Putting security and privacy at the heart of open banking

Open banking does come with its risks. Imagine a customer who banks with a financial institution that has an open banking relationship with a third party offering other services. As a result, the third party has access to some customer details. If the third party experiences a breach, the customer’s details could become available to criminal organizations.

That possibility illustrates some of the biggest concerns with open banking: privacy breaches, data security, cybercrime and fraud. The financial services industry is already a significant target of fraud and hacking attempts, as shown by a 2018 report from Statistics Canada that found banks ranked highest, at 47%, for cybersecurity incidents in 2017. Open banking has the potential to magnify the impact of breach and cybersecurity incidents when they happen, which could mean reputational risk and erosion of customer trust for the banks.

The good news is the banks, according to Statistics Canada, were much more likely to have security requirements in place than other businesses surveyed. While that’s an important differentiator for them, they’ll need to do even more in a world of open banking, particularly when it comes to agreements governing their relationships with third parties to make sure they also have the right security measures in place. One way to do that is through enhanced certification processes to scrutinize a third party’s security protocols before a bank lets it onto its platforms or shares data with it. Periodic assessments of third parties’ security capabilities, along with close to real-time monitoring of them, will be essential in this new world. Organizations will also need to enhance their fraud management controls and cyber protections.

Driving adoption of open banking will require deep thinking about privacy and embedding it into the design at the outset.

While the security capabilities organizations will need to put in place aren’t new, the level of rigour and coverage will change as they embrace open banking, which is why it will be important for them to review their security architecture, especially for their external-facing applications.

APIs also aren’t new, but with open banking increasing the speed and volume of data sharing, organizations will need to have more controls in place to detect when fraudulent activity may be happening. For example, a sudden increase in the volume of activity is something they’ll need to immediately detect and act upon.

Evolving areas, such as customer identity and access management, help organizations understand customer behaviour and patterns and immediately detect anomalies as they occur. The progress Canada has made through efforts like the Digital ID & Authentication Council of Canada (DIACC) goes a long way in planning for changes like open banking. DIACC recently released a Pan-Canadian Trust Framework, which forms the basis for Canada’s full and secure participation in the evolving digital economy. The framework focuses on reliable, secure, scalable, privacy-enhancing and convenient solutions for digital identity.

As noted, driving adoption of open banking will require deep thinking about privacy and embedding it into the design at the outset. Key to that is giving customers more transparency and control over how, when and with whom their personal information will be used and shared.

But that information needs to be clear and easy to understand for customers, and their consent preferences must be enforced. That’s hard enough to do within an organization, let alone when many players are involved.

It’s also important to establish a strong data stewardship model to provide for accountability for privacy across the ecosystem, including making sure the use of data is legal, fair and ethical.

And since, in this environment, a system is only as strong as its weakest link, it’s important to work out what an appropriate privacy assurance model would look like to give stakeholders comfort over who’s plugging into the open banking and data-sharing ecosystem. The government may also need to invest in developing privacy materials and information, like policies and training, and make them available to FinTechs as they may not have the same level of resources to devote to the issue as the bigger players.