Connect with us

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website. .

Banking

NAGIVATING THE OPEN BANKING INITIATIVE AND PSD2

NAGIVATING THE OPEN BANKING INITIATIVE AND PSD2

By Barry O’Donohoe, RAiDiAM Consulting, written in conjunction with Ilex International

The upcoming Open Banking initiative has formed as a result of the Competition and Market Authority’s (CMA) latest effort to promote increased competition and consumer choice among banking service providers. In addition, the CMA intends to be more definitive in specifying the technological implementation of standards, expanding upon the European Banking Authority’s Payments Services Directive 2 (PSD2).The latest report by Identity and Access Management specialists Ilex International and RAiDiAM Consulting explores the impact of the upcoming Open Banking initiative on UK finance organisations.

These APIs will transform the existing relationship between banks and their customers and raise serious identity assurance and access management challenges. Third party providers will be able to deliver new and innovative financial and banking services that have the potential to radically disrupt the established relationships between customers and their existing bank(s) but also raise significant identity and access management challenges.

Providing a standard set of APIs will be challenging for many functional and technical reasons. Perhaps most challenging from a security perspective will be the replacement of bespoke application protection mechanisms, protocols and internal standards with a single modern Identity and Access Management (IAM) capability that can integrate with third parties. This technical refresh, in a very sensitive area of retail banking, must be delivered within very aggressive timelines imposed by the regulatory authorities.

What to look for in a vendor

The Open Banking Implementation Entity (OBIE) has decided that OAuth2 (RFC 6749) shall be the standard of choice for API security and identity federation. Security and API gateway products that adhere to these standards are available from numerous vendors, however, enhancements to the core and complementary standards are being proposed and ratified by technical governance bodies quite frequently.

Banks and other organisations in the financial services ecosystem should partner with vendors that are:

  1. Forward thinking
  2. Embrace open standards
  3. React quickly to threats
  4. Rapidly implement enhancements to their offerings

Organisations with these vendor partnerships will be best placed to ensure their API offering continually operates with the smallest threat surface possible and, as a result, will be well positioned to capitalise on new business opportunities that Open Banking services will bring.

The introduction of new identities in the form of third party digital actors necessitates a change in how banks manage access to, as well as ownership of digital resources. With traditional security perimeters being broken down, a new customer identity-centric approach to the delivery of technology services is required to ensure security postures remain within risk appetite. An identity-defined security model will best position banks for easier compliance with other identity and data governance regulations such as the forthcoming General Data Protection Regulation (GDPR). 

Open Banking in action

Open Banking API offerings are broadly categorized into three types of services: public information, account information services (AIS) and payment initiation services (PIS). The CMA’s high-level roadmap schedules the delivery of APIs in the order of their security or risk levels. APIs requiring no security to implement will be delivered first, starting with the delivery of financial product descriptions and ATM / branch locations by the end of Q1 2017. The aim is to have complete service offerings available by early next year:

  • Product information services – Public
  • Banking product details (fees, interest rates)
  • ATM and branch locations
  • Account information services – Secured
  • Account balance
  • Transaction history
  • Payment initiation services – Secured
  • The ability to make a payment or transfer on behalf of a banks end client

These services, secured using OAuth 2.0, introduce new identities with separate roles and responsibilities. The introduction of these new identities, services and third party access mandates has the potential to significantly increase the threat surface that customer’s digital assets are exposed to. In parallel, banks must contend with the conflicting customer demand for improved user experience, through reduced security friction, as well as ever higher customer and regulatory expectations for secure service delivery.

Achieving assurance in a headless world

These days, customers almost always interact exclusively with banking services via first party channels, whether mobile, telephony or Face2Face. Such channels require customers to perform an appropriate degree of identification and verification before services or information is provided.

Alternatively, with an API channel consumed by third parties, bank’s will need to address use cases where TPPs are performing operations on a customer’s behalf when the customer may not be present during the course of the transaction. Banks must adjust security postures to reflect the loss of control, quality assurance and variable degrees of app security that may be used by customers to access banking services.

Conclusion

Digital identity assurance is leading to a change in the industry. The coming swarm of digital financial asset management APIs will enable new and innovative services to be deployed at a pace previously unseen in the financial services industry. API delivered services have the potential to significantly increase the threat surface banks are exposed to and pose new challenges for identity assurance. Delivery of an API channel will require significant investment in IT Security and IAM infrastructure. It will also require the re-engineering of business processes to manage the numerous new identity classes and their authorisations.

To read the full paper, ‘Open Banking and PSD2: An Inflection Point for Digital Identity Assurance’, click here.

To find out more about Ilex International click here.

Global Banking & Finance Review

 

Why waste money on news and opinions when you can access them for free?

Take advantage of our newsletter subscription and stay informed on the go!


By submitting this form, you are consenting to receive marketing emails from: Global Banking & Finance Review │ Banking │ Finance │ Technology. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Post