How to protect against tomorrow’s fraudsters, today
By Jay Floyd, Senior Principal Financial Crime Consultant at ACI Worldwide
Criminals will always find new ways to make money. Whether they defraud their victims through authorised push payment (APP) fraud and phishing attacks, or target vulnerable people job hunting during the pandemic, they are, sadly, the original opportunists.
Instances of fraud typically skyrocket in times of crisis. Having learned this the hard way during the financial crash of ’08, the banks and financial institutions were ready for the uptick in attacks against merchants and APP fraud, and had proactively put a number of robust measures in place to protect businesses and consumers.
With further lockdowns and restrictions already in place across the world, and Open Banking set to only grow in adoption in the coming years, fraudsters are already hard at work, looking for new ways to make money. Indeed, their next targets have already been chosen – Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).
Combatting the fraud of tomorrow
PISPs and AISPs play a fundamental role in the payments ecosystem. They are the providers that maintain and build the digital infrastructure that allows for the smooth and secure movement of data and payments throughout the vast ecosystem.
Since the advent of Open Banking in 2018 as part of PSD2, the role of these service providers has become even more essential. PISPs are authorised to initiate payments in and out of accounts, and AISPs are authorised to retrieve account data provided by financial institutions.
Banks are often asked by legitimate AISPs for access to their customers’ data in bulk via API. But there’s an ever-growing risk that fraudsters posing as AISPs will bombard banks, much like doxing, to gain access to this sensitive data.
Threat actors that engage in this method of fraud are often unsuccessful as the customer has a high degree of protection. AISPs and PISPs are required to explain what data will be accessed, the duration of time they will have access to it, and who the data will be shared with. And end customers have to approve or deny each request for access. However, banks don’t have an equal level of protection. And, without knowing it, they could be opening their critical back end infrastructure to fake AISPs, and other cyber risks.
Working with QTSPs to protect banks and customers
UK-based PISPs and AISPs are required to undergo a rigorous application process with the FCA to become regulated. And although some Open Banking providers are regulated as both PISPs and AISPs, most are regulated as one or the other. However, with the number of fraud cases on the rise, banks need to develop a thorough process of screening PISPs and AISPs to protect themselves against criminals that are only masquerading as providers.
It is important to note that any AISP or PISP can lose their regulatory certification. But banks need to remain vigilant, as AISPs and PISPs can still request access to sensitive information even after losing their certification, putting both banks and end customers at risk of being defrauded. To mitigate this risk, banks must work closely with Qualified Trust Service Providers (QTSPs).
QTSPs are the digital certificate issuers for AISPs and PISPs, and are themselves regulated under the eIDAS directive. But QTSPs still remain invisible in the financial community, working behind the scenes, despite having been around since early 2019.
To prevent themselves from falling victim to fraud, banks must work more closely with QTSPs to verify the identity of individuals and corporate bodies attempting to access account information via API. This, in itself, will mitigate the risk of fraudulent AISPs and PISPs and also enable banks to meet a number of their other security requirements.
Fraudsters are opportunists and will always be on the lookout for new ways to make money illegally. And while banks already have numerous fraud prevention measures in place following the last financial crash, they must remain forward-looking to protect customers and themselves from the financial crime of tomorrow. Through aligning much more closely with QTSPs, banks can put themselves in the best position to defend against fraudulent AISPs and PISPs, and ultimately protect customers and themselves from fraud.