the stale U.K. banking industry and, in turn, drive innovation. In the CMA's 2016 report on the U.K.'s retail banking market, it was confirmed that the large, legacy banking institutions across the U.K. did not have to compete hard enough for customers' business. This lack of competition was stunting the success of challenger banks and preventing novel financial service providers from entering the market.
In 2018, PSD2 opened the gates to the promised land of banking data in the E.U., revolutionizing the way financial data was accessed and used and creating vast opportunities and benefits for developers, investors and consumers. Since then, more than two million users — both individuals and small businesses — have adopted open banking-enabled applications across the U.K., according to OBIE. "There's some really exciting propositions out there that can help small businesses using open banking to manage their cash better, and it can also help them seek funding," said Imran Gulamhuseinwala, Implementation Trustee at OBIE, in this World Finance article. "In these difficult times for small businesses, we think that this is invaluable."
In the U.S., consumer banking data is now rightfully recognized as the property of the consumer. On July 9, 2021, President Joe Biden signed an Executive Order making it easier and cheaper to switch banks by requiring banking organizations to allow consumers to download their financial transaction history data and take it with them. While this isn't the equivalent to a widespread "open banking law," it is a strong indication that open banking permanence is on the horizon in the U.S.
Further, the Electronic Payments Association (NACHA) in the U.S. has an open banking framework in place that will provide easier channels of data exchange between fintechs and banks. However, unlike PSD2 and CMA regulations in Europe, NACHA APIs are market-driven, not mandatory.
How does open banking benefit the consumer?
Individual consumers with personal banking accounts are extremely important to a bank's bottom line. In addition to paying fees for services, these customers provide banks with an astonishing amount of low cost, stable funding through their checking accounts. The money in these accounts (AKA "demand deposits") provides the capital needed for banks to make loans and buy assets. In the third quarter of 2020, domestic demand deposits in FDIC-insured commercial banks and savings institutions totaled more than $15.6 trillion. Pretty steep.
Lucky for these banks, consumers rarely pull or reallocate their deposited funds. Why? Well, for the most part, switching banks is notoriously time-consuming and difficult, often by design. Plus, consumers historically had no way to directly weigh the pros and cons of competing banking products and services.
Today, with open banking, a consumer can pull all their financial data from their bank and consent to share it with competing banks or third-party services providers to ensure they are receiving the most lucrative products and services available. This has resulted in banks and providers competing harder for the consumers' business while making it very easy for the consumer to take advantage of the best offer.
Here are some other ways open banking benefits the consumer:
Open banking lends a more accurate capture of one's own financial data. A consumer can view investment, loan and credit card accounts in one place, as well as personal and business banking combined in a single interface. This allows financial services advisors to provide a personalized body of recommendations, simplifying the decision-making process for all involved.
Accelerated credit access
What once was a time-consuming, tedious process is now a near-instantaneous endeavor. Open banking puts consumers' credit history in one, easily accessible place. This allows lenders and underwriters to make quicker decisions on which products to offer. It also gives consumers better insight into the likelihood of being offered certain products in advance of applying, thereby accelerating the entire application process on all ends.
Innovation in personal finance management (PFM) and other banking tools
Each individual's financial data set can be incredibly robust, including not just financial information and behaviors but statistics that can be mapped across life stages and goals. By centralizing data, providers can tailor products that create financial insights in more personalized, meaningful ways. Meanwhile, consumers are freed to make more educated choices based on their financial performance and unique goals.
Open banking takes bespoke financial services for individuals to the next level. Providers can now create better tools in response to individualized consumer data. In addition, it paves the way for new applications that help us do innovative things like round up and invest the change after a purchase, build better credit platforms, easily consolidate credit card debt and facilitate online mortgage brokering. This list will, of course, continue to expand dramatically for the benefit of providers and consumers alike.
Transparent subscription management
These days, it feels like everything comes with a subscription offering. From utility bills and streaming services to cleaning products and pet food. How can any one person keep track? Open banking technology can put all subscription activity onto a single interface, so consumers can view recurring payments and take action to cancel undesired subscriptions or set alerts for upcoming payments.
How does open banking benefit financial organizations?
In May 2020, Finastra studied more than 750 global banks in their report, Open Banking and Collaboration: State of the Nation Survey 2020. They found that 86 percent of surveyed financial institutions are aiming to use open APIs to enable open banking within the subsequent 12-month timeframe.
To remain competitive, financial institutions must not turn a blind eye to the growing popularity of open banking. As more institutions work to adopt the practice, understanding the potential benefits of open banking is essential.
Here are some of the key benefits for financial organizations:
Improved digital agility
A bank's agility — its ability to adapt — is key to long-term success in today's tech-centric world. Open banking promotes advances in software and digital processes that, in turn, enable organizations to adapt to change and implement solutions more swiftly.
Open banking eliminates walls around communication and collaboration across the entire industry. As a result, institutions gain access to new partners with varied, beneficial skill sets. This can facilitate meaningful transformation and evolve business models more effectively.
Increased collaboration between entities
With open banking, not only can financial services and fintech competitors coexist, they can collaborate for the greater good of all parties.
Open banking requires tedious oversight to minimize risk and secure customer data; therefore, it's in everyone's best interest to work together to ensure all bases are covered. By staying connected, organizations can create secure and sturdy links between all stages of the open banking process. Cross-company collaboration also makes space for deeper innovation between traditional banks and newer fintech-based business models. Looking forward, there is more business to be made for all as open banking models continue to evolve globally.
Increased customer satisfaction and retention
With open banking, financial institutions can provide consumers with a complete picture of their financial transaction history, including aggregated insights. This helps consumers make better decisions and improve their financial outlook, thus leading to greater customer retention.
Further, as banks harness the power of information sharing, they can use the comprehensive data of consumer financial history and habits to make more meaningful recommendations and offer individualized customer experiences with more precision.
Greater foresight in decision-making
The larger the data set, the easier it is to discern patterns through pattern mapping — which in turn makes it easier to make big decisions. As the global financial industry undergoes this rapid shift in consumer data usage, data insights are vital to an organization's ability to understand the impact of operational changes, regulatory or otherwise, and make smart choices. Open banking is paving the way for organizations to adopt compelling predictive models that enable better decisions and more effective strategies.
Reduced overhead on storefronts
An open banking business model makes full online banking possible, practically nixing the need for a large footprint of physical locations. Open banking can help banks feel less like an institution in the eyes of the consumer and more like a service, where on-site visits are no longer required.
What about security risks?
Nearly 50 percent of all banking customers think their assets will be less safe if they try open banking. Of course, as with any technology evolution, particularly when it pertains to our finances, things can seem unstable at first, scary even. Consumers might have security concerns like:
- Does open banking make identity theft easier?
- Will my data be shared or used for purposes beyond my consent?
- Will I now be targeted with unwanted solicitations?
- Who do I call if I experience an "information leak" problem?
All valid questions, indeed. But first, let's not let the word "open" terrify us. The "open" in open banking doesn't mean there are no structures or protections in place; rather, it signifies the exchange of digital banking information with the consumer's full consent.
Open banking makes consumers the owners of their data, meaning it is up to the individual consumer to authorize any information sharing between their financial institution and a regulated third party. For example, third-party services such as Venmo or Zelle connect through built-in endpoints that are regulated by the banks themselves. This means your money and information are as secure with these third parties as they are inside your bank.
On a broader scale, there are three factors that contribute to the overall security of APIs and open banking: (1) security standards, (2) security-infused CI/CD pipeline and (3) security controls.
1. Security standards
IT security has evolved significantly in recent years. Take multifactor authentication (MFA) and biometrics technology, for example. MFA requires users to have a secondary form of authentication in addition to a strong password (e.g., an additional security question, a numerical access code sent via text, or a biometric scan via face or fingerprint) to unlock an account. Studies have shown that proper use of MFA blocks 99.9 percent of all potential hacks.
Let's take a look at some other key security standards of open banking.
Mutual authentication over Transport Layer Security (mTLS)
This is when both the client and the server present certificates and each validates the other's. Certificate validation in both directions is tried and true, and quite ubiquitous, meaning it's readily available for the market to implement.
Electronic Identification, Authentication and trust Services (eIDAS)
eIDAS is the EU standard for electronic identification and trust services. PSD2 requires qualified trust service providers (QTSPs) to adopt the eIDAS security standard, using the ASN.1 data format to carry extra attributes.
OAuth 2.0
This standard, which lets a user grant an application limited access without handing over their credentials, is well known in the world of APIs. For example, with OAuth, an app consuming the Twitter API doesn't need to see the user's password. OAuth is supported in open banking initiatives such as The Berlin Group and STET. Some experts advocate for a combination of OAuth 2.0 and mTLS.
OpenID Connect (OIDC)
This sits on top of OAuth 2.0 to provide proof of authentication in the form of an ID token. The specification describes it as "a simple identity layer on top of the OAuth 2.0 protocol." The ID token, a JSON Web Token (JWT), confirms that the user has authenticated and carries additional claims that extend capabilities.
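As an added illustration (not code from the original article), the following Python checks an OIDC ID token the way a relying party should before trusting it: signature, pinned algorithm, issuer, audience, expiry and nonce. It uses HS256 with a shared client secret so that it runs on the standard library alone; the secret, issuer, audience and claims are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example (hypothetical; not from the article).
CLIENT_SECRET = b"example-client-secret-do-not-reuse"
EXPECTED_ISSUER = "https://id.example-bank.test"
EXPECTED_AUDIENCE = "tpp-budgeting-app"          # the relying party's client_id


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, alg: str = "HS256", secret: bytes = CLIENT_SECRET) -> str:
    """Mint a token; used only to build sample input for the checker below."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":                      # unsigned token, for the negative test
        return f"{header}.{body}."
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str,
                      now: Optional[int] = None, secret: bytes = CLIENT_SECRET) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm agreed with the identity provider; trusting the header's
    # alg alone allows a downgrade to "none" that skips the signature entirely.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


if __name__ == "__main__":
    sample = make_id_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                            "sub": "user-123", "exp": int(time.time()) + 300,
                            "nonce": "n-abc"})
    print(validate_id_token(sample, "n-abc")["sub"])
```

Production deployments use asymmetric signatures (e.g. RS256 or ES256) with the provider's published keys, but the claim checks are the same.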
Financial-grade API (FAPI)
This is an OpenID Foundation profile that sits on OpenID Connect, providing extra security for financial organizations. This standard provides additional security features at the authorization server, tightening behaviors by segmenting third-party provider (TPP) permissions.
FAPI is organized into four drafts: a Read-Only API Security Profile, a Read and Write API Security Profile, JWT Secured Authorization Response Mode for OAuth 2.0 (JARM), and Client-Initiated Backchannel Authentication (CIBA), which provides a new means of requesting the authentication of a user. Some experts view FAPI as an important building block for the future growth of open banking.
2. Security-infused CI/CD pipeline
All organizations view security as a top priority and the obligation to maintain security posture falls on all IT departments. Applying DevOps best practices can put an organization in a unique position to defend APIs and secure everything that flows through the software pipeline by taking a proactive approach.
Securing the CI/CD pipeline essentially means fortifying it as a whole by defining the entire environment as code. This allows for a constant flow of software updates into production, which speeds release cycles, lowers costs and reduces risks associated with development and deployment.
Securing the CI/CD pipeline can help an organization:
- Map threats and secure connections.
- Tighten access control.
- Separate duties and enforce permissions.
- Allow diligent monitoring and recon.
- Provide grounding to maintain a viable backup plan.
3. Security controls
Because it typically generates massive volumes of API calls, open banking can raise performance and security challenges. When asked to identify the "four most important factors to consider before integration with an API," IT organizations rated both security (71 percent) and performance (70.9 percent) near the top.
Applications have moved toward an increasingly distributed and decentralized model, with APIs as the connection point. The most recent F5 Labs research shows that the number of API security incidents is growing every year, and most API incidents during the last two years were related to a low level of security maturity, often caused by tool sprawl.
While the network firewall indeed remains an important aspect of security, it simply cannot stand on its own. That's where additional security controls come into play.
Web Application Firewall (WAF)
A WAF identifies illegitimate requests that don't use the API's intended functionality but rather seek to exploit vulnerabilities, allowing attackers to steal information or execute malicious code. A good WAF has API protection profiles that protect against attacks with parsing and structure enforcement, attack signatures, method enforcement and path enforcement.
Bot protection
HTTP APIs can be subject to bot and other forms of malicious or unwanted automation-based traffic. Bot protection solutions provide visibility, throttling and mitigation options to protect HTTP-based APIs from bots and other forms of automated attacks that generate online fraud and application abuse.
API management
Among other functions, API management solutions provide interfaces for defining security policies, which the API gateway then applies as it processes API calls. The API Management Module includes important protections like implicit Uniform Resource Identifier (URI) allow-listing based on the API specification, as well as programmable rate limiting, multiple rate-limiting policies and throttling.
API gateway
An API gateway, like NGINX Plus, provides authentication and authorization, traffic management, rate limiting/thresholding, allow lists and routing. Solutions exist to complement or replace existing API gateways.
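To make the spec-based URI allow-listing, scope enforcement and per-policy rate limiting described above concrete, here is an added Python sketch of the checks a gateway performs on each request (example code, not NGINX Plus or any product's implementation). The API specification, scopes and limits are constructed, loosely modelled on an account-information API.

```python
import re
import time
from collections import defaultdict, deque
from typing import Dict, Tuple

# Constructed API specification: only these (method, path) pairs exist.
# Anything else is implicitly denied, which is what spec-based allow-listing means.
API_SPEC = {
    ("GET", r"/accounts"): {"scope": "accounts"},
    ("GET", r"/accounts/[^/]+/balances"): {"scope": "accounts"},
    ("GET", r"/accounts/[^/]+/transactions"): {"scope": "accounts"},
    ("POST", r"/payments"): {"scope": "payments"},
}
_ROUTES = [(m, re.compile("^" + p + "$"), meta) for (m, p), meta in API_SPEC.items()]

# Rate-limit policies per scope: (max requests, window in seconds). Constructed.
POLICIES = {"accounts": (5, 60), "payments": (2, 60)}


class Gateway:
    def __init__(self) -> None:
        # Sliding-window request timestamps per (client, scope).
        self._hits: Dict[Tuple[str, str], deque] = defaultdict(deque)

    def _allowed_by_spec(self, method: str, path: str):
        """Method and path enforcement: return route metadata or None."""
        for m, rx, meta in _ROUTES:
            if m == method and rx.match(path):
                return meta
        return None

    def _within_limit(self, client_id: str, scope: str, now: float) -> bool:
        limit, window = POLICIES[scope]
        q = self._hits[(client_id, scope)]
        while q and q[0] <= now - window:      # drop hits outside the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def handle(self, client_id: str, granted_scopes: set, method: str,
               path: str, now: float = None) -> Tuple[int, str]:
        """Return the HTTP status the gateway would answer with, plus a reason."""
        now = time.time() if now is None else now
        meta = self._allowed_by_spec(method, path)
        if meta is None:
            return 404, "not in API specification"
        if meta["scope"] not in granted_scopes:
            return 403, f"token lacks scope {meta['scope']}"
        if not self._within_limit(client_id, meta["scope"], now):
            return 429, "rate limit exceeded"
        return 200, "forwarded to backend"


if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle("tpp-1", {"accounts"}, "GET", "/accounts/42/balances"))
    print(gw.handle("tpp-1", {"accounts"}, "POST", "/payments"))
```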
Encryption
All public API traffic should be encrypted. If possible, ephemeral keys should be used for added security. If an API gateway cannot handle the cryptographic workload due to performance or price, you might consider offloading the workload to a dedicated system. This maximizes infrastructure investments, efficiencies and security with dynamic, policy-based decryption, encryption and traffic steering through multiple inspection devices.
What about preventing or mitigating malicious behavior like credential stuffing?
- The number of annual credential spill incidents nearly doubled between 2016 and 2020.
- Credential stuffing attacks made up 5 percent of all digital traffic.
Organizations remain weak at detecting and discovering intrusions and data exfiltration. Between 2018 and 2020, the median time to discovering a credential spill was 120 days; the average time to discovery was 327 days. Often, spills are discovered on the dark web before organizations detect or disclose a breach.
Relying on technology, like a leaked credential check, can prevent leaked or stolen credentials from being used for malice.
Other mitigation options include:
- Requiring users to use MFA before granting access.
- Redirecting users to another application page (e.g., a customer support web page).
- Responding to the suspicious login with a preset page requesting further action by the user (e.g., contacting customer support).
- Blocking the user and their login from accessing the application.
- Sending an alert to the SecOps team to take additional action.
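The detection side of the mitigations just listed, as an added example that is not part of the original article: the Python below scans constructed authentication log lines for the credential-stuffing pattern (one source trying many different accounts with mostly failures inside a short window) and maps each finding to the response options above. Log format, thresholds and action names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One source sprays six accounts in
# seconds; the other is a single user retrying their own password.
SAMPLE_LOG = """\
2021-08-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2021-08-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2021-08-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2021-08-01T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2021-08-01T10:00:03Z ip=203.0.113.7 user=erin result=SUCCESS
2021-08-01T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2021-08-01T10:00:09Z ip=198.51.100.20 user=alice result=FAIL
2021-08-01T10:00:15Z ip=198.51.100.20 user=alice result=FAIL
2021-08-01T10:00:40Z ip=198.51.100.20 user=alice result=SUCCESS
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")

WINDOW = timedelta(minutes=5)   # assumed thresholds; tune to your traffic
MIN_ATTEMPTS = 5                # attempts from one source before judging it
MIN_DISTINCT_USERS = 4          # stuffing tries many accounts, not one
MIN_FAIL_RATIO = 0.6            # most leaked credentials do not match here


def parse_log(log_text: str) -> list:
    """Turn the text log into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": m["ip"], "user": m["user"], "result": m["result"]})
    return events


def detect_stuffing(events: list) -> dict:
    """Return {ip: summary} for sources whose sliding-window pattern looks like stuffing."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1                      # slide the window forward
            window = evs[start:end + 1]
            fails = sum(1 for e in window if e["result"] != "SUCCESS")
            users = {e["user"] for e in window}
            if (len(window) >= MIN_ATTEMPTS and len(users) >= MIN_DISTINCT_USERS
                    and fails / len(window) >= MIN_FAIL_RATIO):
                flagged[ip] = {"attempts": len(window), "distinct_users": len(users),
                               "fail_ratio": round(fails / len(window), 2),
                               # accounts the source actually got into
                               "compromised": sorted(e["user"] for e in window
                                                     if e["result"] == "SUCCESS")}
                break
    return flagged


def response_plan(flagged: dict) -> list:
    """Map each finding to the mitigation options listed above."""
    plan = []
    for ip, summary in flagged.items():
        plan.append(("block_source", ip))
        for user in summary["compromised"]:
            plan.append(("require_mfa_and_reset", user))
        plan.append(("alert_secops", ip))
    return plan


if __name__ == "__main__":
    print(response_plan(detect_stuffing(parse_log(SAMPLE_LOG))))
```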
Are there standards in place to make open banking more efficient and secure?
Open banking relies on a "digital first business model," meaning an organization's internal software is built modularly, where each module communicates with the other modules through application programming interfaces (APIs). Because all data is passed through APIs, it is easy for the banks to give access to selected APIs, so a third party can aggregate financial data on behalf of consumers. It is also easy for banks to maintain security by limiting the number and type of APIs opened to third parties.
Now, it is in the banks' best interest to follow good programming principles and use APIs for both internal and external data transfer. However, homegrown APIs are unique and proprietary in nature, so, it becomes difficult for a third-party developer, such as a fintech, to interface with multiple banks if they all use their own unique APIs.
For this reason, several organizations around the world have initiated projects to standardize the APIs that typically interface with third party developers. Established in 2010, the Open Bank Project offers at least ten categories of standardized APIs.
In Europe, since 2016, the Banking Industry Architecture Network (BIAN) has defined 30 standardized APIs and implemented them from both the consumers' end and the providers' end. While BIAN is based in Europe, they have a strong presence in the US, as well.
Lastly, the industry group the Financial Services Information Sharing and Analysis Center (FS-ISAC), through its subsidiary the Financial Data Exchange (FDX), is also developing open banking APIs as a means of standardization.
Much is being done from a regulatory perspective to foster uniformity and standardization between institutions using open banking models. It is only a matter of time before it is common practice, no big deal. In the meantime, WWT security experts are here to help your organization get acclimated with open banking and prepare for the inevitable.