Throughout history fraudsters have been quick to exploit technological advances. Open Banking is no different. So how can organisations ensure they aren’t opening the door to criminal activity, asks Jennifer Turton…
March 2019 may be the month that will be remembered for the Brexit deadline but, in the world of Open Banking, it is also the point at which banks must have their APIs ready for testing under the second Payment Services Directive (PSD2).
A key objective of PSD2 and Open Banking is to make payments and accounts access easier, but alongside this are significant concerns over potential security issues.
Mike Haley, managing director at fraud prevention service Cifas, says: “Any new initiatives will be targeted by fraudsters – fraud is the number one growing crime and fraudsters are always looking for the weak points.
“They will test the Open Banking environment, and that is something we have seen with other initiatives, testing around the entry points.”
Awareness of data security is something that is on everyone’s radar. Research into consumer trust and spending habits conducted by payment security specialists PCI Pal found that almost a third of UK consumers would spend less with brands they perceive to have insecure data practices.
In addition, 41 per cent of British consumers said they would stop spending with a business or brand forever following a serious data breach. And it isn’t just consumers that harbour these concerns.
Research by UK law firm TLT Solicitors found that half of financial services companies are concerned about the increased fraud risk as a result of the larger ‘attack surface’ for hackers.
Two thirds of respondents said damage to customer trust and confidence where data is lost or misused is the biggest risk in relation to data sharing under Open Banking – trumping other concerns over potential data loss via third party providers and increased risks and liabilities arising from regulatory obligations.
Tim Waller, a partner at TLT, explains: “While fraud is a growing issue across the financial services spectrum, it’s important to remember that Open Banking and PSD2 also bring significant improvements to data security for banking customers. Things like encryption, tokenization and strong customer authentication requirements, for example, offer enhanced protection beyond existing services, like screen-scraping.”
Waller says security is very much at the heart of Open Banking implementation. “The UK’s Open Banking Implementation Entity, along with the CMA9 banks and fintechs, has created and agreed API specifications, security profiles, customer experience guidelines and operational guidelines to enable the secure flow of account information and secure payment initiation.”
Gary Humphrey, head of product – fraud & ID, for credit reference agency Equifax UK, agrees. “Open Banking provides an opportunity to enhance existing customer journeys by adding one of the strongest levels of customer authentication available,” he says.
“New solutions can leverage the consumer’s relationship with a bank, allowing them to authenticate their ID credentials using their online bank account. This can complement existing ID solutions, speed up customer on-boarding and mitigate against the risk of fraud.”
Haley argues that it is important to not overplay the fraud risks that Open Banking could create.
“Security has been very well thought through in the construction of the infrastructure of Open Banking and I’m confident that within the transaction there is security,” he explains. “It may well be that the fraud risk lies at the on-boarding of customers at the third-party processor (TPP) – identity fraud has increased over the last 10 years, it is now 50-60 per cent of all instances of fraud that we see at Cifas.”
Some believe that fraud detection may be even trickier, should a criminal gang decide to infiltrate the market through what appears to be a legitimate financial institution.
Robert Tharle, enterprise fraud expert at financial crime investigation platform NICE Actimize, explains: “It’s perfectly possible we will see either an outright fraudulent TPP fronting themselves as the financial institution, or one that is hacked or socially engineered in some fashion.
“This could result in fraudulent payments, account takeover (ACTO) and even more data compromises to facilitate ID Theft,” he says.
Tharle also says Open Banking could have a negative impact on a financial institution’s ability to undertake fraud profiling as more transactions are done through other organisations.
“Instead of having full control of the end to end journey via their website or app, the financial institutions will only see the customer’s end point (e.g. laptop or mobile device) at one or two points in the journey,” he says. “This makes it much harder to manage as they move from continuous authentication to a point-in-time model.”
Prevent and protect
The growing fraud risk will, however, see financial institutions increase security and ensure that the Open Banking sphere is more robust than the services currently in place.
Marcus Hughes, head of strategic business development at Bottomline Technologies, which handles business payments, says: “PSD2 requires strong customer authentication (SCA) and more robust multi-factor authentication (MFA) techniques, with exemptions only for those that can demonstrate low risk transactions up to 500 euros.
“We may see greater segmentation of payment service users, each served by a separately-regulated entity with different levels of security requirement. For example, some Payment Service Providers (PSPs) where overall fraud levels are low, may target lower-risk customers or merchants for a frictionless user experience under the SCA exemptions, while other PSPs may ring-fence higher-risk customers or merchants and apply full MFA.”
The European Banking Authority and Financial Conduct Authority have confirmed that, as part of the Regulatory Technical Standards, PSPs must “ensure integrity or confidentiality” of SCA and MFA.
With SCA, banks will require every customer to be authenticated by at least two of the following criteria: something they have, something they are, and something only they know. This could include an ID document, a biometric identifier, and a security question, for example.
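The two-of-three rule above is easy to get wrong in practice: a password plus a security question are both “something only they know”, so they count as one factor, not two. The following is an added illustration, not code from the article or from any of the organisations quoted in it. It assumes a simplified policy in which a transaction flagged as low risk and at or below the 500 euro figure quoted by Marcus Hughes is exempt, and everything else must present verified evidence from at least two distinct factor categories.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the article."""
    KNOWLEDGE = "something only they know"    # e.g. a security question
    POSSESSION = "something they have"         # e.g. an ID document, a registered device
    INHERENCE = "something they are"           # e.g. a biometric identifier


@dataclass(frozen=True)
class Evidence:
    """One piece of authentication evidence and whether it verified."""
    factor: Factor
    label: str
    verified: bool


# Assumption: the 500 euro limit quoted in the article, used here as a plain threshold.
LOW_RISK_EXEMPTION_LIMIT_EUR = Decimal("500")


def sca_satisfied(evidence: list[Evidence]) -> bool:
    """True only if verified evidence spans at least two distinct categories.

    Counting categories (not items) is the point: two knowledge factors
    do not make multi-factor authentication.
    """
    categories = {e.factor for e in evidence if e.verified}
    return len(categories) >= 2


def requires_sca(amount_eur: Decimal, low_risk: bool) -> bool:
    """Apply the simplified low-risk exemption; anything else needs SCA."""
    return not (low_risk and amount_eur <= LOW_RISK_EXEMPTION_LIMIT_EUR)


def authorise_payment(amount_eur: Decimal, low_risk: bool, evidence: list[Evidence]) -> str:
    """Return 'exempt', 'authorised' or 'sca_required' for a payment attempt."""
    if not requires_sca(amount_eur, low_risk):
        return "exempt"
    return "authorised" if sca_satisfied(evidence) else "sca_required"


# Constructed sample evidence sets (not real customer data).
PASSWORD_AND_QUESTION = [
    Evidence(Factor.KNOWLEDGE, "password", True),
    Evidence(Factor.KNOWLEDGE, "security question", True),
]
PASSWORD_AND_DEVICE = [
    Evidence(Factor.KNOWLEDGE, "password", True),
    Evidence(Factor.POSSESSION, "registered device", True),
]
PASSWORD_AND_FAILED_BIOMETRIC = [
    Evidence(Factor.KNOWLEDGE, "password", True),
    Evidence(Factor.INHERENCE, "fingerprint", False),
]

if __name__ == "__main__":
    for name, ev in [("password+question", PASSWORD_AND_QUESTION),
                     ("password+device", PASSWORD_AND_DEVICE),
                     ("password+failed biometric", PASSWORD_AND_FAILED_BIOMETRIC)]:
        print(name, "->", authorise_payment(Decimal("1200"), False, ev))
    print("low-risk 450 EUR, no evidence ->", authorise_payment(Decimal("450"), True, []))
```

The check counts categories rather than evidence items, and ignores any item that did not actually verify, which is where a naive “at least two checks passed” implementation would silently weaken SCA.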
Rene Hendrikse, EMEA managing director at digital identity verification software provider Mitek, explains: “Regulatory compliance and investment in technology will both be crucial to solving the problem of fraud in an Open Banking landscape. But it’s not as simple as just being on top of regulation or having a strong digital transformation strategy – the two must work in tandem from the very beginning to effectively combat the threat of growing fraud.”
Hendrikse says that technology, such as digital identity verification, means that banks can identify every potential customer before they open an account.
“Knowing every customer is key to keeping fraud out. What’s more, re-identifying customers after fraudulent activity has been flagged is vital, so that scammers are cut off before they’re able to game the entire ‘open’ system.”
Tharle adds: “Open Banking is another vector for social engineering, a way to confuse customers into handing over credentials or data to fraudsters. This certainly muddies the clear message that banks previously sent to customers, which was not to share your bank credentials with anyone.
“The full impact may take longer to materialise as the use cases to drive the most transformational change, large volumes of third party-initiated payments, need to be in place for customers to fully adopt Open Banking.”
Learning from the past
Financial institutions are benefiting from the rise of ‘Regtech’ – technology developments such as artificial intelligence, machine learning, robotic process automation and blockchain, designed to help address financial crime challenges.
According to World Economic Forum report The New Physics of Financial Services – How artificial intelligence is transforming the financial ecosystem, AI strategies and automation processes “ensure they are only using data for the primary purpose for which it was collected and that they are doing this in a responsible and ethical manner”.
“Regtech, technology that helps achieve regulatory compliance, will play a more important role than ever before as Open Banking grows,” Hendrikse says. “Investing in Regtech means that financial institutions will be able to put more emphasis on stopping account opening fraud and monitoring for fraudulent activity.”
He adds: “The latest AI-driven fraud monitoring tools can learn extremely precisely how to detect fraudulent activity before it even happens – this not only benefits banks but also concerned customers. The right technologies mean that banks and financial services firms can keep fraudsters out while keeping the FCA happy – ensuring their own security and adhering to regulation.”
Across the financial services industry, institutions are employing multi-factor authentication methods to validate and verify not only users, but also devices used to make those transactions.
For Jim Warner, director of operations at fintech Centtrip, 2019 is the year for championing and testing new ideas. “With September set as the PSD2 compliance deadline, no one will want to be left behind. We are already seeing acceleration in the uptake of Open Banking in the UK, Asia, Australia, US and Latin America,” he says.
“It is important for financial institutions and fintechs to collaborate to define and to agree on a common set of rules to ensure any disputes or errors that may happen in the future are resolved quickly and efficiently.”