Does open banking create open fraud?

The banking industry is one of the most competitive in the world. As such, it has to stay ahead of the game to maintain customer interest. A great customer experience is a fundamental innovation that the challenger banks have taken to new levels, forcing traditional banks to look to new capabilities. One of the things that has created waves in the industry is the set of tenets in the second Payment Services Directive, PSD2. Whilst banks and other financial institutions have been in the weeds of the Secure Customer Authentication (SCA) requirement of PSD2, another part of the regulation has begun to bear fruit. Open Banking is now alive and kicking and being used to drive applications and services.

But does Open Banking create a problem when it comes to financial fraud? And how can Open Banking be used securely across an expanded ecosystem of services, with increasing transaction volumes, whilst reducing fraud?

A Quick Review of Open Banking

Open Banking is part of the EU’s PSD2 regulation; the original specification for the Open Banking API standard was released in 2017. However, this area of the regulation had a slow start until recently. The basic concept behind Open Banking is to allow consumers and small businesses to access and share financial data more easily. In the first instance, banks enacted the requirement in the form of a trimmed-down version of the API, which allowed customers to search for available ATMs and banking products. More recently, banks have matured their Open Banking offering, and the uptake of Open Banking API capability has swelled, in the UK and Europe at least. This seems to be repeated across other areas of the world, with the “Open Banking Report 2019” showing that other countries are following. Around 87% of the countries surveyed said they had open banking initiatives in readiness.

Open Banking is based on the use of an Application Programming Interface, or API. The bank essentially exposes customer data through an API. For example, a customer may wish to purchase a product; using an Open Banking-enabled service, the customer would be asked to log in to their bank account and consent to share certain data, which would then be passed to the requester. To complete the transaction

Whilst this sounds simple, the implementation must be done in a highly secure manner. However, the concept is expected to revolutionize the industry, and signs are that it is already showing progress; Plaid, an Open Banking API aggregator, was acquired by Visa for $5.3 billion earlier this year. More Open Banking aggregator vendors are entering the space, and integration with Open Banking is being made easier through initiatives such as the UK’s Open Banking Initiative.

The bottom line is that Open Banking facilitates the user-centric sharing of financial data between services. Entities that want to use Open Banking to provide products must be regulated by the FCA/EU equivalent and register as an Account Information Service Provider (AISP) and/or get authorized as a Payment Initiation Service Provider (PISP).

Open Banking Applications

As Open Banking continues to mature, more banks hop on the Open Banking rails, offering their own API to connect to. There are thousands of banks across the UK and Europe that can offer Open Banking API support. Individual vendors can connect directly to the APIs on offer or use an API aggregation platform that offers a single API connector to access, often, 1000s of Open Banking APIs. The result is a slew of products entering the market in areas such as:

Digital identity

Identity Network products and “hubs” are starting to offer a more seamless connection between retail and banking and not just to carry out a financial transaction. Identity Networks use Open Banking to utilize the KYC/CDD that a bank has performed to demonstrate an individual “is who they say they are”. Some systems are even using Open Banking to effectively ‘decouple’ from the concept of a fuller digital identity and use Open Banking data to assure a transaction without any data being held in a central identity account.

Money management and account aggregators

Open Banking allows traditional banks to swim in the same innovation pool as challenger banks. A number of banks are now starting to build products around Open Banking. For example, account aggregators allow a customer to use a mobile app to view and consolidate data across several different bank accounts.

Product matching

Several apps are entering the market that offer a financial product matching service. For example, Open Banking-enabled apps offer mortgages tailored to financial profiles.

Fraud Threats and Open Banking

With all of this personal and financial data being shared, surely there are fraud implications? Whenever financial data flows, cyber-criminals follow. The following are some of the places where financial fraud may creep in, enabled by poor implementation of Open Banking:

Fraud and transaction volume

Open Banking is designed to make it easier to transact digitally. The result is likely to be increased online financial data sharing; it may also mean increased personal data being shared if ID Network use of Open Banking takes off. Increased volumes will attract fraudsters. This is borne out by research from ACI Worldwide and Global Data. The report predicts an increase in real-time payment transactions by over 23% to 2024, which equates to around 53 billion transactions. Fraudsters are known to use massive traffic volumes to hide fraudulent activities. This is something that EastNets has explored in our surveys on fraud in the financial sector.

Keeping track of this volume of data flow requires smart, artificial intelligence (AI)-based technology. Outdated fraud detection systems cannot adapt their hard-coded rules to fast-moving, high-volume connected services.
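The contrast drawn above, as an added example that is not part of the original article: one hard-coded amount limit applied to every account, beside a per-account baseline built from each account's own history. The baseline uses a median/MAD score as a simple statistical stand-in for adaptive detection, not an ML model; the account names, amounts and cutoffs are constructed assumptions.

```python
from statistics import median

# Constructed sample data: (account, amount) payments in time order.
PAYMENTS = [
    ("acct-A", 20.0), ("acct-A", 25.0), ("acct-A", 22.0), ("acct-A", 24.0),
    ("acct-A", 21.0), ("acct-A", 900.0),      # far outside A's own pattern
    ("acct-B", 4000.0), ("acct-B", 4200.0), ("acct-B", 3900.0),
    ("acct-B", 4100.0), ("acct-B", 4050.0), ("acct-B", 4150.0),  # normal for B
]

STATIC_LIMIT = 1000.0   # assumed hard-coded rule: flag anything above this
MIN_HISTORY = 5         # assumed: payments needed before a baseline is trusted
Z_CUTOFF = 6.0          # assumed cutoff for the robust z-score


def static_rule(payments):
    """Hard-coded rule: the same limit for every account."""
    return [(acct, amt) for acct, amt in payments if amt > STATIC_LIMIT]


def adaptive_rule(payments):
    """Per-account baseline: score each payment against that account's history."""
    history, flagged = {}, []
    for acct, amt in payments:
        past = history.setdefault(acct, [])
        if len(past) >= MIN_HISTORY:
            med = median(past)
            mad = median(abs(x - med) for x in past)
            # 1.4826 scales MAD to a standard deviation; the floors stop a
            # very regular history from making every small change an outlier.
            scale = max(1.4826 * mad, 0.01 * med, 1.0)
            if abs(amt - med) / scale > Z_CUTOFF:
                flagged.append((acct, amt))
                continue  # keep flagged payments out of the baseline
        past.append(amt)
    return flagged


if __name__ == "__main__":
    print("static  :", static_rule(PAYMENTS))
    print("adaptive:", adaptive_rule(PAYMENTS))
```

On this data the fixed limit flags every routine acct-B payment and misses the 900.00 payment on acct-A, while the per-account baseline flags only that payment.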

The API connection

A single interface is great for seamless transactions. It can open up vast opportunities to innovate around an engaging Customer Experience (CX). But it is also a single point of attack. New applications that allow consolidation/aggregation of disparate accounts could be low-hanging fruit for fraudsters if not implemented securely.

API security and hygiene are crucial in any system that utilizes an Open Banking API either directly or via an API aggregator platform.

The consumer in the machine

With a more seamless and integrated banking system come issues of social engineering. Customers may become complacent about being redirected to log in to their bank via an online service. This complacency could potentially be exploited by fraudsters. Man-in-the-Middle attacks are a possible exploit, with fraudsters using a fake retail or bank front end to intercept a transaction, change an amount, and/or steal bank login credentials.

Care must be taken to ensure that connections are secure and that customers are made security aware.

Having Your Banking Open and Safe

Open Banking has enormous benefits for the entire ecosystem of players in this space. This includes banks innovating to create new products; customers having more seamless and simplified experiences; and eCommerce being able to remove barriers to sales. Open Banking facilitates the expanded ecosystem of services needed in a world where “connected everything” is swiftly becoming the default. But, as ever, cyber-criminals are looking for any opportunity to exploit these connected systems. Open Banking is bringing new anti-fraud challenges to the market that require a step-up from traditional methods of fraud checks.

The Open Banking Expo explains that to reduce fraud in Open Banking systems, stakeholders must utilize “technology developments such as artificial intelligence, machine learning, robotic process automation, and blockchain designed to assist in improving financial crime challenges.”

Smart machine-learning-based fraud detection is key in managing this new paradigm in banking. The versatility and ability to automate the detection of new fraudulent activities are crucial in a hyper-connected payment ecosystem. Vast transaction volumes place massive overload on traditional anti-fraud checking services. The flexibility of ML-enabled rules and algorithms is needed to maintain payment speed and improve accuracy in fraud detection.
