Open banking is coming up to the fourth year of PSD2 as a regulatory requirement in the UK. We can see the impact it has already had, and the predicted growth for the year to come. In addition, the pandemic has driven the growing demand for flexible financial services, and this has transformed how consumers and small businesses leverage their financial data.
by Travis Spencer, CEO, Curity
Open banking has allowed third-party organisations to access data through APIs to create a frictionless experience with better products and services to manage finances.
As APIs continue to give financial institutions the ability to connect to both customers and businesses alike, security has become more important than ever. It is vital to evaluate the various measures that financial services need to adopt to thrive in a safe and secure way.
Carefully managing financial data has always been of the utmost importance for businesses. Failing to do so and leaving sensitive data to fall into the wrong hands can be critical for consumers, businesses, and banks. Financial-grade API security is paramount when it comes to exchanging data and financial information between institutions and third parties such as FinTech vendors and other partners.
Complexities of authenticating
It is important to have solid confidence in the user’s identity. This requires a Strong Customer Authentication (SCA) method, which generally translates to a high Level of Assurance. This is accomplished to some degree by using multi-factor authentication. It is equally essential that users prove their identity as part of the registration and authentication process. To achieve this, the regulators require standards-based, proven methods that ultimately result in a token (i.e., a ticket or memento) that encrypts and secures the identity of the user and their authentication method, and provides assurance that the user represented by that token really is who they say they are.
Users confirming consent
Authentication is important, but, alone, it isn’t enough. Open finance regulations are clear that users must consent to a business accessing certain data or performing an action such as creating a transaction. But it must also be possible for users to manage and even revoke their consent through an easy-to-use user management service.
Protecting users’ data
Securing and protecting users’ data can be a difficult task, but it’s a critical one in open banking. It takes a long time to develop trust – particularly when finances are involved – and it can be slashed in seconds if users lose confidence in a business’s ability to look after them and their data. As well as costing customers time and money and causing extreme dissatisfaction, this can ruin a business’s reputation. Consequently, the safety of user data must be prioritised.
A blend of various procedures, frameworks and processes can be introduced to mitigate the risk of fraud, data leakage or manipulation, and privacy violations. This is an opportunity to ensure consistent security practices are implemented across the board. Standards and directives such as PSD2 are designed to protect user data, as well as to secure bank services. Businesses need to ensure they are investing in the right technology to adhere to these standards. By choosing solutions that automatically implement these specifications, businesses can reap the benefits of a secure customer database, which will help improve the customer experience and build credibility and trust.
Prioritising skills
Businesses must also invest in their teams. It’s not enough to simply put protocols in place. Design and execution require a specific set of skills which, unfortunately, are high in demand and low in supply. Recent research commissioned by the UK Department for Culture, Media and Sport found that half of businesses in the country (approx. 680,000) have a basic skills gap, lacking staff with the technical, incident response, and governance skills needed to manage their cyber security. Meanwhile, a third (approx. 449,000) are missing more advanced skills, such as penetration testing, forensic analysis, and security architecture.
Despite being essential, and considerably more so as services are progressively digitalised, cybersecurity skills are often poorly understood and undervalued, both by management boards and within IT teams. This can prompt a lack of investment in training, mishiring, and poor retention of staff in security roles. This only intensifies the challenge of building a team that possesses the requisite skills.
Hiring can be hard when there’s a deficiency of skills and abilities, so businesses need to be innovative. This means considering new recruitment avenues and, importantly, breaking free from the conventional model of what cyber security professionals look like. Curiosity is vital, so, for more junior roles especially, attitude should be a key qualification. Businesses should trust that many skills can be acquired on the job if the candidate has the essential fundamental knowledge and drive. To help with this, employers should provide training and mentorship.
The future is looking bright for financial services. The way banks do business and how consumers manage their financial transactions will continue to be revolutionised. New opportunities and new practices are likely to arise, meaning security remains an important factor in addressing any future requirements.
As we continue to assess financial-grade security and authentication protocols, success will also rely heavily on expertise and know-how. The skills gap in security needs to be considered to ensure that flexible finance options within open banking and open finance can be utilised without compromising security. Businesses must ensure they are prioritising training for the team to close this skills gap and improve practices across the industry. There is a massive opportunity to push protocols and standards across the board, as it will not only help to ensure a high level of security but also make skills more transferable in the long term.