Security is Key to Fostering Consumer Trust in the Open Banking Ecosystem

When FBI investigators asked the notorious armed robber Willie Sutton why he targeted banks, he replied: “It’s because that’s where they keep the money!” This story arose at a time when money was stored as physical cash and robbers needed to either blast their way past the heavy security measures or hold up the bank staff at gunpoint.

Seventy years later money is still largely to be found in banks, but in electronic form, and secured behind firewalls, identity and access management frameworks, and an array of passwords, biometric defences, and cyber defence and counter-fraud tools.   

The success of the banks in preventing theft means that armed bank robbery is thankfully very rare, and criminals have increasingly turned to remotely entering a bank’s systems. In response, banks have made significant investments to reduce the effectiveness of direct attacks which penetrate a bank’s infrastructure to divert payments or access funds, and so the bank robbers have turned their attention to fraud.

Fraud now comprises almost 40% of all reported crime, and identity fraud, account takeover, misuse of a facility, and scams are the four horsemen of the fraud apocalypse. Criminals have pivoted to social engineering, which is intended to trick customers into initiating a payment or giving up the credentials they use to access an account.  The customer is now widely acknowledged to be the weak link in the bank’s defences and enormous efforts are now being put into stopping scams, from confirmation of payee and dynamic messaging to the deployment of sophisticated behavioural biometrics. In many ways, the rise of scams reflects the success of the banks in strengthening security and controls, driving the fraudster to manipulate, con or persuade genuine customers to give up credentials, initiate payments or allow their accounts to be used for nefarious purposes.

The ill-gotten gains from fraud and other crimes also need to be laundered.  Bank controls have made it more difficult for the criminals to use fraud to open accounts for this purpose, leading to the creation of an army of Money Mules – customers willing to allow their accounts to be used for that purpose – and a criminal class of Mule Herders who actively recruit mules through social media. Money laundering and fraud are part of a continuum of financial crime which targets the customer.

 
Open Banking security, fraud, and financial crime risks

Open Banking is part of the wider financial services ecosystem and expands the perimeter, or attack surface, for fraudsters to infiltrate. It is increasing the number of entry points for fraudsters to exploit and although the ability to initiate payments from more sources is a boon for the customer, it also provides new opportunities for fraudsters. Currently, the risk remains with the bank which continues to have responsibility for authenticating the transaction, but this may change as more payments are initiated by TPPs and customer authentication is taken on by the TPP. 

In short, there are no new fraud types created by Open Banking but there will be new opportunities for fraudsters. Linking accounts creates the potential for a fraudster to compromise a customer account to gain entry to all of their accounts. The sharing of account information and access through a single portal or app could provide a greater risk of data loss or compromise, so it’s imperative that TPPs have bank-level security and identity verification and authentication to protect the perimeter.

While the upcoming Transaction Risk indicators are a welcome addition, with the extension of the perimeter, banks may not have all the information they need to apply fraud analytics – such as IP address, device fingerprint, or geolocation – so it is vital that we share data and intelligence across the entire ecosystem.

What is needed to provide security, anti-fraud, and AML compliance

The good news is that there are industry bodies that enable the sharing of data, intelligence, and learning. The Open Banking Implementation Entity (OBIE) has created an intelligence sharing group and Cifas, a non-profit cross-sector data sharing initiative that counts all retail banks amongst its membership, is open to all actors in the Open Banking ecosystem.

Open Banking has been created with security in mind and, together with industry experts, the OBIE has produced good practice guidance – The Security and Counter Fraud Good Practice Guidance – and also provides a counter-fraud maturity self-assessment tool to enable organisations to benchmark their counter-fraud and security approach.

Following this guidance and completing the self-assessment tools are the first steps to ensuring the right levels of security and anti-fraud controls are in place. But it is also essential to maintain an active security posture and keep up to date with the changing threat landscape.

For example, Identity Fraud cases make up over 60% of the cases on the National Fraud Database² so the secure onboarding of customers with a high level of identity verification is a must, given that fraudsters will seek to impersonate genuine customers and create synthetic identities to open accounts. Checking against industry-standard fraud databases to prevent identity fraud is a necessity for all TPPs.

The importance of trust

To be fully successful, Open Banking needs to build and maintain public confidence and trust. Customers expect that they, and their transactions, will be safe and so it is incumbent on TPPs to invest appropriately in layered defences; deploy effective on-boarding identity verification; and uphold safe platforms that keep consumer data secure. 

Fraud risk is likely to grow with greater adoption of Open Banking and in particular with increased volumes of payment initiation. However, Open Banking can also be a means to improve security and reduce fraud and financial crime, in particular in relation to digital identities and KYC checks.

Bank robbers, like Willie Sutton, didn’t give up trying to acquire money illegally because banks built stronger safes – they changed their tack – turning to fraud and increasingly looking for the weakest link.  Let’s make sure that Open Banking is not seen as the weakest link by joining the existing counter-fraud community and sharing data, intelligence and learning to create a common defence.

[The author of this article, Michael Huffman, is Director of Fraud at GoCardless]

Helen Child, Founder & CEO, Open Banking Excellence
