Compliance & Risks
Understanding Open Banking and the (Cyber) Security Imperatives
Open Banking has crossed the glass barrier to become commonplace, where not very long ago it was exotic. ‘Open’ is best understood in terms of access, interaction, and sharing. Take the example of an Open University, where faculty, students, courses, and content are not confined to the physical boundaries of a campus. Learning and the benefits of knowledge get democratized, benefitting the players and the eco-system. Open Banking is something akin.
This knowledge series, which I am starting with this piece, aims at opening up the fundamentals of a set of topics that are topical and current. The goal is to lay out the basics and arouse your interest to dive further, based on your own requirements and interests.
Open Banking came in steps, some small and incremental, others quantum leaps and paradigm shifts. Like digitization, Open Banking had its roots in better productivity, which includes both accuracy and speed. It also aims at the other key enhancements, which Brett King, in his well-known book Bank 4.0, calls the shifts from Products to Platforms to Experiences. As managements demanded greater efficiency and ROI, customers wanted ever-better experiences. Regulators and policy makers wanted non-discretionary elements such as transparency of charges, auditable security, and support for innovation. At the same time, the aim is that new innovative firms and new entrants are not subjected to the monopolistic practices of the large, entrenched players.
As data, whether owned, taken from public sources or taken for structured use from a partner eco-system, is at the core, Open Banking has its foundation in making data ‘Open’ for use by ‘Third Party’ service providers. The ‘Third Party’ concept is the key to understanding Open Banking. The Bank and its customers are the first and second parties, who between them hold identity, authentication, transactional, consumption and financial data. Consider a financial transaction that takes the form of a payment. A customer has ordered merchandise on an e-commerce site, and the seller needs confirmation and payment in a fast and reliable way so that it can improve the customer experience by delivering the goods or services promptly. In the earlier ‘Closed Banking’ system, the customer's mandate, in the form of a cheque or letter, had to reach the counters of the Bank, followed by several steps such as signature verification, limit verification and arrangement verification before the process could be completed. In the Open Banking world, the task is completed using the ubiquitous API, or Application Programming Interface. Under this model, computers talk to each other through pre-agreed, pre-programmed and secured code, called interfaces, to share and validate data virtually, and to record and settle transactions.
The Third Parties, which are mainly tech startups and online financial services vendors, offer huge innovation-led advantages to customers in the form of new products, experiences, speed, visualization and benchmarking. However, they are constrained by data and by access to customer information. Therefore, they must have the ability to access such data in order to provide their products and services. The Banks, which are the custodians of this data, need a framework to provide it, and must also derive some benefit from such sharing, since they incur the costs of data storage and management.
The policy makers aim at providing systemic stability and growth while preventing data breaches, privacy compromises and frauds. The entire framework that handles this move forward is known as the Open Banking framework. The customers benefit from access to innovation, the Third Parties monetize their innovation, and Banks get aggregated MIS and analytics, enabling them to create new product and service offerings.
As much as APIs are at the core of Open Banking, what really happens? The essence of Open Banking is the creation of open data networks. The basic foundation of a network is connectedness. For example, in a road network, roads, bridges and interchanges must be built, and the density of traffic and the types of usage must be assessed and factored in, so that the appropriate technology and lane architecture can be deployed. Open Banking is very similar. The individual modules of such networks are created and made accessible based on the underlying technology, integration, contracts, arrangements and usage guidelines.
The beginning of open architecture in banking was a ‘one to many’ architecture built on an aggregator network. In this model, based on consent and permission, an aggregator could call, through APIs, the data of a particular customer held by many entities, directly from each of those entities, and then aggregate, analyze and display it for the benefit of the customer. When we make this ‘many to many’, with the deployment of technology such as context-sensitive IoT, AI, algorithms and visualization, we get Open Banking. Appification moves a large amount of computing to the endpoint: your mobile or tablet works as an endpoint, as it hosts third-party apps, takes your consent, and pulls or pushes data from and to your banks. The beauty of Open Banking, like the open university model, is that the consumer is part of the delivery of value. She decides and defines her own limits and levels, decides the pace of completion, and chooses the device and the network. The provider of Open Banking supplies the innovative technology and interfaces.
As with anything that is open, the risks and security aspects of Open Banking can never be over-emphasized. Convenient access to financial data and services exposes the players to data breaches, privacy compromises, malware attacks and damage to the security of customer data. All of these could lead to actual losses and potential claims.
As data is shared with third-party providers, unauthorised access is a real possibility: hackers may exploit vulnerabilities in the ubiquitous APIs and gain unauthorized access. Malware and phishing attacks are also a strong possibility, by mimicking the original websites of banks and tricking customers. Open Banking also suffers from the threat of a lack of standardization and support, which could compromise the standard cyber risk management protocols that are followed in non-open software. Insider threats are also accentuated in Open Banking because of the multiplicity of players and platforms. The cloud plays a predominant role in Open Banking, due to the nature of the concept.
There are multiple ways in which the risks of Open Banking are managed. As McKinsey mentions in their March 2023 article on CEO actions, managing the risks from disruptive technologies such as Open Banking occupied the minds of most CEOs. Familiarization is critical to preventing and managing security incidents. At the same time, transparency of technology and operations will always be a moving challenge, as Open Banking gets deployed more and more. There is near unanimity that regular assessment of the security posture, VAPT of the API library, and collaborating with the regulators to work towards common security standards for Open Banking will be the key to making Open Banking secure while harnessing its great potential.
Some of the developed countries have started articulating and deploying standards for the APIs that are proposed to be used in Open Banking. For example, in the UK, the Financial-grade API (FAPI) standard prescribes a separate data authorization framework and security provisions for both servers and clients. How securely these APIs get configured can also pose a risk.
It is therefore critical to deliver a platform-based approach to addressing and containing these cyber challenges for Open Banking infrastructure at scale. At the same time, adherence to global and local regulatory norms is non-negotiable, whether it is securing the cloud infrastructure (one of the key components in building an Open Banking platform), application modernisation, minimising breaches from misconfiguration, or ensuring secure authentication. From the risk and governance aspect, managing attack surface risk, i.e. discover, assess and remediate across the attack surface, with a real-time risk score and posture and the ability to prioritize, will be fundamental to adopting a platform-led delivery approach. Deployment via security as code, with API-enabled tools that support continuous integration and delivery by baking security controls directly into developer processes, is absolutely necessary to securing the complete SDLC journey.
Security across cloud and endpoints with over-arching XDR capabilities, providing comprehensive detection and response and risk insights, coupled with security analytics and threat intelligence, along with API security and data privacy, are some of the very important considerations for delivering secure Open Banking services.
Among the best practices, encrypting exposed web applications' data in transit and at rest, implementing strong authentication and access controls, and following secure software development methods will go a long way in thwarting risks early. Regular security assessments and incident response planning can also help to identify and address potential vulnerabilities and threats. Accelerating compliance by automating security controls will also be the need of the hour.
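To make the FAPI and access-control points above concrete, here is an added example (not code from this blog, the author, or Trend Micro) of the check a bank's API resource server can run before releasing one customer's account data to a third-party app. FAPI requires access tokens to be sender-constrained, and the usual mechanism for that is mutual-TLS certificate binding (RFC 8705): the token carries a `cnf` claim with the `x5t#S256` thumbprint of the client certificate, and the server refuses the request if the certificate on the connection does not match, so a stolen token is useless without the matching private key. The example then layers the customer's consent on top: the token is only honoured for the permissions and accounts the customer actually consented to. The `Consent` record shape, the `consent_id` and `client_id` claims, the sample certificates and the consent data are all constructed assumptions; signature verification of the token is assumed to have happened upstream.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass


def x5t_s256(cert_der: bytes) -> str:
    """Certificate thumbprint in the form RFC 8705 puts under cnf['x5t#S256']:
    base64url(SHA-256(DER-encoded certificate)) with the '=' padding removed."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass(frozen=True)
class Consent:
    """Customer consent as stored by the bank (hypothetical record shape)."""
    consent_id: str
    customer_id: str
    permissions: frozenset   # e.g. {"accounts:read"}
    account_ids: frozenset   # accounts the customer agreed to expose
    expires_at: float        # UNIX time
    status: str = "authorised"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize_data_request(token_claims, presented_cert_der, consents,
                           account_id, permission, now):
    """Decide whether a third-party request for one account may proceed.

    token_claims       -- claims of the access token (signature assumed checked upstream)
    presented_cert_der -- DER bytes of the client certificate seen on the mutual-TLS session
    consents           -- mapping consent_id -> Consent
    """
    if token_claims.get("exp", 0) <= now:
        return Decision(False, "token_expired")
    # Sender constraint: the token must be bound to the certificate actually presented.
    expected = token_claims.get("cnf", {}).get("x5t#S256")
    if not expected:
        return Decision(False, "token_not_sender_constrained")
    if not hmac.compare_digest(expected, x5t_s256(presented_cert_der)):
        return Decision(False, "client_certificate_mismatch")
    # Scope granted to the client at the authorization server.
    if permission not in token_claims.get("scope", "").split():
        return Decision(False, "scope_missing")
    # Customer consent: the narrowest control, checked last.
    consent = consents.get(token_claims.get("consent_id"))
    if consent is None or consent.status != "authorised":
        return Decision(False, "consent_not_authorised")
    if consent.expires_at <= now:
        return Decision(False, "consent_expired")
    if permission not in consent.permissions:
        return Decision(False, "permission_not_consented")
    if account_id not in consent.account_ids:
        return Decision(False, "account_not_in_consent")
    return Decision(True, "ok")


def audit_line(decision, token_claims, account_id, permission, now):
    """One structured audit record per decision, for the SOC and for regulators."""
    return (f"ts={int(now)} client={token_claims.get('client_id', '?')} "
            f"consent={token_claims.get('consent_id', '?')} account={account_id} "
            f"permission={permission} allowed={decision.allowed} reason={decision.reason}")


# --- constructed sample data (not real certificates or tokens) ---
NOW = 1_700_000_000.0
TPP_CERT = b"constructed-der-bytes-for-the-legitimate-tpp-certificate"
OTHER_CERT = b"constructed-der-bytes-for-some-other-certificate"

CONSENTS = {
    "cons-1": Consent("cons-1", "cust-42", frozenset({"accounts:read"}),
                      frozenset({"acct-001"}), NOW + 86400),
}

TOKEN = {
    "client_id": "tpp-fintech-app",
    "consent_id": "cons-1",
    "scope": "accounts:read",
    "exp": NOW + 600,
    "cnf": {"x5t#S256": x5t_s256(TPP_CERT)},
}


def run_scenarios():
    """Return {scenario_name: Decision} for a few representative requests."""
    def ask(token, cert, account, permission):
        return authorize_data_request(token, cert, CONSENTS, account, permission, NOW)

    return {
        "legit_request": ask(TOKEN, TPP_CERT, "acct-001", "accounts:read"),
        "token_presented_with_other_cert": ask(TOKEN, OTHER_CERT, "acct-001", "accounts:read"),
        "account_outside_consent": ask(TOKEN, TPP_CERT, "acct-999", "accounts:read"),
        "scope_not_granted": ask(TOKEN, TPP_CERT, "acct-001", "payments:write"),
        "expired_token": ask({**TOKEN, "exp": NOW - 1}, TPP_CERT, "acct-001", "accounts:read"),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {audit_line(decision, TOKEN, '-', '-', NOW)}")
```

Note the order of the checks: token validity and certificate binding first, then the OAuth scope, then the customer's consent, so that the cheapest and most general rejections happen before any consent record is looked up, and every outcome, allowed or not, produces an audit line that a detection team can alert on (for instance, a burst of `client_certificate_mismatch` from one client).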
The promise of Open Banking is huge, due to its innovation core and decentralized architectures. Newer customer journeys are likely to be on-boarded onto Open Banking protocols in the coming days. Their success, however, will be defined by how securely we build these journeys for the end user and the entities involved. This points to the fact that as the innovative potential of Open Banking is subjected to continuous improvement, so should be the security of its components. It has to be a collaborative effort. The Reserve Bank of India, in its latest series of guidelines, including those related to open source and outsourcing, has been emphasizing a set of standard best practices, including references to global best practices, which are very instructive and are in line with the recommendations provided in this blog. Security is an evolving and ever-enhancing subject, and we must continuously improve the way we do security for Open Banking.
To learn more about securing open banking platforms, please refer to Trend Micro’s documents:
Mrutyunjay Mahapatra
Independent consultant, Author, Public Speaker, Digital leader, and Senior Banker. Presently, member of the Governing Council of Reserve Bank Innovation Hub, Member of the Board of Supervision of NABARD. Former MD & CEO, Syndicate Bank, Former Dy. Managing Director, and head of Digital, IT and Strategy at SBI and Member of Corporate boards including Canara Bank, NPCI, DSCI, C-Edge and others.