How are trust and security intertwined in Open Banking?
Canadian banks are already well ahead when it comes to customer trust, with other financial service providers and fintechs rapidly gaining traction. Symcor and EY Canada’s 2023 Open Banking survey shows that Canadian customers’ willingness to share data is increasing year over year. This finding demonstrates a growing sentiment among Canadians that forms the basis for an Open Banking ecosystem built on trust, security and transparency.
How can Canadian financial service providers continue to maintain their reputation as pillars of public trust in a more open ecosystem?
Canadian financial service providers should continue to prioritize security throughout their business transformation and use it as an opportunity to add value to their customer touchpoints.
Building the foundation for Open Banking means new challenges, and new challenges require the adoption of new principles.
Who is responsible to help maintain trust in the Open Banking ecosystem?
Besides providing other services to key ecosystem participants, data platforms and intermediaries can facilitate secure exchanges of data in the ecosystem governed by standards and principles. They can add value by providing common cybersecurity controls, data privacy and data management governance, adhering to evolving industry standards for better customer experience and enhancing the adoption rate in the ecosystem.
Why dissolving boundaries to create trust works
The adoption of Open Banking is expected to accelerate as trust in the system grows through continued security.
Open Banking takes third-party risk management to a whole new level. As third parties become more tightly integrated with financial service providers, the traditional boundaries between entities and the services they offer will diminish. Current onboarding and periodic cyber risk assessment capabilities need to transform to a process that can rapidly facilitate customer consent, third-party connection requests and cyber risk intelligence to provide, or deny, access automatically.
Educating customers on how to combat new threats can also help ecosystem participants protect their systems from the outside in. This includes notices on how to identify suspicious applications and reminders to always verify what they are consenting to share.
Moreover, educating customers will grant them greater confidence in their ability to identify potential threats, leading to greater comfort levels when using a trusted Open Banking platform.
Adopting a zero-trust architecture
Traditional banking business models have had very clear perimeters for how customers interact with their financial service providers. As financial institutions become more intertwined through Open Data and partnerships, perimeter of customer interactions with their financial institution will gradually dissolve, which will require a fundamental shift in how financial institutions protect customer data.
Based on the enhanced integration and perimeter-less environment that accompanies Open Banking, ecosystem participants need to ensure their existing security architecture upholds the high standards of security their customers expect from them.
One of the best ways to do this is to adopt a zero-trust architecture, which will continually validate and verify access for all resources throughout Open Banking interactions and mitigate the damage caused by a potential breach of resources. These zero-trust protocols and procedures should be implemented across all infrastructure that accepts external requests for optimal coverage and protection.
Every external transaction that passes through the gateway should be monitored throughout its lifecycle to ensure legitimacy. This can be done by continuously validating the source and destination of requests, while implementing applicable data transit security controls.
API analytics should also be extrapolated from the gateway to provide insights into user behaviour. These insights can help trigger automated responses, such as restricting access, as well as feeding data into machine learning models and for third-party risk assessments.
APIs should also be designed with “least privilege,” such that they have no visibility or access into resources that are out of scope from the user’s specific request. This can help mitigate exploitation of vulnerabilities and limit incidents that can have a negative impact.
Ecosystem participants that advertise a “zero trust” philosophy and explain it in laypersons’ terms can provide peace of mind and maintain customer trust.
Managing the Open Banking API lifecycle
Customers and integrated third parties expect fast deployment and maintenance of APIs that can scale as Open Banking popularity increases.
To avoid time-consuming process disruptions, ecosystem participants should look to develop or adopt defined patterns on how APIs can be securely deployed and applied externally. Security patterns that financial service providers adopt should be designed so they are configurable for different templates, standards and guardrails that are bespoke.
By educating their business and technology teams to operate within those defined guardrails, Open Banking use cases and API development would not have to be altered or paused once they are in development.
Many of the patterns or guardrails are already available in the market, such as FAPI (Financial Grade API) standards, which include secure data transfer practices like TLS 1.2 and strong authentication techniques, such as OAuth 2.0, which can be used to establish a secure external-facing API suite.
Following FAPI will enable banks to align with established and proven API security techniques being used by financial service providers in countries further along in their Open Banking journey.
Customer trust should be regarded as the ecosystem’s most valuable asset.
To evolve Open Banking, ecosystem participants should ensure that cybersecurity remains at the heart of their design and development of processes.
Data platforms and intermediaries can play a significant role in providing capabilities to ensure adherence to security standards such as FAPI and OAuth 2.0. Further, they can also implement a zero-trust architecture for continuous improvement of existing security standards.
With that in mind, Canadian financial service providers and fintechs will be able to seize the benefits of Open Banking, maintain customer trust and extend their reach in the marketplace.
Additional contributors: Jo Lim Fat, senior manager, Business Consulting at EY Canada; Nathan Lautens, senior consultant, Technology Consulting at EY Canada; and Geetanjali, senior consultant, Technology Consulting at EY Canada