Open Banking is the democratization of banking – allowing consumers to access and control their privacy, banking and financial data. Third-party Open Banking apps require user consent, and the data that flows through the Application Programming Interfaces (APIs) connecting banking apps and accounts must be protected so that users’ financial information is shared securely. Some examples of leading Open Banking apps include Intuit’s Mint app, Venmo and SoFi.
Open Banking brings a great deal of potential to the financial services industry with innovative, easy-to-use apps and digital services that help customers with managing personal finances and loans. As a result, many large financial services firms such as PayPal, Wells Fargo and Visa are joining the Open Banking initiatives to enhance the user experience with Open Banking apps.
Open Banking is fundamentally about sharing data between parties. However, with any kind of data exchange, there is a risk of exposure if it’s not done in a safe, secure way. The Open Banking industry won’t reach the expected $43.15 billion by 2026 without the appropriate security mechanisms, as well as the trust of consumers and partners. To gain that trust, it’s critical that Open Banking apps comply with relevant regulations and enforce strict security standards at the API transaction level. Below are four critical steps for implementing the proper security guardrails for Open Banking.
1) Secure APIs with proper authorization controls to prevent data leakage
According to data from the OWASP Foundation, seven out of the top ten security vulnerabilities for APIs are related to identity, and more specifically to authorization. This shows that for the technology industry at large, the era of managing identity outside of cybersecurity is over. The risk is pervasive, as we’ve seen dozens of API breaches monthly. If an API is poorly written, object-level or function-level authorization issues can lead to programmatic data leakage, which cybercriminals can then exploit, with personal information ending up on the dark web.
The recent Experian data leak is an example of an API vulnerability that caused a large-scale data breach, exposing the credit scores of tens of millions of Americans. This weakness allowed any third-party user to find someone else’s credit score by searching their name and address, without any authentication, authorization or consent controls in place. While Experian has since patched the flaw, researchers believe other lending websites using the same API may still be at risk. If organizations don’t take control of their API security to prevent these issues, we will see more large-scale data breaches that can be detrimental to organizations’ reputations and revenue.
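To make the object-level authorization point concrete, here is an added example (not code from the article) of an account lookup endpoint written the leaky way beside the hardened version. The in-memory store, `Session` object and account identifiers are constructed for illustration.

```python
"""Object-level authorization on an account lookup endpoint.

Added example; not code from the article. The in-memory store, session
object and identifiers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    user_id: Optional[str]  # None means the caller never authenticated


@dataclass(frozen=True)
class Account:
    account_id: str
    owner_id: str
    balance_cents: int


# Constructed sample data: two customers, one account each.
ACCOUNTS = {
    "acct-1001": Account("acct-1001", "user-alice", 250_00),
    "acct-1002": Account("acct-1002", "user-bob", 9_99),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_account_vulnerable(account_id: str) -> Optional[Account]:
    """The anti-pattern: the record is fetched purely by the client-supplied
    ID, so any caller can read any account (OWASP API1, Broken Object Level
    Authorization). This is the shape of flaw described above."""
    return ACCOUNTS.get(account_id)


def get_account(session: Session, account_id: str) -> Account:
    """Hardened handler: authenticate first, then check that the object
    belongs to the caller before returning it. A missing record and a record
    owned by someone else produce the same error, so the endpoint cannot be
    used to enumerate which account IDs exist."""
    if session.user_id is None:
        raise Forbidden("authentication required")
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner_id != session.user_id:
        raise Forbidden("not authorized for this object")
    return account
```

In a real service the ownership check would be a query predicate (`WHERE owner_id = :caller`) rather than a post-fetch comparison, but the decision point is the same: the object must be tied to the authenticated identity before anything is returned.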
2) Adopt rigorous privacy consent control for API-centric services that share personal data
Open Data APIs are relied upon every day for seamless data-sharing and provide the ability to control who can view and edit certain files. That said, consumers today are much more concerned about the privacy of their personal data than when this capability became available – making them wary about how their information is being used by businesses. For this reason, and for security reasons, privacy consent management must be foundational for Open Data platforms, as authorization and consent are what ensure privacy is maintained. With today’s API-centric apps and services, consent has shifted the consumer mindset from “what data can I know about this app” to “what data can this app know about me,” and “what data can this app share about me?”
As a result of growing concerns about how tech companies use, store and share customer data, new legislation continues to protect consumer privacy. To meet consumer privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), APIs must incorporate granular consent controls to prevent unauthorized exposure and sharing of consumer data. For example, Open Banking-enabled applications often communicate with numerous services and APIs that do not need access to a customer’s wide array of sensitive accounts and personal information. Consent must be granular, allowing a given data element to be shared with a specific third-party application for a set period of time or number of uses.
Proper consent controls include automated authorization based on context coming from the user, the application, other entitlement data stores, fraud engines, etc. Discerning the “who, what, where, when and why” and confirming that the person has consented to the sharing of that data becomes critical for regulatory and marketplace requirements. If the user sharing data with a third-party application revokes their consent or reduces the data they are sharing, the third party must respect their choices. An instance where this went wrong is the Walgreens app error last year, when a vulnerability in the Walgreens app’s API caused a data breach in which customers could view the private medical messages of other customers. This could have been prevented if the right consent controls had been built into Walgreens’ API.
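The granular consent described in this section (one data element, one specific third-party app, bounded by time or number of uses, and revocable) can be modelled as a small consent store; the following is an added example and not code from the article. The record shape, the app identifiers and the data-element names are constructed for illustration.

```python
"""Granular, revocable consent for third-party data sharing.

Added example; not code from the article. The consent record shape, app
identifiers and data-element names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed reference time for the checks below.
T0 = datetime(2021, 6, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)


@dataclass
class Consent:
    user_id: str
    app_id: str                      # one specific third-party application
    data_element: str                # e.g. "account.balance", never "all"
    expires_at: datetime             # set period of time
    uses_left: Optional[int] = None  # set number of uses; None = unlimited
    revoked: bool = False


class ConsentStore:
    def __init__(self) -> None:
        self._records: List[Consent] = []

    def grant(self, consent: Consent) -> None:
        self._records.append(consent)

    def revoke(self, user_id: str, app_id: str, data_element: str) -> None:
        """Withdraw one element; the user's other grants are untouched."""
        for c in self._records:
            if (c.user_id, c.app_id, c.data_element) == (user_id, app_id, data_element):
                c.revoked = True

    def authorize(self, user_id: str, app_id: str, data_element: str,
                  now: datetime) -> bool:
        """True only if a live grant matches user, app AND element.
        A grant with a use budget is consumed by one use on success."""
        for c in self._records:
            if (c.user_id, c.app_id, c.data_element) != (user_id, app_id, data_element):
                continue
            if c.revoked or now >= c.expires_at:
                continue
            if c.uses_left is not None:
                if c.uses_left <= 0:
                    continue
                c.uses_left -= 1
            return True
        return False
```

Because every grant names a single data element, a user "reducing the data they are sharing" is just a revoke of that element, and the API keeps serving the elements they still allow.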
3) Abide by open banking data regulations at the API level
After the California Privacy Rights Act (CPRA) passed in November 2020, many other states and countries are following suit in implementing data and privacy laws to give consumers control of how their personal data is being used. In addition to those new laws and Payments Services Directive 2 (PSD2), the Open Banking industry already has stringent regulations in the UK, Australia and Brazil that must be followed to conduct business in those markets. PSD2 has been around for years and even provided the framework for data-sharing guidelines that spurred the development of Open Banking apps.
When it comes to managing consumer and employee identity, APIs should dictate how the app handles user data, identity governance, and who has access to privileged data. Therefore, it’s much simpler for companies to ensure they are compliant with these regulations if their APIs are updated accordingly or the management of that data is externalized into a third-party governance solution. Then, in the future, as regulations change or when federal officials start monitoring and enforcing these data laws at the API level, no code changes are required to adhere to evolving security, regulatory and privacy demands.
4) Implement a zero trust framework – it’s no longer optional
COVID-19 and the shift to remote work greatly accelerated Zero Trust adoption in the enterprise. Zero Trust, sometimes known as “perimeterless,” is a model incorporating the key tenet of “never trust, always verify” to the design and implementation of IT systems. Implementing a Zero Trust approach has now become essential to protecting every enterprise, regardless of the industry. This is due to the increasing volume of cyber threats that organizations and individuals face on a regular basis, with the average data breach costing companies $8.64 million in 2020.
As a result of this growing issue, the Zero Trust Model must be the new security standard, in which all users, services and things, even those inside the organization’s enterprise network, must be authenticated and authorized before being able to access apps and data. With the shift to the cloud, there is no longer a traditional security perimeter around the data center, so the service identity is the new perimeter.
To implement a Zero Trust architecture, you must authenticate all services, users and data separately and then authorize the data that flows between them. By placing access and data exchange enforcement as close to the service or API as possible, you can apply Zero Trust controls at every decision point when signing into and accessing Open Banking apps that hold sensitive personal information. This protects Open Banking users from unauthorized access and data leakage.
Tapping into the potential of open banking
Open Banking adoption is quickly gaining traction, due to competitive market forces and purposeful legislation. One thing is clear: Open Banking is set to disrupt the financial marketplace. It will give rise to new types of services and tools to benefit the consumer and it will open new avenues and touchpoints for financial institutions to reach and serve their customers.
So, traditional financial institutions have a choice: either take a wait-and-see approach, meet bare minimum compliance requirements and risk being left behind, or harness the power of Open Banking to better serve customers. By mitigating security and privacy risks and compliance exposures, financial services providers can streamline API-driven data exchange with confidence. With these security guardrails, industry innovators can focus on developing new apps and services that provide customers with insightful tools to boost financial well-being, while also keeping customer data safe.