Detecting and responding to threats in Open Banking – what are the solutions?

Wednesday 28 November 2018 08:12 CET | Interview

Mike Nathan, Senior Director Solutions Consulting EMEA at ThreatMetrix, discusses the solutions available for banks to identify and respond to threats in Open Banking

What are the fraud and security implications of Open Banking, in terms of customer data storage?

PSD2 and open banking requirements aim to enhance transparency, innovation and competition throughout the EU’s financial services industry. They empower customers to take control of who can use their data and to be advised on financial alternatives that offer more competitive services. This includes regulating third-party aggregators’ access to customers’ account information, in a similar manner to how credit bureaus and bank reports store information about people’s credit files, credit histories and delinquencies.

As part of Open Banking, the banks are required to offer third-party providers (TPPs) access to accounts via APIs, under the condition of customer consent. With the end consumer’s permission, TPPs can access a bank statement for an agreed time period, for instance, to look at how that person is managing their money or to recommend a new financial product. How will customer data be used in making the assessment, and perhaps most importantly – what happens to the data after that? The customer might understand the access that they have given to their primary data – but will also need to clearly understand the way it is going to be used, and potentially shared. Taking control of your own data might lead to higher proliferation of that data than it does today. There is a lot of power in this information – the stored data about the consumers’ behavioural habits, and all their transactions, both digital and physical, will now be visible to TPPs.

Some banks have already started developing their own aggregation products to supplement the existing TPPs. The implications in terms of the types of data and data storage need to be well thought out in order to avoid further breaches and GDPR questions.

What is the impact of the Open Banking regulations on screen scrapers and banking aggregators?

At ThreatMetrix, we work with some UK banks and we see that a high percentage of their traffic is based on screen-scrapers that act as aggregators today. These screen-scrapers never do anything but log into an account, check a consumer’s balance and then return it back to their host systems. This allows the customer a holistic view of all their bank accounts in one place. The UK banks have also started, in a more limited capacity, allowing payments via online banking; this will further pick up pace in 2019.

Banks have previously allowed screen scrapers to operate because they know there isn’t a threat and it is a service. We are now moving into a regulated environment, where the same parties and new entrants will be able to create more functional applications based on APIs.

What about the risks and challenges Open Banking is going to pose to financial institutions?

For Open Banking consent, authentication and authorisation, UK banks generally have followed the redirection model. Therefore, for authentication and authorisation, the customer is redirected from the TPP’s domain to the bank’s domain, allowing the maintenance of high security standards and relying on direct customer consent before the customer shares data. Redirection screens are presented between the consent and the authentication steps, and, after the authorisation step, the customer is redirected back to the TPP’s domain.

However, while Open Banking is designed to enhance the customer experience and choice, it could also increase the risk of specific kinds of fraud, including account takeover via stolen credentials, malware targeting or API hacking. For example, if the fraudster has access to the customer’s security credentials, they might be able to re-use them across all accounts via a single TPP interface. Another example could be a Man-in-the-Browser manipulating the TPP journey after consent to initiate unwarranted payments or return data the customer never intended to share.

Banks must ensure the same level of security across all access points including the Open Banking environment, with the additional check around consent. They also must focus on risk control and put more emphasis on active risk management and monitoring; they can no longer rely on the behaviours of a direct customer and must now manage multiple interactive profiles.

To fight these negative activities, ThreatMetrix has developed the ThreatMetrix Digital Identity Network, which analyses millions of transactions in real time across billions of devices. The latest data, as revealed in the Q2 ThreatMetrix Cybercrime Report, highlights that in the first half of 2018 financial institutions were hit with 81 million cyberattacks on the ThreatMetrix global network.

The ThreatMetrix solution for Open Banking supports organisations in maintaining authentication and customer validation processes whilst enhancing the customer experience by piecing together the true digital identities of users already known to the banks via their regular online banking account. What is more, the solution allows companies to evaluate real-time risk factors in the context of past user behaviours to make accurate risk decisions – to accept, reject, or review (step up) a transaction as necessary.

What are the solutions available for banks in order to build a framework for identifying and responding to threats in Open Banking?

Strong Customer Authentication (SCA) plays an important role in creating a framework for identifying, detecting, protecting, and responding to threats in Open Banking. ThreatMetrix offers SCA solutions that focus on minimal user intervention, such as persistent authentication through device binding using cryptographic keys. This works hand-in-hand with Risk Based Authentication to support the banks in maintaining the optimal user experience as they define, within a new regulated environment, how and when to use step-up authentication.
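As an added illustration of the two ideas above, device binding with cryptographic keys feeding a risk-based accept / step-up / reject decision (with the extra consent check the interview mentions), here is example code written for this page, not ThreatMetrix’s product code. The Bank type, its in-memory maps, the "<nonce>|<tpp>" signing convention and the customer, device and TPP names are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Risk decisions; "step-up" is the interview's "review" outcome (ask for another factor).
const Accept, StepUp, Reject = "accept", "step-up", "reject"

// Bank holds device public keys enrolled during a fully authenticated session
// ("customer/device"), consented TPPs ("customer/tpp") and single-use nonces.
// The in-memory schema is constructed for this example, not a real product's.
type Bank struct {
	devices               map[string]ed25519.PublicKey
	consented, challenges map[string]bool
}

func NewBank() *Bank { return &Bank{map[string]ed25519.PublicKey{}, map[string]bool{}, map[string]bool{}} }
func (b *Bank) Enrol(c, dev string, pub ed25519.PublicKey) { b.devices[c+"/"+dev] = pub }
func (b *Bank) Consent(c, tpp string)                      { b.consented[c+"/"+tpp] = true }

// Challenge issues a fresh nonce; the device signs "<nonce>|<tpp>" so the
// signature is bound both to this request and to the TPP that initiated it.
func (b *Bank) Challenge() string {
	n := make([]byte, 16)
	rand.Read(n)
	c := fmt.Sprintf("%x", n)
	b.challenges[c] = true
	return c
}

// Verify consumes the nonce and returns the risk decision for the request.
func (b *Bank) Verify(cust, dev, tpp, chal string, sig []byte) string {
	if !b.challenges[chal] {
		return Reject // unknown or already-used nonce: treat as replay
	}
	delete(b.challenges, chal)
	pub, bound := b.devices[cust+"/"+dev]
	switch {
	case !bound:
		return StepUp // device not bound to this customer: escalate
	case !ed25519.Verify(pub, []byte(chal+"|"+tpp), sig):
		return Reject // wrong key, or signature made for another TPP or nonce
	case !b.consented[cust+"/"+tpp]:
		return StepUp // no recorded consent for this TPP yet
	}
	return Accept
}
```

The calling sequence is enrol (once, after strong authentication), consent (after the redirection flow), then challenge, sign on the device and verify for every later access.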

For more information on ThreatMetrix solutions for the banking and finance sector visit – cyber-security-solutions/banking-and-brokerage

This editorial was first published in our Open Banking Report 2018. The Open Banking Report 2018 focuses on topics such as building trust, gaining consent and improving customer experience in Open Banking.

About Mike Nathan

Mike Nathan has nearly 15 years of experience in the risk and fraud space, with key interests in online banking fraud, application fraud, internal fraud and card fraud. Mike started as a credit analyst at Lehman Brothers, before moving to Lloyds Banking Group as a Fraud Manager, where he led large teams of analysts and data scientists. He was a consultant at SAS, the analytics company, and a Vice President at Barclaycard, looking at credit card fraud. At ThreatMetrix, as Senior Director, Solutions Consulting EMEA, Mike advises many of the world’s largest banks and holds an MSc in Information Management & Finance from Westminster Business School in the UK.

About ThreatMetrix

ThreatMetrix, A LexisNexis Risk Solutions Company, empowers the global economy to grow profitably and securely without compromise. With deep insight into 1.4 billion anonymized digital identities, ThreatMetrix ID delivers the intelligence behind 110 million daily authentication and trust decisions to differentiate legitimate customers from fraudsters in real time.
