BankThink Open banking is inevitable. Let’s rethink data security, too

By Kevin Paul Murphy for American Banker

The move to the digital marketplace is no longer aspirational but inevitable for the modern financial enterprise. It is now more accurate to describe a bank as a technology company. But the change in identity means banks must adjust the way they ensure the security of their enterprise.

The regulators in the U.K. and Europe provide the best indication of the future banking landscape. The U.K.’s Competition Market Authority and the European Banking Authority have been at the forefront of leading banks into the era of open banking. The European Union’s PSD2 (the revised Payment Service Directive) is the most prominent policy move encouraging open banking, with a compliance date of January 2018. Similar moves are expected by the regulators in the United States and Asia.

The objective of open banking is to increase the level of choice available to customers and to drive competition through the use of application programming interfaces — technology that lets third parties access customer transactional data that has traditionally been secured by a bank.

The opportunities for the customer are endless based on their payment history alone — for example, notifications of cheaper energy suppliers, mortgages and groceries could all occur. The opportunities for banks are less well defined but still real. The immediate challenge is to develop app-based services that can make the most of this environment. This will inevitably involve banks working with third parties that wish to gain access to customer accounts. But for those banks that provide easy integration for third parties, it is clear they will attract more customers and new revenue models.

Success in open banking will be dictated by which banks maximize API integration with third parties. But this open approach to banking has its limits too.

Its maxims may not translate well to cybersecurity in an API environment where, by definition, there will be more points of entry for potential attackers. Legislation such as PSD2 has mandated third parties will have to meet certain operational and security requirements before being authorized to obtain data. While this affords some protection, it is also clear banks will need to reassess their own security posture before fully embracing open banking. Therefore, the top five security considerations for banks entering open banking include:

API governance: It is likely there will be a massive rush in API creation and collaboration with third parties. APIs are the same as any other technological asset; their continued use should be assessed periodically from a risk management perspective, identified with clear ownership information and subject to security reviews including penetration testing and vulnerability scanning so any weaknesses can be identified and remediated.

Protect information flows: With increased interaction between banks and third parties, open banking will increase the complexity of data flows in and out of the enterprise. Data owners should understand the information life cycle and ensure sensitive information is encrypted in transmission and when stored.

Patching: As APIs become integral to the digital marketplace, hackers will increasingly target these applications for disruption, theft of credentials and financial gain. As was seen by the recent Wannacry cyberattack that affected organizations globally, attack vectors often exploit known vulnerabilities; in this case, a weakness in the Microsoft Office system. Due to the complexity of modern banking, it is not possible to apply every software update (patch) as this would place an overwhelming burden on resources. Banks should, however, have a well-defined patch management procedure that assesses risk and then categorizes patches based on the likelihood of exploitation (threat intelligence) and potential impact.

Security testing: As interfaces into a bank’s internal systems increase, greater scrutiny should be placed on both the end point and internal network. Red-teaming penetration testing — where the simulated attacker uses the same tactics as a hacker in a controlled environment — will become a crucial control in ensuring both the perimeter and connection points with third parties remain secure.

Incident response: Preparation is the most effective component of response. Moving into the open banking environment, response teams should practice scenarios where a successful attack exposes vulnerable APIs and involves an authorized third party. This form of readiness will ensure breaches are contained and disruption to services is minimized.

The new world of open banking is upon us. In the rush to engage new business models, we must remember the core pillars of information security — confidentiality, integrity and availability — will remain the foundation of success.