Open Banking and Security: How to Ensure a Safe User Journey
In a recent webinar, Open Banking and Security: How to Ensure a Safe User Journey, we teamed up with Sopra Banking Software (SBS) to discuss security in open banking and how to ensure a safe user journey without compromising the customer experience.
OneSpan is Sopra’s digital security partner. Sopra offers a Digital Banking Engagement Platform that makes it easier to engage in open banking. As the partner of choice for over 1,500 financial institutions worldwide, Sopra works with 95% of the leading banks in Europe and 60% of those in Africa.
In the webinar, Nicolas Darlavoix, Digital & Open Banking Expert with SBS, and Denis Vanhulle of OneSpan, explain how OneSpan’s security technologies integrate with Sopra’s Digital Banking Suite to protect customers and their financial data when using open banking services.
If you missed this popular webinar, here’s a 5-minute summary of what was covered. You can also access the full presentation on-demand.
What is Open Banking?
Open banking is a banking practice where banks provide authorized third-party financial service providers open access to their consumers’ banking and financial data. These third parties are then able to initiate and process financial transactions at the customer’s request. This process takes place through the use of open banking APIs (application programming interfaces).
Open banking is just beginning to emerge in the EU, with companies such as Revolut, TrueLayer, Tink, and others bringing open banking to Germany, Italy, France, the UK, Ireland and the rest of Europe. In the UK, for example, open banking is already used by two million active users as of September 2020, and about 63% of financial institutions in Europe are set to increase their budgetary spend on open banking.1
Open banking in Europe is governed by the second Payment Services Directive (PSD2). PSD2 requires banks to grant access to customer transaction accounts and customer data to authorized third parties. The regulation aims to lower costs for consumers and promote competition and innovation in banking.
Open Banking and Security: Security Risks and Challenges
During the webinar, Nicolas Darlavoix, an expert in Digital & Open Banking with Sopra Banking Software, expanded on the definition of open banking by focusing on the connectivity and orchestration of data, which is what the Sopra Digital Banking Suite delivers.
“Open Banking:
The connectivity and orchestration of data
between financial institutions and third-party
providers to deliver new products and services
to the market.”
“By connectivity, we are referring to the need to connect to financial institutions in order to aggregate, retrieve and exchange data. The orchestration is the part that manages and secures the data,” he explained.
“Security in open banking is a topic that is not focused on often enough. When it comes to open banking, financial institutions usually have their focus on the technical or business possibilities. But data security is just as important – and maybe even more so.”
The Digital Banking Suite delivers all services to connect and orchestrate in a secure, cost-effective and predictable way. The platform has an extensive library of services expanding way beyond open banking with services like customer onboarding, payments, finance management, loyalty and more.
Security is a critical component of open banking. It affects everyone participating in open banking. Open banking stakeholders and users fall into three categories and each faces their own security challenges and responsibilities:
- The user: The user, or the consumer, needs to identify themselves to the bank or the fintech. Users have the responsibility to identify themselves truthfully and accurately, and not execute any illegal transactions.
- The bank: The bank is also called the ASPSP (account services and payment service provider) in PSD2 language. The bank’s role is to be a gatekeeper. The bank needs to provide trust and know what is happening with their customer data. The bank also needs to ensure access security and comply with know your customer (KYC) and know your transactions (KYT) regulations, as well as data privacy laws. This is extremely serious and the risks of not fulfilling these requirements include data theft and data breaches; non-compliance penalties; and reputational damage.
- The fintech: Fintech companies or the third-party providers, like the bank, also need to meet KYC requirements to know which customers are onboarded. Likewise for KYT, fintech companies must know what kinds of transactions are flowing through the platform as they aggregate data and initiate payments. Fintechs also have a regulated set of responsibilities. They have a third-party provider (TPP) license and need to comply with the laws and regulations set out by the financial regulators. They also need to be very careful not to allow fraudulent transactions or aggregate fraudulent data.
Five Steps to Secure the Open Banking Journey
For each of the security challenges listed above, there are security solutions. Here’s a five-step plan to secure the open banking journey:
1. Invest in a secure digital platform
The best practice is to start with a digital banking platform as the foundation. A platform that has open banking services pre-integrated can be quickly deployed, and it’s a central place that can help you connect, store, work with, and secure your open banking data. There are many details to consider when implementing open banking, as some services can be consumed directly while others require banks to transform the data. All this is possible with microservices, such as security solutions, which can be built easily on the digital platform – and in some cases, as with OneSpan, already integrated into the Sopra Digital Banking Suite.
