What Open Banking means for the security of our money

Constantly described as disruptive, fintech has the potential to change how businesses and consumers manage their money.

From banking to payments, fintech could be transformative, as new business models are developed and consumers increasingly move away from established financial service providers.

Technology hype and attractive new services aside, it's important to consider whether, in this brave new world, these profound changes are happening in a secure environment.

Cyber crime becomes personal

The continued rise of cybercrime is clearly a threat to the fintech industry, which is making leaps forward in financial services management and delivery and is therefore highly attractive to cybercriminals.

According to the current cybercrime report from Cybersecurity Ventures, it's thought the global damage by cybercrime could reach $6 trillion by 2021.

As fintech has continued to evolve, the attack surface has similarly expanded, and attacks are now highly personal as a result of the explosion of mobile applications. This added risk of cyber extortion and botnet attacks on the mobile platform compounds the risk of fraud, adding a greater burden to security that's already struggling to deal with any potential weaknesses in the cloud-based services that are a core component of the fintech industry.

The changing attitudes of consumers towards their financial lives means they are actively seeking new service providers. These new services could be the major players in the existing tech sector or come from other sectors entirely.

As PwC explains in its Embracing Disruption report: "By 2020, consumers will need banking services, but they may not turn to a bank to get them. Or, at least, maybe not what we think of as a bank today."

Will LaSala, director of security solutions and security evangelist at OneSpan, explains that often security doesn't feature highly on a fintech provider's list of priorities.

"Fintech companies leverage cutting-edge technology in new ways, and so their products are usually built for speed to market. This often means that they will not use proper security techniques and controls, especially if doing so means they won't be able to meet their time to market needs."

Consumers and businesses alike have to trust the financial service applications they are using. With headlines filled with stories of continued cyber attacks and compromised personal information, those offering new financial services must ensure all security protocols and systems are adhered to.

Open security?

The Open Banking Initiative has been a major development in the growth of financial services and how they will be delivered in the future.

These reforms, which came into force in the UK on 13 January 2018, change the way banks are able to handle your personal information. Simply put, all banks in the UK must now allow you to share your financial data, such as spending habits and statements, with other providers or banks, provided they're authorised under the scheme.

The initiative is an attempt to increase competition and innovation within the industry - something that providers rely on to offer their new services.

However, it's proved to be a bit of a challenge for regulators, as it requires releasing data that has traditionally been hidden behind a single institution's firewall. Businesses within fintech would prefer regulation to remain the same, or even be loosened to a degree, to enable them to continue developing their open systems.

Open Banking, and the needs of fintech to access this information and transfer it between what could be multiple locations, therefore requires new levels of security.

Secure for now

In response, the UK has now adopted OAuth 2 as its preferred method of authenticating authorisations, a protocol that allows applications limited access to user accounts on an HTTP provider, such as Facebook. This also includes payments and access to the personal financial information some fintech services and applications require.

What's more, it only supports those service providers that have been authorised by the FCA (Financial Services Authority), a full list of which is provided here, allowing users to check whether their favourite apps are approved. The Open Banking Initiative also has a similar list of approved providers available here.

Open Banking Initiative lists its approved providers on its website

While some fintech apps are yet to be registered, companies have still adopted industry standards such as SSL, HTTPS and 128-bit AES encryption, so, for now at least, security has been maintained. Still, it's always sensible to check the full credentials of an app before using it, particularly as new GDPR regulations place tougher restrictions on businesses when accessing and using personal information, which includes aspects of your financial life.

'Open' in the context of fintech shouldn't mean turning our backs on the security systems that have been developed since before the dawn of the internet. However, we should be shifting our understanding of what financial security means in today's connected and sharing world.

The recent attacks on Virgin Bank using sophisticated phishing techniques only illustrate how important robust security is, and how active businesses, their customers and the wider public need to be in order to protect their personal information.

Commenting on the release of its annual 'UK Business Payments Barometer' report, Bottomline's Ed Adshead-Grant, general manager of payments, says that while security measures are successful, the impact of fraud continues to be significant.

"Anti-fraud protection measures seem to be working, and companies are getting more intelligent about managing their operations," says Adshead-Grant. "However, the real cost of fraud remains with investigations expensive and full recoveries elusive."

Securing FinTech

The security measures that have long been in place, in some cases decades, are making way for more open platforms. This doesn't necessarily mean they are less secure, but that they take a different approach to the security in their applications and services.

Andrius Sutas, co-founder and CEO of AimBrain, a firm that develops machine learning and AI-powered biometric authentication technology, says that fintech companies shouldn't ignore their responsibilities around security.

"In order to prevent intruders and limit the impact of breaches, fintech, like other connected communities, relies on a layered security, or 'defence in depth', approach," explains Sutas. "Multiple layers of security are required across the ecosystem, including against physical and internal threats."

However, Simon Healy, industry director for financial services EMEA at UNISYS, says that many companies are struggling to get this right.

"The organisations that will succeed in taking advantage of Open Banking are those that manage to create bulletproof security whilst delivering frictionless and exceptional user experience," says Healy.

"From conversations with our clients in the space, we're finding this balance is proving the main challenge, and that many are turning to external partners to assist in addressing this tension."

David Howell
