Why open banking apps must stay secure to earn consumer trust [Q&A]
Traditional banks are realizing that they must develop more user-friendly open banking apps if they're not to lose customers to fintech startups.
But it's critical that these apps gain the trust of consumers if open banking is to succeed. We spoke to Jasen Meece, CEO of Cloudentity, to discuss how financial services companies can ensure their open banking apps and partners adhere to compliance standards and protect consumers' personal data.
BN: What are the advantages of leveraging open banking apps for traditional banks and their customers?
JM: Open banking has opened new doors for innovation amongst smaller financial services providers that couldn't compete with banks before and has presented more opportunities for app developers to build new, popular open banking platforms such as Venmo and Mint. With open banking apps, users have more control over their financial data as they can see exactly where their money is going and who is able to access it. Since these apps enable people and businesses to manage personal finances and transfer funds directly from their phone, there is no longer a need to go to a physical bank. Additionally, open banking apps can serve a wider market of consumers, helping people who would otherwise not have access to banking services.
BN: What is the role of the application programming interface (API) in open banking technology?
JM: APIs serve as the gatekeeper for financial information exchanged between users and businesses in open banking. APIs enable shared data to seamlessly flow between apps, platforms and service providers in a safe and secure way. Then, these open APIs help gather data and present it to the customer in a user-friendly dashboard. From there, customers can view all of their assets, make payments, and find the best deals on loans, credit lines and more -- all from one place.
BN: What consent controls must be placed on APIs to protect personal data?
JM: The open banking industry is expected to be worth $43.15 billion by 2026. For the market to continue to grow and flourish, consumers and partners must be able to trust that the system is secure and that service providers are not mishandling private information. Therefore, financial services providers must place rigorous consent controls on their APIs to protect personal data from being exposed. This gives customers the ability to manage consent by allowing them to choose which third-party providers can obtain access to their data, which can share their data and when, and the amount of time they'd like their data to be shared. For example, when users log into their Facebook account, they must first grant permission before the app can post on their behalf or share their information with other third-party apps. Similarly, open banking apps need to obtain customer consent prior to sharing their data with other apps and financial institutions.
BN: Why are new data regulations critical at the API level and what do these laws look like?
JM: The acceleration of digital transformation during COVID-19 has given hackers even more opportunity to steal sensitive data from organizations that aren't equipped with strong security protocols. To keep companies accountable, data privacy regulations are necessary to provide repercussions for businesses mishandling customer data. Compliance standards must be enforced at the API level because companies often overlook weak APIs in their system, which can result in data leakage or theft. In fact, Gartner predicts that APIs will be the most frequent attack vector for data breaches by 2022. Open APIs that don't have strong identity and authorization controls in place can easily be exploited by malicious actors and used to drain a customer's entire bank account. Financial services providers in the open banking ecosystem must make sure their APIs are completely secure to remain compliant with emerging and existing data regulations like the Payment Services Directive (PSD2), UK Open Banking (OBIE), Consumer Data Standards (CDR) and the Financial Data Exchange (FDX). Additionally, organizations that do business in regions with data protection laws like Europe's General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) must strictly adhere to these standards; otherwise they may face major fines.
BN: For organizations that provide open banking services, what are the risks of non-compliance to data privacy regulations like the GDPR?
JM: Failure to comply with the data protection laws mentioned above can result in severe penalties, such as steep fines contingent on the breach impact, as well as corporate lawsuits against the organization at fault. Companies may also lose customer trust and permanently damage the brand’s reputation. Without customers and a reliable reputation, financial organizations that provide open banking services will not be successful.
BN: Why has identity and access management (IAM) become an essential component of enterprise cybersecurity?
JM: IAM should be at the forefront of any cybersecurity strategy, as managing and securing digital identities has never been more critical in today’s evolving threat landscape. Enterprises must adopt IAM solutions and best practices that can protect the identities of customers and employees, and also protect any sensitive corporate resources from unauthorized access. With proactive authentication controls in place, organizations can mitigate security risks, safeguard sensitive data and remain compliant with data regulations.
BN: Why is it critical for all companies to adopt a Zero Trust approach to IAM?
JM: Traditional IAM solutions are highly prone to security failures and complicate the authentication process. Instead, organizations need solutions that can improve security without hampering productivity. With a Zero Trust approach, every user must be continuously authenticated and authorized whether or not they appear trustworthy. By coupling IAM with Zero Trust, users are granted or denied access in real time by policy based on their context (who, what, where, when and why) and transaction. This full risk profile ensures users are only authorized if the policy is matched. In open banking, this context may examine a third party and determine if its behavior replicates the user's normal patterns, if its exact location matches the user's typical whereabouts, or if its intended transaction value fits within the user's limit. Zero Trust can facilitate the IAM process, transforming the customer experience and ensuring organizations are complying with regulations. With a context-based Zero Trust approach to IAM, enterprises can establish better protection and usability based on the context of every data transaction, which also enhances the customer experience.
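The two mechanisms described in this interview, time-bound and scope-limited customer consent on the API (the answer on consent controls) and per-call, context-based Zero Trust policy (the answer above), can be shown together in a single authorization check. The following is an added example written for this page; it is not Cloudentity's code or any product's API. Consent records, scope names such as `accounts:read` and `payments:initiate`, the customer and provider identifiers, and the risk signals (country of the caller, payment amount against a consented limit) are all constructed assumptions for the illustration.

```python
"""Consent-scoped, context-aware authorization for an open banking API call.
Added illustration, not Cloudentity code: a consent record names the third-party
provider (TPP), the scopes granted, a validity window and a per-payment limit.
Each request is checked against that consent and then against contextual risk
signals, and the decision carries its reasons so it can be logged and audited.
All identifiers, scopes and sample data are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Consent:
    user_id: str
    tpp_id: str                 # third-party provider the customer authorised
    scopes: FrozenSet[str]      # what the TPP may do, e.g. "accounts:read"
    granted_at: datetime
    expires_at: datetime        # consent is time-bound, not open-ended
    payment_limit: float = 0.0  # per-transaction cap for "payments:initiate"
    revoked: bool = False       # customer withdrew consent before expiry


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    usual_countries: FrozenSet[str]   # where the customer normally transacts


@dataclass(frozen=True)
class Request:
    user_id: str
    tpp_id: str
    scope: str
    at: datetime
    country: str         # geolocation of the calling party
    amount: float = 0.0  # only meaningful for payment initiation


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: Request, consents: List[Consent], profile: UserProfile) -> Decision:
    """Deny by default; allow only when consent and context checks all pass."""
    reasons: List[str] = []

    # Step 1: consent check. Did this customer grant anything to this TPP?
    matches = [c for c in consents
               if c.user_id == req.user_id and c.tpp_id == req.tpp_id]
    if not matches:
        return Decision(False, ["no consent exists for this third party"])
    consent = matches[0]          # one consent per (user, TPP) pair in this model

    if consent.revoked:
        reasons.append("consent revoked by customer")
    if not (consent.granted_at <= req.at < consent.expires_at):
        reasons.append("consent expired or not yet valid")
    if req.scope not in consent.scopes:
        reasons.append(f"scope '{req.scope}' not granted")

    # Step 2: context check (where, how much), re-evaluated on every call.
    if req.country not in profile.usual_countries:
        reasons.append(f"location {req.country} outside customer's usual pattern")
    if req.scope == "payments:initiate" and req.amount > consent.payment_limit:
        reasons.append(f"amount {req.amount:.2f} exceeds consented limit "
                       f"{consent.payment_limit:.2f}")

    return Decision(allowed=not reasons, reasons=reasons)


def run_examples() -> Dict[str, Decision]:
    """Constructed scenarios: one grant to a budgeting app, one to a payment app."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    consents = [
        Consent("cust-1", "tpp-budget", frozenset({"accounts:read"}),
                t0, t0 + timedelta(days=90)),
        Consent("cust-1", "tpp-pay", frozenset({"accounts:read", "payments:initiate"}),
                t0, t0 + timedelta(days=90), payment_limit=500.0),
    ]
    profile = UserProfile("cust-1", frozenset({"GB"}))
    day = timedelta(days=1)
    scenarios = {
        "read_ok":     Request("cust-1", "tpp-budget", "accounts:read", t0 + day, "GB"),
        "no_scope":    Request("cust-1", "tpp-budget", "payments:initiate", t0 + day, "GB", 50.0),
        "expired":     Request("cust-1", "tpp-budget", "accounts:read", t0 + 100 * day, "GB"),
        "over_limit":  Request("cust-1", "tpp-pay", "payments:initiate", t0 + day, "GB", 1200.0),
        "odd_place":   Request("cust-1", "tpp-pay", "payments:initiate", t0 + day, "BR", 20.0),
        "unknown_tpp": Request("cust-1", "tpp-other", "accounts:read", t0 + day, "GB"),
    }
    return {name: evaluate(r, consents, profile) for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, d in run_examples().items():
        print(f"{name:12} {'ALLOW' if d.allowed else 'DENY '} {'; '.join(d.reasons)}")
```

Two design points carry the interview's argument: the decision is deny-by-default, so a request that matches no consent, an expired consent or an ungranted scope never reaches the data, and every denial lists its reasons, which is what makes the consent and risk decisions reviewable when a customer or regulator asks who accessed what and why.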
Image credit: Rawpixel/depositphotos.com