Have Open Banking cyber concerns been overblown?

Joe McGrath, 24 Feb 2020

The financial services landscape has experienced huge changes over the past decade as the world becomes increasingly digitalised. With advances in technology unlikely to slow anytime soon, regulators are having to look closer at the protections in place for consumers.

In its recent Sector Review, the Financial Conduct Authority (FCA) warned about the vulnerabilities that come with increased data sharing, and about how companies are protecting this data and the people to whom it refers.

“Global investment by retail banks in fintechs more than doubled in 2018, reaching £85.6 billion with 2,196 deals,” the FCA’s review stated. “These changes may improve customers’ experience or security but could also present challenges for oversight and the perimeter of what is and is not regulated.”

The Open Banking model is reliant on the willingness of the consumer to share their data between banks, financial service providers and third-party companies.

“Personal and financial data are sensitive, managing the security and safe-keeping necessary to protect such data across an open framework is mission impossible,” Jens Bader, co-founder of payments service MuchBetter, argues.

“It puts the responsibility and burden of ensuring the confidential and safe handling of such data to the customer. Now, are customers generally knowledgeable and empowered to do so?”

Third party risks

The FCA specifically noted “consumer risks” as a result of new payment companies entering the financial services sector because of the lack of regulatory protection in this area.

Account information services (AIS) and payment initiation services (PIS) were also named by the regulator as they too may not comply with regulation, putting consumers at risk of financial or data loss.

“There is a need for regulators to collaborate in the development of a new set of guiding principles and supporting the growth of the regtech industry,” explains Chris Hurst, contract security lead at BT.

“Most of these developments are cloud-based, which must be leveraged holistically to support the industry, the firm and the consumer security resilience goals.”

Hurst explains that the answer is not only more regulation, but effective and efficient regulation that is both clear and responsive to change for all parties in the ecosystem.

The issue of trust between financial institutions and the customers they serve was also identified within the FCA’s sector review. Authorised push payment fraud was highlighted as a significant concern, particularly as consumers lost £168.2 million in this area alone in the first six months of 2019.

“Historically, consumers have always trusted brands they have heard of and those that have been around for a long time. This means in the past, it has been hard for new companies to gain consumer trust,” says Farhana Draine, head of legal and compliance at Flux.

“Now consumers are more trusting to new names without the legacy reputation. This new trust and technology are the key drivers for change in the financial services space.”

The trade-off for accessing these new technologies is a potentially higher risk for consumers in terms of security, warns Ms Draine, so it’s essential fintechs and regulatory bodies make any potential security risks clear when a consumer signs up.

Staying safe

Cyber-crime has naturally become an issue of contention for the regulator, with companies reporting just short of 500 incidents relating to technology and cyber within financial services last year. The most common causes were management issues, third party failures and hardware or software failures.

Mr Hurst says that the industry must now move on from its defensive, reactive security, liability shifts and compensation for consumers and move towards offensive security that protects the whole ecosystem.

“This is how it can demonstrate to consumers that it deserves their confidence and trust,” he adds.

“The industry must assess this issue through a wider lens and apply data science to address the fact that the consumer continues to pay for breaches.”

The movement towards a cashless society was the final area discussed by the FCA in the sector review, with the trend having the potential to negatively affect 1.9 million customers who frequently use notes and coins as their preferred method of payment.

“Consumer demand, new technologies and the cost of accepting cash payments is driving a shift to digital transactional banking,” the FCA said.

“Innovations in digital payments decrease cost and increase convenience and safety for both businesses and consumers. At the same time, vulnerable groups may become digitally excluded and find it difficult to participate in the financial system.”

Mr Hurst says: “The consumer is presented with a variety of ways to pay and channels through which to do it, but their objectives haven’t changed, they continue to expect that the industry will protect them from losing their money to theft and fraud.

“Ultimately, they will assume that technology is safe because it has been allowed by authorities.”