Decades ago, accessing and managing financial data was a distant and exhausting process for consumers. However, in recent years, financial innovation has simplified and humanised the digital banking experience, with a little something we call Open Banking.
Very simply put, Open Banking allows the secure sharing of consumer banking data, enabling banks to get a more accurate sense of an individual’s financial condition and risk level, in order to present the best products and services for each specific client. Customers, on the other hand, get a much better understanding of their financial situation, and achieve more control over their finances and financial data.
But what exactly defines Open Banking? What advantages does it bring to banks and customers all over the world, and what challenges come with that flexibility and ease of access to financial services? The answers lie ahead.
What is Open Banking?
Open Banking is the practice of securely sharing consumer banking, transaction, and other financial data between banks and Third-Party Providers (TPPs), using Application Programming Interfaces (APIs). Before Open Banking was a reality, the same financial data was managed solely by big banks, so consumers could neither manage it easily nor access it across different platforms, as they can today.
The Open Banking concept serves two main purposes:
- Promote healthy competition and innovation within the banking ecosystem.
- Improve the overall customer experience.
The global Open Banking market has been growing exponentially: it was valued at $7 billion in 2018, $20.07 billion in 2022, and is expected to reach $135.17 billion by 2030, at a compound annual growth rate of 27.2%.
This striking growth is essentially driven by the emergence and refinement of technologies and services like Cloud Computing, Artificial Intelligence (AI), Machine Learning (ML), Blockchain and, of course, APIs.
TPPs: what (and who) are they?
TPPs are organisations that interact with banks to facilitate communication and provide services to customers. They can be of two types:
- Account Information Service Provider (AISP): they act on behalf of the bank to access consumers’ information.
- Payment Initiation Service Provider (PISP): they act on behalf of consumers to initiate payments.
Specifically, TPPs can be fintech providers, online retailers, insurance companies, among others.
Brief history and milestones
Although Open Banking has only become a practice in recent years, the roots of the concept can be traced back to the 1980s, after an experiment conducted by the German Federal Post Office.
Nonetheless, the first real milestone that contributed to making Open Banking a reality happened only in 2007, when the European Commission released the first Payments Services Directive (PSD1). This regulation was extremely important to increase competition, transparency, and the overall quality of service in the financial sector. It was also responsible for the birth of Payment Service Providers (PSPs) and the growth of fintechs.
More recently, in 2018, the PSD2 was adopted as a substitute for the PSD1, having a significant impact on banking institutions by requiring all banks to grant Open Banking API access to authorised TPPs.
The technology behind it
There are four fundamental technologies behind the growth of the Open Banking industry:
- Application Programming Interface
An API is a set of code and protocols, written in a programming language, that works as an intermediary, enabling two software applications to communicate with each other. Specifically within the banking industry, this technology is responsible for making banks’ services available to TPPs, securely and in real time.
- Cloud Computing
This technology enables the processing of large amounts of data in real time, which is crucial when dealing with the need to authenticate financial transactions initiated via API. Cloud Computing is a trustworthy, flexible and scalable solution that helps banks handle massive data volumes while reducing expenses, since they don’t need on-premises hardware to do so.
- Artificial Intelligence / Machine Learning
AI and ML algorithms can help banks in various ways: (1) to effectively analyse data and improve the speed of transactions; (2) to provide valuable insights on how to optimise processes, products, services; (3) to prevent, detect and respond to potential fraudulent actions.
- Blockchain
One of the main obstacles in the way of Open Banking is the fact that consumers are still hesitant to share their financial details with third parties. Blockchain is a viable solution to this problem because it provides full control over one’s information, giving clients the power to choose which data to share, with whom, and when. In other words, blockchain-based solutions provide a high level of privacy protection.
Future challenges for software developers who work in the Open Banking sector include:
- Ensuring fast-paced production while keeping up with market trends.
- Incorporating security into the software development process, while ensuring the software evolves to respond to online threats.
Benefits and risks of Open Banking
Apart from bringing in more competitiveness, innovation, and improving the customer experience, Open Banking presents other significant advantages, both to banks and customers:
- More transparent financial transactions and processes.
- Stimulation of financial literacy among consumers, who naturally become more involved.
- Increased efficiency and simplification of payments and transfers (due to the centralisation of services).
- Data ownership and protected privacy, meaning customers can control who accesses their financial data and when.
- Data categorisation (segregating raw data into different categories) as a way of helping users understand how they’re spending their money and how they can optimise that spending.
But because there’s always a dark side to innovation, Open Banking also carries certain technical risks, namely:
- Fragmented customer experience: it can happen if banks do not adopt Open Banking standards as quickly or as effectively as expected.
- Technical problems: given that the Open Banking technology is relatively new, there is always a possibility of new technical problems arising.
- Fraud: the fact that Open Banking involves multiple parties, interconnected services and easy access to information increases the risk of fraudulent actions.
However, the two main issues related to Open Banking have to do with cybersecurity and data privacy, both arising from the sharing of customer data with TPPs. Let’s explore both of them in greater detail.
There is no way around this: in order to improve the customer experience, as well as the efficiency and transparency of payment systems, we need to rely on customers' financial data. That is, however, fertile ground for cyberattackers.
Alter Solutions’ cybersecurity expert Vianney Dive-Levent identifies two major cybersecurity risks associated with Open Banking, which can lead to other equally important threats:
- API misconfiguration
“Currently, only a few TPPs are licensed, allowing the Open Banking service to work. However, if an API is poorly developed, it can easily reveal personal information (which was the case with more than 50 banking / fintech APIs, according to a 2019 study). Since fintechs are often startups with no more than 20 employees, security is not always at the forefront.”
- Data breaches
“By increasing the number of trusted partners on our banking applications, we necessarily increase the risk of data leaks, in several possible ways, for example through ransomware or DDoS [Distributed Denial-of-Service]. As previously mentioned, security in small fintech companies is not always perfect. So, if a data leak occurs, it could provide access to databases containing financial information.”
How to reduce cybersecurity risks?
So, practically speaking, what can be done to limit the risk of malicious cyber activity and protect against API vulnerabilities and data exposure? There are three aspects to consider:
Companies developing Open Banking technology
The first fundamental measure is for these organisations to implement the Security by Design principle. “It is essential to think about security and put it at the heart of the business,” Vianney believes. Here’s how to achieve that:
- Implement the security measures required by data protection regulations, such as the General Data Protection Regulation (GDPR) or the PSD2, the latter of which requires strong authentication for all digital transactions.
- Test security throughout the project by regularly auditing the API, as well as the company's information system. Preventive measures like testing the code, scanning the system for vulnerabilities, and verifying that logging works help prepare for an attack.
TPPs looking to deploy an Open Banking API
Technically speaking, several strategies can be employed by TPPs to reduce security risks. Alter Solutions’ cyber expert identifies the following:
- Enforce strong authentication through the use of Multi-Factor Authentication (MFA) by users, as well as mutual Transport Layer Security (mTLS), in which both parties authenticate each other using TLS certificates.
- Use a validated authorisation method, such as OAuth 2.0 or OpenID Connect (OIDC).
- Have robust encryption methods, particularly for fund transfers, with at least TLS 1.2.
- In Europe, the PSD2 recommends some standards for Open Banking, like ISO 20022 (for all financial standards initiatives), and ISO 27001 (regarding security, cybersecurity, and privacy protection).
- Sanitise all input data on the API or the user application to make sure that common vulnerabilities, like Cross-Site Scripting (XSS) or other injection attacks, aren’t possible.
- Set up a logging system to detect unusual activity, or other patterns that may indicate a security threat. This is probably the hardest part: with a lot of logs and API calls, you need a powerful analysis system, using Machine Learning and Artificial Intelligence, to identify a problem on your specific API.
- Set up a Web Application Firewall (WAF) to filter HTTP traffic between the web application and the Internet, providing an additional layer of security against common web application attacks.
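As an added illustration of the logging point above (example code, not from the article or Alter Solutions), the following checks a few constructed Open Banking API access log lines against a constructed consent registry: every TPP name, consent id, account id and the log format are assumptions. It flags accesses that the cited consent does not cover (wrong TPP, account or scope) and TPPs producing a burst of authorisation failures, the kind of "unusual activity" the log analysis should surface and a hint that a token may need revoking.

```python
from collections import Counter

# Constructed consent registry: consent id -> (TPP it was issued to, accounts covered, scope)
CONSENTS = {
    "c-1001": ("tpp-alpha", {"acc-11", "acc-12"}, "accounts"),
    "c-2002": ("tpp-beta", {"acc-21"}, "payments"),
}

# Constructed log lines: timestamp tpp consent account method/path status
LOG = """\
2024-05-01T10:00:01Z tpp-alpha c-1001 acc-11 GET/accounts/acc-11/transactions 200
2024-05-01T10:00:02Z tpp-alpha c-1001 acc-12 GET/accounts/acc-12/balances 200
2024-05-01T10:00:03Z tpp-alpha c-1001 acc-99 GET/accounts/acc-99/balances 200
2024-05-01T10:00:04Z tpp-beta c-2002 acc-21 POST/payments 201
2024-05-01T10:00:05Z tpp-beta c-2002 acc-21 GET/accounts/acc-21/balances 200
2024-05-01T10:00:06Z tpp-beta c-1001 acc-11 GET/accounts/acc-11/balances 200
2024-05-01T10:00:07Z tpp-gamma - - GET/accounts/acc-11/balances 401
2024-05-01T10:00:08Z tpp-gamma - - GET/accounts/acc-12/balances 401
2024-05-01T10:00:09Z tpp-gamma - - GET/accounts/acc-21/balances 401
"""

def parse(line):
    ts, tpp, consent, account, endpoint, status = line.split()
    return {"ts": ts, "tpp": tpp, "consent": consent, "account": account,
            "endpoint": endpoint, "status": int(status)}

def review(log, consents, fail_threshold=3):
    """Return (tpp, reason) findings: accesses the cited consent does not cover,
    plus TPPs with at least fail_threshold rejected calls."""
    findings, failures = [], Counter()
    for line in filter(str.strip, log.splitlines()):
        e = parse(line)
        if e["status"] in (401, 403):      # rejected call: count it, nothing to scope-check
            failures[e["tpp"]] += 1
            continue
        if e["consent"] not in consents:
            findings.append((e["tpp"], f"unknown consent {e['consent']}"))
            continue
        owner, accounts, scope = consents[e["consent"]]
        if owner != e["tpp"]:              # consent presented by a TPP it was not issued to
            findings.append((e["tpp"], f"used consent {e['consent']} issued to {owner}"))
        elif e["account"] not in accounts:  # account the customer never consented to share
            findings.append((e["tpp"], f"account {e['account']} outside consent {e['consent']}"))
        elif e["endpoint"].split("/")[1] != scope:  # e.g. payments consent used to read accounts
            findings.append((e["tpp"], f"{e['endpoint']} outside scope '{scope}'"))
    # A burst of 401/403s from one TPP hints at token misuse or credential guessing
    findings += [(t, f"{n} authorisation failures") for t, n in failures.items()
                 if n >= fail_threshold]
    return findings
```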
Customers benefitting from the Open Banking ecosystem
The most important thing is to be educated on security best practices, such as “what a phishing e-mail could mean, the importance of using strong passwords and protecting personal data,” our cybersecurity expert explains. “Also”, he adds, “it is important to find out about the potential TPPs you want to register with: is this provider new? What certification do they have? What does the API allow if I validate it? What data does it collect? Indeed, these APIs allow access to banking information, so it is the users’ responsibility to be aware of who they’re going to trust.”
What to do in case of a data breach?
If all these preventive measures fail and a data breach still occurs, there are a few recommended steps for financial organisations to take. Vianney identifies the following:
- ‘Common’ crisis management: create a crisis unit with the concerned entities (IT, Cybersecurity, Communication, Business Unit, etc.). Then, if the threat comes from within the Information System (IS), isolate it and determine where it comes from, by using the logs.
- Contact the partners (banks, TPPs, users) and inform them that an attack has occurred. It is then necessary to support users and revoke active tokens to limit access to user data.
- Users must change their passwords and all access credentials to the bank account(s) using the API. It is also recommended to disable the authorisation of the attacked API.
- After the forensic analysis, the attacked financial organisation must put in place the required remediation. The company must also be audited again, to confirm that it complies with the security rules required by the various mandatory certifications.
In the near future, what emerging threats should financial institutions be prepared for in the context of Open Banking? Our cybersecurity specialist identifies three possible trends:
- Combination of AI and Social Engineering
“It will be possible to carry out increasingly precise and specific phishing campaigns thanks to AI technologies. They can be devastating, like the use of deepfake or an AI-generated voice from a friend or family member to gain access to certain accounts, or to redirect to a false TPP asking for credentials.”
- Supply chain attacks
“These attacks work by targeting an organisation's third-party vendors, or partners, in order to reach the primary target. In the case of Open Banking, we could imagine a TPP using a malicious dependency, wishing to attack a specific user, or a bank.”
- Advanced Persistent Threat (APT)
“An increasingly popular threat that aims to remain in the information systems of targeted organisations without being detected, in order to extract as much information as possible. This type of attack can be a godsend for an attacker: by exfiltrating the logs of a TPP, they could collect personal information in a stealthy way.”
Data privacy concerns
Alter Solutions’ Data Protection Officer (DPO), Inès Chenouf, agrees with Vianney Dive-Levent when it comes to the major risks posed by Open Banking, but her focus is much more on the damages a data breach can have for everyone involved: “It has negative effects on data subjects (physical, material or moral damages) but also on companies (economic damages, reputational damage, loss of know-how, etc.).”
According to her, apart from educating themselves on security best practices, like Vianney said, customers should also be aware of their rights and the regulations in place to be able to prevent the harmful consequences of data breaches.
So, how can users maintain control over their financial data?
There are several ways to ensure this, according to our DPO. First of all, there are procedures and frameworks in place to regulate the use of customers’ personal and confidential data. “At the EU level, the GDPR stipulates that customer consent must be obtained. Consent must be explicit, freely given, informed, and unambiguous,” Inès clarifies, while noting that “consent can be withdrawn at any time.”
Then, she adds, “in order to have control over your data, you must be aware of how it is used. No consent should be given in exchange for commercial or other offers, such as refunds or cashbacks. Customers must be able to know where their data is going. As a general rule, this is done by means of documentation made available by the banks.”
“In addition,” Inès points out, “to strengthen users’ confidence in the banking sector and to face the upsurge in cyberattacks, the Digital Operational Resilience Act (DORA), which applies throughout the EU, is aimed at managing IT risks for entities. This means entities will have more obligations to achieve a high level of IT resilience and secure data.” It’s definitely a step towards building more confidence and security for all those engaged in the Open Banking world.
Learning how to overcome the complex challenges mentioned by our cybersecurity expert and our DPO is a huge priority for everyone involved in Open Banking – now and in the near future.
Dealing – preventively and reactively – with challenges like those is something Alter Solutions can help companies with, namely through services like Cybersecurity Management, Architecture and Solutions Integration, Audit & Pentesting, and Cyberdefence.
Open Banking in numbers
- Worldwide transactions in 2023: $57 billion.
- Expected API calls in 2027: 580 billion (growing from 102 billion in 2023).
- Open Banking users in Europe in 2024: 63.8 million.
- Financial executives who perceive Open Banking as a high priority: 83%.
- Number of fintechs in Europe per 1 million people: 2.