Traditional banks understand that in order to better compete in the industry, they must develop more user-friendly Open Banking apps to avoid losing customers to fintech startups whose easy-to-use apps and digital services help people find better deals on loans and more. As a result, many financial services firms such as PayPal, Wells Fargo and Visa are embracing Open Banking initiatives to compete with Intuit's Mint app, Venmo and SoFi.
The Open Banking industry won't continue to grow to $43.15 billion by 2026 without the trust of consumers and partners. To gain that trust, it’s critical that Open Banking apps abide by compliance laws and enforce strict security standards at the granular, API level.
We spoke with Jasen Meece, CEO of Cloudentity, to discuss Open Banking, security and compliance, and how customer consent is the root of success for the industry.
How are Open Banking apps revolutionizing the way consumers and businesses manage their finances?
In traditional banking, only a small cache of financial institutions had control over their customers’ information, making it nearly impossible for new financial services providers to emerge in the market. Today, Open Banking has created a surge in opportunities for these smaller financial companies to offer more competitive services, as they now have the ability to openly access consumer data from banks and financial institutions. The booming Open Banking market has also increased innovation among app developers who are working to create new, go-to apps like Mint and SoFi. With these platforms, consumers can view exactly where their money is and who has access to it, putting the power of their financial information back into their own hands. Consumers can leverage these apps directly from their phone, saving them considerable time, money and hassle associated with commuting to a physical bank branch.
Why are Application Programming Interfaces (APIs) a crucial component to Open Banking?
Open Banking allows people to share their personal and business data, at their request, through the use of Open APIs. APIs enable users’ financial information to safely and securely flow between platforms, apps and third parties. From there, APIs collect and compile all of the shared data and display it to the user in an interface that is easy to operate. With this aggregation of data all in one place, customers can see exactly where their various funds are located, move them around as they please, make payments anytime and find the best deals on term deposits, credit lines, loans and more.
What are the privacy risks of Open APIs if they are not secure?
APIs essentially act as the gatekeepers of sensitive data, because they allow users and businesses to share financial information with one another. However, APIs that aren’t secured are highly vulnerable to exposure and can result in data leakage and theft. Malicious actors can easily exploit weak APIs and transfer money out of accounts or open new credit cards in a customer’s name. In other cases, if a competitor is able to access your organization’s financial data, they can offer more competitive prices or go after your customers to steal market share.
Why is customer consent critical to the success of Open Banking?
Since customer consent is the foundation of building trust between a business and a user, organizations must show customers that their privacy is respected by enabling them to manage their permissions. Open Banking APIs must support customers’ consent by giving them the option to choose who they want to exchange their data with, when they want to share their data and how long they want their data to be available. For example, some users may only want third parties to access their name and location but not their full profile, while others might want their transactional data shared for only one day. Obtaining customers’ permission for access is crucial to keeping Open Banking secure, as customers who don’t trust the system won’t want to participate.
How can Open Banking apps and partners make sure they are compliant with strict data privacy and security standards?
Open APIs that aren’t protected with strict security controls not only pose a significant risk to users’ sensitive data, they can also cause organizations to fail compliance with data regulations. Open Banking providers must adhere to privacy laws like the UK Open Banking Implementation Entity (OBIE), Payment Services Directive (PSD2), Consumer Data Standards (CDR) and the Financial Data Exchange (FDX), otherwise they can face steep penalties, lawsuits and even lose the business. Furthermore, the Open Banking ecosystem can’t operate if third-party app providers aren’t trustworthy and legitimate. Certain regions like the UK and Australia already have strict Open Banking requirements in place that require every business to undergo an authentication process before entering the ecosystem. To initiate trust and ensure compliance, Open Banking providers must build or update their APIs to include secure, automated authorization controls that keep data safe and respect user consent. As mentioned above, it’s also critical that organizations provide transparency by enabling users visibility into where, when and how their data is being shared. This capability also helps proactively identify issues in the system and resolve them before a larger problem arises.
What security guardrails must be placed on APIs to ensure sensitive data is protected?
In the Open Banking ecosystem, old and outdated security solutions can’t protect modern, evolving technology, as they are susceptible to attack and hinder productivity. To start, organizations must implement identity and access management (IAM) tools that can prevent unauthorized access to corporate assets and secure the digital identities of their customers, employees and business. Then, they must enforce a Zero Trust framework that confirms every user is who they claim to be with continuous, context-based authorization, even if they have appeared trustworthy in the past. This means verifying who they are, where they are from, when they want access, why they need access and what device they are using. These circumstances create a full risk profile of the user that helps determine if their policy is a match and if they can be authorized. Red flags may come up based on the device of the user, what time they are transferring funds or where they are located geographically. With a Zero Trust approach to IAM, organizations can ensure they have the highest level of security to protect financial resources, while enhancing customers’ overall experience and satisfaction.
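The two mechanisms the interview describes, a customer consent record that bounds which data a third party may access and for how long (the answer on customer consent above), and a Zero Trust style check that evaluates each request from its context (device, location, time, transaction value) before granting access (the answer immediately above), as an added example. This is illustrative code written for this page, not Cloudentity's product code or any Open Banking standard's reference implementation. The scope names, the known-device and home-country tables, the risk weights and the step-up threshold are all constructed assumptions; a real deployment would take these from the bank's IAM and consent store.

```python
"""Consent-scoped, context-aware authorization for an Open Banking API call.

Added example, not the interviewee's or Cloudentity's code. Every identifier,
weight, threshold and sample record below is a constructed assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Consent:
    """What one customer agreed to share, with whom, and for how long."""
    customer_id: str
    third_party: str        # client id of the third party the customer approved
    scopes: frozenset       # e.g. {"accounts:read", "transactions:read"}
    granted_at: datetime
    ttl: timedelta          # consent lifetime chosen by the customer
    revoked: bool = False

    def allows(self, third_party: str, scope: str, now: datetime) -> bool:
        # Consent is only valid for the named third party, the named scopes,
        # and only until the customer-chosen expiry (or until revoked).
        if self.revoked or third_party != self.third_party:
            return False
        if now >= self.granted_at + self.ttl:
            return False
        return scope in self.scopes


@dataclass
class RequestContext:
    """Who is asking, for what, from where and on which device."""
    customer_id: str
    third_party: str
    scope: str
    now: datetime
    device_id: str
    country: str
    amount: float = 0.0     # only meaningful for payment initiation


@dataclass
class Decision:
    allow: bool
    reason: str
    risk_score: int
    flags: list = field(default_factory=list)


# Assumed IAM state: devices the customer has enrolled and their home country.
KNOWN_DEVICES = {"cust-1": {"dev-ios-42"}}
HOME_COUNTRY = {"cust-1": "GB"}

# Assumed risk weights for the red flags the interview mentions.
WEIGHTS = {
    "unknown_device": 30,
    "foreign_location": 25,
    "off_hours": 15,
    "high_value_payment": 30,
}


def risk_signals(ctx: RequestContext) -> list:
    """Return the context red flags raised by this request."""
    flags = []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.customer_id, set()):
        flags.append("unknown_device")
    if ctx.country != HOME_COUNTRY.get(ctx.customer_id):
        flags.append("foreign_location")
    if not 6 <= ctx.now.hour < 23:          # assumed "normal hours" window (UTC)
        flags.append("off_hours")
    if ctx.scope == "payments:initiate" and ctx.amount > 1000:
        flags.append("high_value_payment")
    return flags


def authorize(consent: Consent, ctx: RequestContext, risk_threshold: int = 50) -> Decision:
    """Consent gate first, then a per-request context risk score.

    Past trust does not carry over: every call is scored again.
    """
    if not consent.allows(ctx.third_party, ctx.scope, ctx.now):
        return Decision(False, "no_valid_consent", 0)
    flags = risk_signals(ctx)
    score = sum(WEIGHTS[f] for f in flags)
    if score >= risk_threshold:
        # Deny here; a production system would trigger step-up authentication.
        return Decision(False, "step_up_required", score, flags)
    return Decision(True, "allowed", score, flags)


# Constructed sample data: a one-day, read-only consent for an aggregator app.
SAMPLE_CONSENT = Consent(
    customer_id="cust-1",
    third_party="tpp-aggregator",
    scopes=frozenset({"accounts:read", "transactions:read"}),
    granted_at=datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc),
    ttl=timedelta(days=1),
)


def sample_request(scope="accounts:read", hours_after=2, device="dev-ios-42",
                   country="GB", third_party="tpp-aggregator", amount=0.0) -> RequestContext:
    """Build a request relative to the sample consent's grant time."""
    return RequestContext("cust-1", third_party, scope,
                          SAMPLE_CONSENT.granted_at + timedelta(hours=hours_after),
                          device, country, amount)


if __name__ == "__main__":
    for ctx in (sample_request(),
                sample_request(hours_after=26),
                sample_request(scope="payments:initiate", amount=5000),
                sample_request(device="dev-unknown", country="US")):
        d = authorize(SAMPLE_CONSENT, ctx)
        print(ctx.scope, ctx.now.isoformat(), "->", d.reason, d.risk_score, d.flags)
```

The order matters: the consent check runs before any risk scoring, so a request outside the customer's chosen scopes or past the expiry they picked is refused regardless of how trustworthy the device or location looks, and a request that does satisfy the consent is still re-scored on every call rather than trusted because an earlier one succeeded.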