Security and Compliance in an Open Banking World

Frederik Mennes Talks to Finextra TV About Regulatory and Market-driven Open Banking Initiatives

Across the world, financial institutions are responding to market-driven and regulatory-driven Open Banking initiatives. In this video, Frederik Mennes, Director of Product Security at OneSpan, discusses Open Banking in the UK, US, Europe, Australia, and Asia-Pacific, and the security risks financial institutions need to be aware of when interacting with third-party providers (TPPs). Learn how FIs can address these risks, as well as the challenges and opportunities Open Banking creates for neobanks.

Hannah Wallace: Hello and welcome to Finextra TV. I'm Hannah Wallace. And today we've been invited to OneSpan to talk about security and compliance in an open banking world. With me now is the Director of Product Security, Frederik Mennes. Hello, Frederik. Thank you very much for joining us.

Frederik Mennes: Hello, Hannah. Thank you very much.

Hannah: We've seen open banking initiatives crop up across the globe. Can you highlight some of the open banking initiatives at play right now?

Frederik: As you pointed out, there are many open banking initiatives around the world popping up. They are different in various respects. But broadly speaking we can divide open banking initiatives into two categories: market-driven initiatives and regulatory-driven initiatives.

Market-driven open banking initiatives are open banking initiatives whereby the policy makers, the financial regulators, leave it up to the market participants (in particular financial institutions and third-party providers), to take the initiative to launch open banking. A good example of a country where this is happening is the United States.

A while ago the US Department of the Treasury actually issued a recommendation for a regulatory approach in the United States. But this recommendation was not implemented because the US financial system is highly fragmented, often state-based, and also because of the cultural aversion against red tape that might be the result of this type of open banking regulation. But this doesn't mean that nothing is happening in the United States. Actually, on the contrary, many of the major banks in the United States have started their own open banking initiatives and are working with third-party providers like Facebook, for instance, to make sure that they can obtain, acquire additional customers and also retain their existing customers.

Besides the United States, there are also other countries, especially in Asia-Pacific, where we see a market-driven approach. This is, for instance, the case in Japan, Singapore, India, and South Korea. For instance, in Japan the regulator is not mandating banks to take any initiative, but still Japanese banks have committed to working with at least one third-party provider in 2020. And Japanese banks are committed to really doing this this year.

So, market-driven approaches exist in the world. It means that the market participants take the initiative, and it can certainly be very fruitful.

Hannah: And what about the regulatory driven initiatives?

Frederik: Besides market-driven approaches, we also have the regulatory-driven approaches to open banking. These regulatory-driven approaches have been very popular in the United Kingdom, and also in continental Europe so far. The open banking initiatives in Europe, in Continental Europe, have been mainly driven by the revised Payment Services Directive or PSD2, which has been issued by the European Commission and applies since January of 2018.

There are other regions and countries that also follow a regulatory-driven approach. For instance, in Hong Kong an approach similar to the European approach is taken, with the important difference being that financial institutions can actually choose which TPPs they collaborate with, which is very different from Europe.

But I would like to highlight, finally, the open banking approach in Australia. I believe this is the most ambitious and the most innovative approach to open banking that we have seen so far. Australia is actually moving beyond open banking and proposing an Open Data economy, whereby Australian citizens can request not only financial institutions to share their data with third-party providers, but also other companies like energy providers, telecommunications companies, etcetera.

Hannah: That's interesting. Would you say Australia is leading the way then with Open Banking?

Frederik: I think so, yes. I think their approach is very interesting, very ambitious. And I believe that over time we will see similar approaches in other parts of the world.

Hannah: I think we should talk about some of the risks open banking involves as well. What would you say are some of the most important security risks that financial institutions need to be aware of?

Frederik: Open banking brings very different security risks to both financial institutions and third-party providers such as fintech companies. It's very important that these companies deal with the security risks as soon as possible as they start participating in the open banking regime. There are largely three types of security risks that I see.

First of all, open banking means that financial institutions will open up their IT systems and share data with third-party providers, TPPs. Now, it's very important that only licensed, authorized, and therefore trustworthy third-party providers can obtain financial data from financial institutions. If an unauthorized, perhaps malicious, TPP were able to obtain financial data from a bank, this would have an enormous impact on the confidentiality as well as the integrity of financial data, which could ultimately also be negative for the reputation of the financial institutions.

Secondly, the second risk that I see relates to the authentication of the payment services users, so the users of the applications provided by the TPPs. It's very important that these users are properly authenticated when they try to access a bank account held at a financial institution. We don't want to see a situation whereby a user of a TPP application can obtain unauthorized access to a bank account that is perhaps under the control of someone else.

The final risk that I want to mention is that, well, financial institutions have to realize that TPPs now form part of the security perimeter of their IT infrastructure. So, in a certain sense, the IT infrastructure of the bank is now going to contain the IT infrastructure of the various third-party providers. So when a TPP is compromised, it could also have negative effects on the bank.

Hannah: Would you say that's complicating things then?

Frederik: Yes, it's certainly increasing the risk posture of financial institutions, and they have to be aware of this and deal with it.

Hannah: You've highlighted the risks there, so my next question, naturally, is how can financial institutions address these open banking security risks?

Frederik: Luckily, there are many ways that these risks can be addressed. The first risk was related to unauthorized access by TPPs to the open banking interfaces of financial institutions. Well, this is addressed under certain open banking regimes by requiring TPPs to digitally sign all the requests that they send to open banking interfaces. This means that TPPs would have a public-private key pair with a corresponding certificate issued by a trustworthy certificate authority to authenticate themselves when they communicate with the open banking interfaces.

The second risk that I mentioned was about authentication of the users of the TPP application. There are different approaches to addressing this risk in different open banking regimes. But if we look at the approach in Europe based on the revised Payment Services Directive, financial institutions will have to authenticate the users of TPP applications when such a user wants to access his bank account. And PSD2 pays a lot of attention to the way this authentication has to be performed: it mandates two-factor authentication, it mandates transaction authentication based on dynamic linking, and it also requires transaction risk analysis to be performed in order to spot fraudulent access attempts and fraudulent transactions.

And then finally, the third risk was about incidents happening at TPPs, like data breaches that could also impact financial institutions. And, again, PSD2 pays a lot of attention to the security of the infrastructure of TPPs. So these requirements are about creating security policies, they talk about proper network security controls, performing penetration tests to proactively detect vulnerabilities, etcetera.

Hannah: Well, you've certainly described the risks and how to address them really well there. The last thing I would like to talk to you about is neobanks and what open banking means to them.

Frederik: Neobanks are a new type of bank that typically has a digital-only approach, as compared to incumbent banks. They typically focus on the younger generation, millennials, who have a tendency to prefer digital interactions with their financial institutions. Open banking, I believe, is equally important for neobanks as for traditional incumbent banks. Neobanks are subject to the same open banking regimes as incumbent banks are, but given their preference for digital services, I believe they will be more likely to become active sooner in the open banking era than perhaps some of the incumbent banks might.

Hannah: So as well as everything else, that is definitely a space to watch. But Frederik, for now, thank you so much for sharing your insights. It's been a pleasure.

Frederik: Thank you, Hannah.
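The first mitigation Frederik describes in the interview, TPPs signing every request with a key pair whose certificate was issued by a trusted certificate authority so that the bank's open banking interface can reject unlicensed callers, can be demonstrated end to end in a short program. The code below is an added example written for this page; it is not OneSpan's code and does not reproduce any real open banking API or certificate profile. The CA names, the TPP names, the request path `/accounts/balances` and the JSON body are all constructed, and the canonical string that is signed (method, path and body hash) is one reasonable choice, not a standard from any regime.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues an ECDSA P-256 certificate. With parent == nil the certificate
// is self-signed and acts as a CA; otherwise it is signed by parentKey.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A TPP leaf certificate is only good for authenticating as a client.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// canonicalDigest binds a signature to the method, path and body of one request,
// so a captured signature cannot be reused on a different request.
func canonicalDigest(method, path string, body []byte) []byte {
	bodyHash := sha256.Sum256(body)
	h := sha256.New()
	fmt.Fprintf(h, "%s\n%s\n%x", method, path, bodyHash)
	return h.Sum(nil)
}

// SignRequest is the TPP side: sign the canonical digest with the TPP's private key.
func SignRequest(key *ecdsa.PrivateKey, method, path string, body []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, canonicalDigest(method, path, body))
}

// VerifyRequest is the bank side: the TPP certificate must chain to a trusted
// CA and be valid for client authentication, and the signature must match the
// request actually received.
func VerifyRequest(tppCert *x509.Certificate, roots *x509.CertPool, method, path string, body, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := tppCert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted TPP certificate: %w", err)
	}
	pub, ok := tppCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("TPP certificate does not carry an ECDSA key")
	}
	if !ecdsa.VerifyASN1(pub, canonicalDigest(method, path, body), sig) {
		return errors.New("signature does not match the received request")
	}
	return nil
}

// Outcome records whether the bank accepted each of three constructed scenarios.
type Outcome struct{ LicensedAccepted, TamperedAccepted, RogueAccepted bool }

// Demo builds a trusted CA, a licensed TPP under it and a rogue TPP under an
// unknown CA, then runs an intact request, a tampered request and a rogue request.
func Demo() (Outcome, error) {
	caCert, caKey, err := newCert("Trusted Open Banking CA (constructed)", true, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	tppCert, tppKey, err := newCert("Licensed TPP (constructed)", false, caCert, caKey)
	if err != nil {
		return Outcome{}, err
	}
	rogueCA, rogueCAKey, err := newCert("Unknown CA (constructed)", true, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	rogueCert, rogueKey, err := newCert("Rogue TPP (constructed)", false, rogueCA, rogueCAKey)
	if err != nil {
		return Outcome{}, err
	}
	const method, path = "GET", "/accounts/balances" // constructed sample request
	body := []byte(`{"account":"EXAMPLE-ACCOUNT","scope":"balances"}`)
	sig, err := SignRequest(tppKey, method, path, body)
	if err != nil {
		return Outcome{}, err
	}
	rogueSig, err := SignRequest(rogueKey, method, path, body)
	if err != nil {
		return Outcome{}, err
	}
	tampered := []byte(`{"account":"EXAMPLE-ACCOUNT","scope":"payments"}`) // body altered in transit
	return Outcome{
		LicensedAccepted: VerifyRequest(tppCert, roots, method, path, body, sig) == nil,
		TamperedAccepted: VerifyRequest(tppCert, roots, method, path, tampered, sig) == nil,
		RogueAccepted:    VerifyRequest(rogueCert, roots, method, path, body, rogueSig) == nil,
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("licensed TPP, intact request accepted: %v\n", out.LicensedAccepted)
	fmt.Printf("licensed TPP, tampered body accepted:  %v\n", out.TamperedAccepted)
	fmt.Printf("rogue TPP under unknown CA accepted:   %v\n", out.RogueAccepted)
}
```

Only the first scenario is accepted: the tampered body fails because the signature covers a hash of the body, and the rogue TPP fails at certificate verification before its signature is even checked, which is the property the interview relies on when it says only licensed, authorized TPPs should be able to obtain data from the bank. In a real deployment the root pool would hold the regime's actual trust anchors and the bank would additionally check revocation and the TPP's licensed roles, neither of which this example models.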