2. Authenticate intelligently
With this foundation set up, banks can start authenticating partners such as fintechs, as well as users. As banks add more services or capabilities to their open banking use cases, they need to ensuretheir solution has the functionality for strong customer authentication, also known as multi-factor authentication (MFA) for every open banking service in the ecosystem they are building.
3. Know your customer
The next step is KYC. Banks need to know who their users are and which partners they are connecting with on the platform. This involves their identity, as well as more in-depth data related to the endpoint devices they’re connecting from (to ensure they’re not compromised), geographical location, and more. All this is needed to protect sensitive data, secure the user journey, and ensure compliance with financial sector regulations.
4. Know your transactions
Banks now know which customers and partners are accessing open banking services through their digital banking platform, because they have authenticated them. The next step is to understand the transactions. Banks need to know which transactions are flowing in and out of their platform. Questions banks will typically ask include:
- Are these transactions unusual?
- Are they high amounts?
- Are they blocklisted?
- Which beneficiaries/payees are involved?
If there’s an incident, banks can trace the transactions. This is crucial for risk and compliance reasons.
5. Monitor and control
Once everything has been set up, it’s time to monitor and control. At this stage, banks will typically set up alerts for access, users, transactions, locations, amounts, and more. If there are anomalies, the bank will then be alerted.
Open Banking and Cybersecurity: 3 Key Elements to Minimize the Risks of Open Banking
OneSpan offers a variety of services related to the above steps, especially for authentication. Here are three of the most important ones as it relates to open banking on the Sopra platform:
1. Mobile app security
This involves collecting data from the mobile phone that is using the banking app. This endpoint data includes security information, such as whether the mobile banking app is operating in an unsafe environment. For example, if a user’s smartphone is rooted or has malware present such as a mobile keylogger, it is important to be aware of that in order to reduce risk. That’s why the first step is to analyze the environment that a bank’s app is operating in.
2. Risk Analytics
Next, banks can take the data from the authenticating environment and analyze it using OneSpan’s fraud detection and prevention system, OneSpan Risk Analytics. Risk Analytics uses a combination of predefined rule sets and machine learning. With rule sets, you can define which monetary transactions and non-monetary transactions (e.g., logins) are suspicious. However, fraudsters adapt very quickly, so machine learning can help a bank’s fraud team with real-time scoring to combat cybercrime and stay one step ahead of cybercriminals by identifying and blocking new threats.
3. Authentication
After analyzing device and transaction data using OneSpan Risk Analytics, the next step is to authenticate the user – in a way that matches the authentication challenge to the level of risk in each transaction. For example, if OneSpan Risk Analytics scores a transaction as high risk, banks can then use step-up authentication, also known as adaptive authentication or risk-based authentication, to challenge the user for a facial scan or selfie authentication to confirm the customer’s identity. Conversely, if the risk is low because OneSpan Risk Analytics has detected that the customer is using their registered mobile device, on the same wifi network they always use, and the transaction fits historical patterns, then the customer may not even need to re-authenticate.
Demo: Open Banking and Security, Without Adding Friction
In the webinar, we presented a demo to show how OneSpan and Sopra work together to ensure a secure and convenient open banking journey for all end-users. Taking a sample real-world scenario, we walked through the following steps from the perspective of the customer experience:
- The customer logs in to their banking portal, chooses a service involving a third party, consents to the data being shared with the provider, and agrees that the third-party provider can create a PSD2 connection for authentication.
- The customer is prompted to authenticate using a fingerprint biometric.
- Before the payment goes through, they are shown the details of their transaction and asked to confirm.
- If risk is detected, the customer might be asked to authenticate with a selfie or other authentication challenge. If no risk is detected, they simply approve the transaction.
- In the background, every action is logged by the OneSpan fraud prevention system. At any time, a fraud analyst at the bank can review the details for each event.
Closing Thoughts
To recap, the partnership between OneSpan and Sopra Banking is a powerful solution to help create safe and secure open banking journeys for financial institutions and bank customers. The Sopra Digital Banking Suite is already being used throughout the financial services industry in EMEA. As part of the solution, OneSpan, a leading provider of digital security, and Sopra Banking, the digital banking platform, work together to deliver open banking and security out-of-the-box and thereby reduce the risks of open banking.
Learn more at the Sopra Banking Software Marketplace or watch the full webinar presentation.