Open banking is still relatively new and, in principle, the risks of fraud are lower than with other online payment methods such as credit and debit cards. But is this actually true? Are there potential vulnerabilities in open banking that aren't present with existing banking and payment methods?
The open banking regulations in the UK and Europe have only been in force for a couple of years. Although the underlying PSD2 (Revised Payment Services Directive) EU regulation came into existence in early 2016, it wasn't fully enforced until September 2019. Since then, the number of FinTechs and other companies - officially known as Third Party Providers or TPPs - making authorised accesses to bank customer accounts has steadily increased.
Some FinTechs use transaction data from banks to help their customers budget, apply for loans and manage their money. Others offer online payment services that are faster and more convenient than other payment methods. All of this is possible thanks to open banking APIs, which provide standardised methods of access to transaction data and payment protocols for authorised TPPs.
According to Jack Wilson, Head of Policy at TrueLayer, an open banking Trusted Service Provider (TSP) and intermediary that provides open banking APIs and related services, open banking doesn't increase risk. "Open banking payments are simply an overlay on existing payment systems," says Wilson. "Instead of a customer logging on to online banking to make a manual bank transfer to pay someone, an open banking provider enables the customer to initiate that payment more easily, for example within an app or on a merchant website."
Wilson also points out that any payment initiated through open banking must be strongly authenticated with two forms of banking credential; that if money is taken without authorisation, the customer is entitled to a refund from their bank; and that the same applies if the money does not reach the designated recipient. He adds that open banking can actually reduce the risk of fraud: no card details are shared, so there are none to be stolen and used fraudulently. Open banking payments already require Strong Customer Authentication (SCA, a form of two-factor authentication), which card issuers aren't required to implement until September this year.
Kieran Hines, Senior Analyst, Banking, at Celent, broadly agrees. "When it comes to open banking payments," says Hines, "the requirement for strong customer authentication means that customers must run through the same authentication path as for logging into their bank's online or mobile service, which should provide a high degree of security." However, Hines adds that "you can never eliminate risk," pointing out that any new channel or means for customers to access their data or initiate a payment will carry some degree of risk. The question is how this is managed by banks and the wider industry.
It's a question that broadens the definition of risk. The risk to the customer appears to be small, since the banks are legally obliged to make good any fraudulent losses. But what of the potential for risk to the banks?
This is an area that interests Matthias "mk" Kröner, thought leader within the global financial services community and co-founder and former CEO of Fidor Group. "I would say that the biggest risk I see today is banks that are not prepared for the digital age," he says. "Having a bank that is starting a digital journey but is not yet digital-savvy, that is the biggest risk that can occur in the market."
Kröner acknowledges that there's also a potential fraud vector relating to the APIs through which open banking transactions take place, but he doesn't consider it significant. Such APIs are protected by encrypted and signed calls and responses, and so shouldn't be any more vulnerable than other methods of accessing online banking. "A bank that is not fit and proper for the digital age is a way bigger problem," he says.
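To make the "signed calls and responses" point concrete, here is an added illustration (not code from the article or from any open banking scheme) of what a detached signature over an API request buys the receiving bank. It is deliberately simplified: the shared HMAC key is a stand-in for the asymmetric signatures real schemes use (the TPP signs with a private key and the bank verifies against the TPP's certificate), transport encryption is assumed to happen separately in TLS, and the field names, key and timestamps are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed secret standing in for the TPP's signing key (assumption: real
# schemes use asymmetric keys; HMAC keeps this example stand-alone and offline).
SIGNING_KEY = b"example-tpp-signing-key-not-for-production"
MAX_SKEW_SECONDS = 60  # how stale a signed request may be before it is refused


def canonical_payload(body: dict) -> bytes:
    """Serialise the body deterministically so sender and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_request(body: dict, key: bytes, issued_at: int) -> Dict[str, str]:
    """TPP side: produce headers carrying a detached signature over timestamp + body."""
    to_sign = str(issued_at).encode("utf-8") + b"." + canonical_payload(body)
    signature = hmac.new(key, to_sign, hashlib.sha256).hexdigest()
    return {"x-signature": signature, "x-signature-timestamp": str(issued_at)}


def verify_request(body: dict, headers: Dict[str, str], key: bytes, now: int) -> Tuple[bool, str]:
    """Bank side: reject unsigned, stale or tampered requests. Returns (accepted, reason)."""
    try:
        issued_at = int(headers["x-signature-timestamp"])
        presented = headers["x-signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    # Binding a timestamp into the signed bytes lets the bank refuse old requests
    # that are resent verbatim; the signature alone would still verify on them.
    if abs(now - issued_at) > MAX_SKEW_SECONDS:
        return False, "signature timestamp outside acceptance window"
    to_sign = str(issued_at).encode("utf-8") + b"." + canonical_payload(body)
    expected = hmac.new(key, to_sign, hashlib.sha256).hexdigest()
    # Constant-time comparison so the verifier does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, presented):
        return False, "signature does not match body"
    return True, "ok"


def demo() -> Dict[str, object]:
    """Walk an honest request, a tampered copy and a stale resend through the verifier."""
    now = 1_700_000_000  # constructed fixed clock so the run is repeatable
    payment = {  # constructed payment-initiation body
        "amount": "25.00",
        "currency": "GBP",
        "payee_account": "12345678",
        "reference": "INV-1001",
    }
    headers = sign_request(payment, SIGNING_KEY, now)

    honest_ok, _ = verify_request(payment, headers, SIGNING_KEY, now + 5)
    # Attacker on the path rewrites the payee but cannot re-sign without the key.
    tampered = dict(payment, payee_account="87654321")
    tampered_ok, tampered_reason = verify_request(tampered, headers, SIGNING_KEY, now + 5)
    # The original, correctly signed request resent an hour later.
    stale_ok, stale_reason = verify_request(payment, headers, SIGNING_KEY, now + 3600)

    return {
        "honest": honest_ok,
        "tampered": tampered_ok,
        "tampered_reason": tampered_reason,
        "stale": stale_ok,
        "stale_reason": stale_reason,
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The signature covers a canonical form of the body rather than the raw bytes, because intermediaries routinely re-serialise JSON; without canonicalisation an honest request can fail verification and a verifier tempted to loosen the check loses the integrity guarantee. Note what the signature does not do: it says nothing about whether the customer actually consented to this payment, which is the job of the strong customer authentication step the article describes.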
In that respect there are significant differences around the world, and Kröner says this is largely due to different approaches to banking regulation. "Looking at Singapore, for example, the regulator tells the banks, 'we are shaping the market and we want you to be digital.' The regulator even oversees the banking user experience and holds digital 'beauty contests' to keep the market on its toes." Singapore also has the APIX initiative, which is an open exchange for know-how and solutions-sharing between young FinTech companies and incumbent financial services institutions. "This comes with a two-sided sandbox," says Kröner, "so on one side the incumbents can check their solution to a problem, while on the other hand the FinTech innovator can double-check its own requirements from the incumbents."
This is as one might expect from a small country with no natural resources to speak of, only intellectual ones. In banking and related matters, "Singaporeans tend to be ahead but European banks are not really picking up on this," says Kröner. He adds that, "the UK regulator is more similar to the Singaporean one than to European regulators. Maybe Brexit is pushing this, making it an incentive."
What's wrong with the European approach? Kröner gives the example of Germany: "The German regulator will say that shaping the market is not our job; ours is prudent regulation to protect German deposits. We do not influence the value proposition of banks because this is the decision-makers' jobs, and the shareholders'."
That may not sound like a source of risk, but Kröner believes that it is, because eventually the German banks will have to embrace open banking or lose business to competitors. The point at which they enter is what determines the risk level. "The risk of being a naive newcomer, in terms of cybercrime and fraud, is massive, simply massive," says Kröner. Yet it's understandable that banks would focus on their core business, being wary of entering new, dynamic markets until those markets have technically matured.
Banking-as-a-Service may be the solution, particularly for smaller banks that have a clearly defined focus and customer base. Instead of trying to expand their product range in-house, they can test the water with a ready-made solution whose security has already been exercised by many other open banking participants. The upside is that this reduces the 'naive newcomer' risk. The downside is that it's not really practical to differentiate services, to have a unique selling proposition, when using Banking-as-a-Service.
So although the risks of open banking are very low for customers, the same cannot necessarily be said for banks. Sooner or later, even the most reticent bank will have to face those risks.