Building trust in the financial digital ecosystem

Open Banking and the drive towards risk-based digital identity and authentication

Open Banking sets new standards and expectations for banks. Customers expect the convenience of mobile banking and the ability to access their financial data across multiple apps without being exposed to fraud. As such, exciting new services and partnerships are possible through Open Banking, but this innovation also introduces security challenges. More precisely, sharing financial data with third parties exposes new attack vectors for cybercriminals. The more data are exposed and shared, the more they are at risk. It is crucial for banks to strengthen the security and trust of customers as we move into the era of Open Banking.

For banks, there are both clear benefits and challenges. Among the benefits is the potential for Open Banking to encourage innovation and competition, with the promise of increased efficiency between banks and other payment institutions. Challenges include the work needed to meet key requirements of Open Banking: Strong Customer Authentication (SCA) to ensure that users are known and have given consent, data exchange enabling entities to talk to one another via application programming interfaces (APIs), and the definition of new TPPs (Third Party Providers). Banks are further challenged to ensure that the customer experience is frictionless, and to deal with issues of cross-border and regional interoperability. 

Strong customer authentication is especially important and must be the central element in the Open Banking API ecosystem. It must be a priority both for banks, which already understand that sensitive data requires high security and protection, as well as for TPPs, which are only at the beginning of their learning curve.

Trust as a foundation

Banking has always been about trust, and more predominantly about physical trust. Customers trusted banks to provide physical protection for their gold, cash, or other valuables in vaults. Now, banking is shifting to digital trust. Banks promise customers that they can protect financial data from criminals, while also making it available to legitimate third parties for digital services.

Open Banking’s foundation of trust is possible through authentication. Trust is created when it is proven that all parties accessing data are who they say they are and performing the actions they claim to be performing.

Machine learning and AI (artificial intelligence) can enable banks to collect and analyse data so they can make smarter real-time decisions about the next action to take when a threat is detected, including whether to approve, block, or reject a transaction. Adaptive authentication processes will enable them to define security levels based on existing risk.

As these technologies are brought to the Open Banking API ecosystem, we will also see financial transactions based on connected devices. Within this ecosystem, the use of static multi-factor authentication methods will decrease, and we will see a migration to continuous data analysis that improves risk-mitigation decision-making and creates a more secure transaction environment.

Traditional authentication meets modern fraud detection

Until recently, strong authentication was mostly performed through the generation of one-time passwords sent to a user’s device. This process was sped up with the introduction of biometric authentication using fingerprints and face recognition. But strong authentication is of little value on a device that is compromised or over a communication channel that is unsecured. As cybercriminals exploit security flaws in mobile devices and on Wi-Fi networks, banks need to deploy proactive defences. True authentication requires protecting the full environment in which a transaction occurs.

Data intelligence for advanced authentication and threat detection

In order to provide the necessary level of trust and security, banks must go beyond traditional authentication practices and use risk-based authentication. It is no longer enough to just authenticate a user. The user’s browser, device, application, session, and transaction must be protected to prevent malicious uses of data. Risk-based authentication, powered by AI and machine learning, determines the proper level of authentication for any transaction with minimal impact on user experience.

Intelligent, data-driven authentication monitors hundreds of parameters in real-time to offer superior security and an elevated user experience. Machine learning models continuously analyse the financial data environment to detect known threats and spot anomalies that signal new cyberthreats.

The use of real-time risk profiling technology will enable organisations to enhance the protection of their most valuable assets. Capabilities such as evidence-based threat detection, anomaly detection, and behavioural biometrics will help financial institutions to stop cybercriminals and help thwart new methods of fraud.

Open Banking is here, and in order to thrive in this new financial ecosystem, banks must create trust. Risk-based authentication is both a responsibility and an opportunity for banks to build trust with their customers by employing the most powerful means of protecting data from fraud.

The editorial was first published in the Open Banking Report 2019, which offers insightful editorials, interviews and expert analyses that paint an exhaustive picture of the Open Banking regulatory shifts and the important extents in which this impact the industry.

About Olivier Thirion de Briel

Olivier Thirion de Briel is Global Solution Marketing Director for financial services at HID Global. In this role, Olivier leads the banking strategy and product marketing for the IAM solutions business unit.

About HID Global 

HID Global provides trusted identity authentication and lifecycle management for people, places, and things. Our modern approach to authentication incorporates an adaptive, risk-based methodology, providing frictionless and continuous experience. Organisations can protect digital identities and accurately assess cyber-risk, by delivering trusted transactions and empower smart decision-making, while going beyond just simple compliance.