Open banking had become one of the key drivers of digitalisation in the financial sector long before the COVID-19 pandemic. The availability of application programming interfaces (APIs) for online banking has created a completely new market for third-party providers who offer applications for managing financial data across multiple banks. The aim is to make it easier and more efficient than ever for consumers to manage their income and expenditure. For instance, rather than logging into separate applications from several banks and payment providers, consumers can use one central app to monitor all incoming and outgoing payments across all their accounts. The second payment services directive (PSD2) of the European Union paved the way for this by introducing new rules for payment services and payment service providers within the EU.
In open banking, bank customers allow a Third Party Provider (TPP) to view their customer and transaction data. This can be one-time access, for instance for credit scoring in conjunction with a credit application, or continuous access, which suits accounting software or personal financial management applications as a data source. In addition to querying data, the interfaces can also be used to initiate payments. Along with current, business and credit card accounts, investment products such as savings and deposit accounts, and credit balances with online payment services such as PayPal, can be included. In each of these cases, data is exchanged via secured APIs.
Bank customers remain sceptical
As is the case with most innovations, consumers have been relatively slow to embrace open banking. For instance, a global survey conducted by banking service provider Mambu revealed that 52 per cent of respondents had never heard of open banking, and 61 per cent said they had never used it. Consumers' underlying scepticism is reinforced by the sensitivity of financial information. After all, who wants app providers scrutinising their private banking data and selling it to advertising networks or other interested parties? And what if one's data falls into the hands of attackers because the app developers failed to take adequate security precautions? To reduce the risk of such misuse from the outset, the practical implementation of the EU payment services directive is subject to strict legal and technological requirements.
Data portability requires explicit customer consent
PSD2 establishes a right of access to payment account data: data held by an account-servicing bank must be made available to a licensed third-party provider when the customer gives explicit consent. This is what allows an aggregation app to build a complete overview of income and expenditure, or an investment app to automate deposits. The data that may be collected under this access right is constrained by PSD2 together with the European General Data Protection Regulation (GDPR). The GDPR imposes data minimisation: information may only be collected to the extent required to provide the specific service. Users must give explicit consent before specific data is forwarded from their bank to a Third Party Provider. That consent is scoped to the respective TPP and the data it was granted for, and must be obtained separately for each additional TPP.
CIAM and MFA ensure security
Regulatory requirements such as these play an important role in building consumer trust in innovative services from fintech companies and banks. At least as important are the technical controls the banking sector has long used to block illicit login attempts and unauthorised data leaks. The strongest measures currently in use are built on customer identity and access management (CIAM) with multi-factor authentication (MFA) in front of it, including biometric factors. With MFA, a username and password alone are not enough to log into an account: an additional, independent factor is required, such as a one-time code sent to a mobile phone or a code generated by an authenticator app. Codes delivered by SMS are the weaker of the two, since they can be diverted through SIM swapping or phished in real time; PSD2's strong customer authentication rules likewise require two independent factors drawn from the categories knowledge, possession and inherence. Biometric factors such as facial recognition or fingerprint scans, combined with possession of an enrolled device, let MFA be realised as completely passwordless authentication.
The CIAM system serves as the intermediary between the user and back-end applications such as the customer database, payment systems and the APIs exposed to Third Party Providers. For authentication, it provides an access gateway that brings modern authentication to traditional web applications as well. It also incorporates an authentication server that supports multiple authentication methods, from passwords to physical tokens, and the federation protocols OpenID Connect, SAML, WS-Trust and WS-Federation alongside the OAuth 2.0 authorisation framework, which is what a TPP uses to obtain scoped access to a customer's accounts. The final core component is a user directory in which all customer identity data is administered. With a suitably configured CIAM system, banks and fintech companies are well equipped to further expand the open banking infrastructure in the years ahead.
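The per-TPP consent described under "Data portability requires explicit customer consent" and the OAuth 2.0 role of the CIAM authorisation server meet in the authorization-code exchange between a TPP and the bank. The following is an added example written for this article, not code from any bank, CIAM product or the PSD2 standards, that models that exchange in one process: the TPP registry with pinned redirect URIs, a consent store scoped to one TPP, PKCE (RFC 7636) binding the code to the client that requested it, single-use codes, and a resource API that enforces the consented scope on every call. All client identifiers, URLs, scope names and account data are constructed for the example; the customer's strong authentication at the bank happens before `authorize()` and is not modelled.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed registry of licensed TPPs: client_id -> registered redirect URI.
# Pinning the URI at registration means a code can only be delivered to the real TPP.
TPP_REGISTRY = {
    "tpp-budget-app": "https://budget.example/callback",
    "tpp-lender": "https://lender.example/callback",
}
# Constructed sample account data for one customer.
ACCOUNTS = {"alice": [{"iban": "DE00 0000 0000 0000 0000 00", "balance": "1234.56"}]}


def pkce_challenge(verifier: str) -> str:
    """PKCE S256: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """The bank's OAuth 2.0 authorization server behind the CIAM gateway."""

    def __init__(self):
        self.consents = {}  # (user, client_id) -> scopes the customer granted that one TPP
        self.codes = {}     # authorization code -> pending grant (single use, short lived)
        self.tokens = {}    # access token -> grant

    def record_consent(self, user, client_id, scopes):
        # Consent is per TPP: granting budget-app "accounts:read" says nothing about lender.
        self.consents[(user, client_id)] = set(scopes)

    def authorize(self, user, client_id, redirect_uri, scope, code_challenge, now):
        # Authorization endpoint; the customer has just completed SCA with the bank.
        if TPP_REGISTRY.get(client_id) != redirect_uri:
            raise PermissionError("unknown TPP or redirect_uri mismatch")
        requested = set(scope.split())
        if not requested <= self.consents.get((user, client_id), set()):
            raise PermissionError("requested scope exceeds the customer's consent")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "user": user, "scopes": requested,
                            "challenge": code_challenge, "expires": now + 60}
        return code

    def token(self, client_id, code, code_verifier, now):
        # Token endpoint; the code is consumed on first use so it cannot be replayed.
        grant = self.codes.pop(code, None)
        if grant is None or grant["client_id"] != client_id or now > grant["expires"]:
            raise PermissionError("invalid, replayed or expired code")
        if not hmac.compare_digest(pkce_challenge(code_verifier), grant["challenge"]):
            raise PermissionError("PKCE verification failed")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "user": grant["user"],
                              "scopes": grant["scopes"], "expires": now + 3600}
        return token

    def introspect(self, token, now):
        grant = self.tokens.get(token)
        return grant if grant and now <= grant["expires"] else None


class AccountApi:
    """TPP-facing API; each call checks scope, so data minimisation holds at the resource."""

    def __init__(self, auth):
        self.auth = auth

    def _grant(self, token, needed, now):
        grant = self.auth.introspect(token, now)
        if grant is None or needed not in grant["scopes"]:
            raise PermissionError(f"token lacks scope {needed}")
        return grant

    def list_accounts(self, token, now):
        return ACCOUNTS[self._grant(token, "accounts:read", now)["user"]]

    def initiate_payment(self, token, amount, now):
        self._grant(token, "payments:initiate", now)
        return {"status": "accepted", "amount": amount}


def _outcome(attempt):
    """Run one attempt and report whether the server accepted or rejected it."""
    try:
        attempt()
        return "accepted"
    except PermissionError:
        return "rejected"


def run_flow(now=1_700_000_000):
    """Walk through the exchange once and collect what each party was allowed to do."""
    auth, budget, lender = AuthorizationServer(), "tpp-budget-app", "tpp-lender"
    api = AccountApi(auth)
    auth.record_consent("alice", budget, ["accounts:read"])  # read-only consent, one TPP
    verifier = secrets.token_urlsafe(48)
    challenge = pkce_challenge(verifier)
    uri = TPP_REGISTRY[budget]
    code = auth.authorize("alice", budget, uri, "accounts:read", challenge, now)
    token = auth.token(budget, code, verifier, now)
    r = {"accounts": api.list_accounts(token, now)}
    r["payment"] = _outcome(lambda: api.initiate_payment(token, "10.00", now))
    r["code_replay"] = _outcome(lambda: auth.token(budget, code, verifier, now))
    r["over_scope"] = _outcome(lambda: auth.authorize(
        "alice", budget, uri, "accounts:read payments:initiate", challenge, now))
    r["other_tpp"] = _outcome(lambda: auth.authorize(
        "alice", lender, TPP_REGISTRY[lender], "accounts:read", challenge, now))
    code2 = auth.authorize("alice", budget, uri, "accounts:read", challenge, now)
    r["stolen_code"] = _outcome(lambda: auth.token(budget, code2, "attacker-guess", now))
    r["expired_token"] = _outcome(lambda: api.list_accounts(token, now + 3601))
    return r


if __name__ == "__main__":
    for check, result in run_flow().items():
        print(f"{check}: {result}")
```

Two design choices carry the security argument. Consent is keyed on (user, client_id), so the lender obtaining a code for alice fails at the authorization endpoint rather than at the data layer, and the budget app cannot escalate a read consent into payment initiation because the resource checks scope on every call, not only at token issuance. PKCE and single-use codes close the gap on the redirect leg: a code intercepted between bank and TPP is worthless without the verifier the TPP kept in memory.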