As open banking accelerates, how can financial services providers ensure their apps are secure?
By Nathanael Coffing, CSO and Co-founder of Cloudentity.
Open Banking has radically changed the banking experience, enabling financial institutions and banks to share customer data with third-party financial services providers. Previously, large corporate banks dominated the financial services industry and financial services startups struggled to compete. Today, Open Banking presents an abundance of opportunity for smaller, innovative financial companies to establish themselves in the market. With Open Banking apps like Plaid, customers now have faster, more streamlined access to their money, insights into their spending habits and more.
Application programming interfaces (APIs) provide the foundation for sharing data. APIs allow data to flow smoothly between services, apps, platforms and financial providers. Meanwhile, APIs collect and aggregate the exchanged data and present it to the user in a way that is easy to navigate, giving them full visibility and control over their financial assets.
While the possibilities of Open Banking are limitless, they carry the security and compliance risks that come with data sharing. Financial services providers participating in the Open Banking ecosystem are obligated to comply with data protection directives and to follow best practices that help secure customer data. By incorporating the steps below into their Open Banking strategies, fintech companies can provide competitive solutions while ensuring privacy, security and compliance.
Incorporate customer privacy consent
Obtaining user consent is arguably the most critical component of Open Banking. Used effectively, it allows financial service providers to earn the trust of customers and partners, and it is also crucial for meeting data privacy regulations and enhancing the customer experience. Companies must protect their users’ privacy and give them the ability to stipulate how their personal and financial information is collected, accessed and shared. Providers must implement fine-grained privacy and consent controls on their APIs so that customers and partners can determine who is allowed access to their information, who can share their data, how long their data can be shared and for what purposes. In this way, users can ensure that third-party access to their personal and financial information stays within the limits of their approved usage.
Ensure API-centric services comply with data privacy laws
Similar to consumer data protection laws such as the California Privacy Rights Act (CPRA) and the General Data Protection Regulation (GDPR), Open Banking protocols like the Financial Data Exchange (FDX), the UK Open Banking Implementation Entity (OBIE) and the Payment Services Directive (PSD2) hold organizations accountable for securely exchanging customer financial data and account information. Without proper authentication and authorization controls on their APIs, threat actors can execute unauthorized money transfers, launder money and conduct identity theft or account takeover. Privacy compliance directives carry a variety of obligations and repercussions for organizations that fail to adhere, ranging from hefty fines that affect profitability to public data breach notifications that damage brand reputation. By applying secure IAM capabilities to their APIs, Open Banking providers can significantly reduce their attack surface and compliance exposure, preventing these drastic consequences.
Protect APIs with a zero-trust approach using identity and authorization
Opening an organization’s APIs to third parties increases their exposure, particularly if the APIs are not well protected. Typically, financial services companies hard-code authentication and authorization within the service, but with API attacks and regulatory requirements on the rise, organizations must rethink that approach and adopt declarative, externalized identity and authorization solutions. Externalizing identity and authorization as declarative policies decouples the IAM security mechanisms from the service and allows organizations to rapidly update policies to adhere to changing threat, fraud and regulatory demands. In addition, Open Banking organizations must adopt a zero-trust approach: verifying the identity of every user, device and service and authorizing every data element that is exchanged. However, most identity-based authentication tools delay service delivery, cannot express a wide range of fine-grained policies and do not provide the depth of transaction-level enforcement that Open Banking requires.
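As an added illustration (not code from this article or from Cloudentity), the following shows the consent and externalized-authorization ideas from the two sections above in the smallest working form: a consent record captures who was granted access, to which data elements, for which purpose and until when, and a deny-by-default decision function that lives outside the data service checks every API call against it. All customer, client, scope and date values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Consent:
    """What one customer approved for one third-party client (constructed model)."""
    customer_id: str
    client_id: str
    scopes: FrozenSet[str]    # data elements the client may read, e.g. "accounts:balance"
    purposes: FrozenSet[str]  # purposes the customer approved, e.g. "budgeting"
    expires_at: datetime      # end of the sharing window the customer chose
    revoked: bool = False     # customer withdrew consent before expiry

@dataclass(frozen=True)
class ApiRequest:
    customer_id: str
    client_id: str   # authenticated caller identity (from its token or client certificate)
    scope: str       # the single data element this call asks for
    purpose: str     # purpose the caller declares for this call
    at: datetime     # time of the call

def build_store(consents) -> Dict[Tuple[str, str], Consent]:
    """Index consents by (customer, client) so each call is matched to one grant."""
    return {(c.customer_id, c.client_id): c for c in consents}

def decide(store: Dict[Tuple[str, str], Consent], req: ApiRequest) -> Tuple[bool, str]:
    """Deny-by-default decision; the data service never holds this logic itself."""
    consent = store.get((req.customer_id, req.client_id))
    if consent is None:
        return False, "no_consent"          # no grant for this caller at all
    if consent.revoked:
        return False, "consent_revoked"
    if req.at >= consent.expires_at:
        return False, "consent_expired"     # sharing window has closed
    if req.scope not in consent.scopes:
        return False, "scope_not_granted"   # data element not approved
    if req.purpose not in consent.purposes:
        return False, "purpose_not_granted" # approved data, but for another use
    return True, "allow"

# Constructed sample: "cust-1" let a budgeting app read balances and transactions,
# for budgeting only, for 90 days from 2024-01-01.
GRANTED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_STORE = build_store([
    Consent("cust-1", "budget-app",
            frozenset({"accounts:balance", "accounts:transactions"}),
            frozenset({"budgeting"}), GRANTED_AT + timedelta(days=90)),
])
```

Because the decision returns a reason code rather than just a boolean, each denial can be logged and audited, and updating the consent record changes behaviour without touching the service that serves the account data.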
The Open Banking industry services over 50 million users worldwide and is projected to reach a staggering 132.2 million by 2024. The rapid acceleration of Open Banking adoption highlights its disruption to the financial marketplace, giving rise to new services and applications that benefit consumers, while introducing new avenues for financial organizations to differentiate their services. As threats continue to emerge, Open Banking providers must ensure data privacy is top of mind to protect their customers and their business. Failing to do so will assuredly mean missing out on the incredible market opportunity of Open Banking.
About the author
Nathanael Coffing is CSO and co-founder of Cloudentity. Prior to founding Cloudentity, he founded OrchIS.io and helped build numerous technology startups leveraging his experience at Sun, Oracle, Imperva, Washington Mutual and Boeing.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.