By Nathanael Coffing, Co-Founder & CSO of Cloudentity
Open Banking is dramatically changing the way financial institutions, investment companies and fintech organizations transact in the digital economy. The market is rapidly growing, with the industry expected to reach $43.15 billion by 2026. Open Banking puts the ownership of financial data back in the users’ hands to ensure that data can only be used with their permission and for their benefit.
As the saying goes, with great power comes great responsibility. Open Banking is the most powerful instantiation of digital transformation in the marketplace, requiring the exchange of sensitive personally identifiable information (PII), financial information and transactional data. If this shared data is not protected by financial-grade security, or is shared without customer consent, then trust in the Open Banking system will crumble.
Regulations designed to protect this sensitive data and to build customer consent into the process have begun to emerge in different parts of the world, starting with the UK and spreading to countries such as Brazil, India and Australia. While the regulations vary slightly by region, they build on the FAPI (Financial-grade API) specification as the foundation for transactional security and then add fine-grained consent to the customer experience. Even with the emergence of regional standards, there is no global Open Banking standard yet, which makes it difficult for banks to address multiple regions, or to know what interoperability is required where no regional standard is present.
Trust is Paramount for Open Banking
When people or businesses share their financial details, they want it done in a secure fashion and with fine-grained control of what they are sharing, for how long and even the purpose for sharing data. The opportunity for theft, fraud or unwanted exposure carries serious consequences and fines for data leakage and/or misuse of PII data.
Open Banking relies entirely on APIs to share data, and it layers well-defined standards on top of them to provide a high level of API security: mutual TLS (mTLS) for client authentication, access tokens bound to the client's certificate so that a stolen token cannot be replayed from another machine, and authorization of individual transactions. In addition, the user experience for managing one's own data is well defined and mandates fine-grained consent, so that only the data the consumer chooses to share with third parties is shared, and only for the usage and duration the consumer has approved.
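The two enforcement points described above, certificate-bound tokens and fine-grained consent, are easiest to see from the resource server's side. The following is an added illustration written for this page, not code from the article or from any Open Banking implementation. It assumes the token's signature has already been verified, that the client certificate is the one presented over mTLS (DER bytes), and that the token carries the RFC 8705 `cnf` claim with an `x5t#S256` thumbprint; the resource paths, permission names and consent fields are illustrative, loosely modelled on account-access consents, and the certificate bytes are constructed stand-ins.

```python
"""Resource-server gate for an Open Banking data API (illustrative)."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def cert_thumbprint(cert_der: bytes) -> str:
    """base64url(SHA-256(DER cert)) without padding: RFC 8705 'x5t#S256'."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_bound_to_cert(claims: dict, cert_der: bytes) -> bool:
    """Reject a token with no binding at all, or one bound to a
    certificate other than the one seen on this TLS connection."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False
    return hmac.compare_digest(cnf["x5t#S256"], cert_thumbprint(cert_der))


# Permission a client needs for each data resource (illustrative mapping).
REQUIRED_PERMISSION = {
    "/accounts": "ReadAccountsBasic",
    "/balances": "ReadBalances",
    "/transactions": "ReadTransactionsDetail",
}


@dataclass
class Consent:
    """Consent as the bank stores it: accounts, permissions, validity, status."""
    consent_id: str
    status: str                  # "Authorised", "Revoked", ...
    permissions: frozenset
    account_ids: frozenset
    expires_at: datetime


def consent_allows(consent: Consent, account_id: str, resource: str,
                   now: datetime) -> bool:
    """Status, duration, account and purpose must all match the request."""
    if consent.status != "Authorised" or now >= consent.expires_at:
        return False
    if account_id not in consent.account_ids:
        return False
    needed = REQUIRED_PERMISSION.get(resource)
    return needed is not None and needed in consent.permissions


def authorize_request(claims: dict, cert_der: bytes, consent: Consent,
                      account_id: str, resource: str, now: datetime) -> str:
    """Return 'ok' or a short denial reason; the caller maps it to 401/403."""
    if not token_bound_to_cert(claims, cert_der):
        return "deny: token not bound to presenting certificate"
    if claims.get("consent_id") != consent.consent_id:
        return "deny: token was issued for a different consent"
    if not consent_allows(consent, account_id, resource, now):
        return "deny: consent does not cover this request"
    return "ok"


# Constructed sample data: not real certificates, tokens or consents.
TPP_CERT_DER = b"constructed DER bytes standing in for the TPP client cert"
OTHER_CERT_DER = b"constructed DER bytes for some other party's certificate"
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
CONSENT = Consent(
    consent_id="urn:consent:123",
    status="Authorised",
    permissions=frozenset({"ReadAccountsBasic", "ReadBalances"}),
    account_ids=frozenset({"acct-001"}),
    expires_at=NOW + timedelta(days=90),
)
# Decoded claims of a token issued for that consent and bound to the TPP cert.
CLAIMS = {"sub": "customer-42", "consent_id": "urn:consent:123",
          "cnf": {"x5t#S256": cert_thumbprint(TPP_CERT_DER)}}


def demo() -> dict:
    """Run the gate over the constructed scenarios, keyed by name."""
    gate = lambda cert, acct, res, now: authorize_request(
        CLAIMS, cert, CONSENT, acct, res, now)
    return {
        "balances_ok": gate(TPP_CERT_DER, "acct-001", "/balances", NOW),
        "stolen_token": gate(OTHER_CERT_DER, "acct-001", "/balances", NOW),
        "no_transactions_permission": gate(TPP_CERT_DER, "acct-001", "/transactions", NOW),
        "other_account": gate(TPP_CERT_DER, "acct-002", "/balances", NOW),
        "after_expiry": gate(TPP_CERT_DER, "acct-001", "/balances", NOW + timedelta(days=91)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28} {outcome}")
```

Only the first scenario is allowed through. The same token presented from a different certificate is refused before any consent logic runs, which is the property certificate binding buys; a permission the customer never granted, an account outside the consent, and a request after the consent's expiry are each refused by the consent check even though the token itself is valid.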
Trust is the foundation of the Open Banking system, and any company that wants to participate must prove conformance to the FAPI security, consent and API requirements. To maintain that trust, every participant in an Open Banking transaction, financial institutions included, is held to those standards for fine-grained consent and FAPI at each step of the transaction.
Any security leak no matter how minor undermines trust in the system. That means if an Open Banking member, governing body or data recipient is negligent in their security or treatment of users’ data, they risk unwinding the trust across the entire ecosystem. Regulations, certification and regular testing help ensure minimum standards are met to protect data and uphold trust within Open Banking ecosystems.
Open Banking Regulations
For Open Banking to be adopted more widely across the world, a global set of standards needs to be ratified. Banking is a global system, and we are seeing requirements from multinational banks that need to support multiple regional regulations and cross-region transactions. Currently, the FAPI security standard is the closest thing we have to a global standard, but there are major variations in which portions of FAPI are required, which versions of FAPI are mandated, and how consent is treated between regional markets. The lack of a global standard will continue to add complexity to architecture, certification and operations for financial institutions that operate around the world.
A unified, global standard for accessing, transferring and storing open banking data will set clear parameters to ensure user data is protected. Regulations help to ensure security and reduce the risk of bad actors manipulating the system for selfish or criminal interests. What regulators also realize is that if users do not trust that the system is secure and that suppliers will responsibly use data then people simply will not use the system.
Securing Open Banking
Regardless of regional regulations, there is a need for open standards that set a baseline for how PII and financial data are treated. Financial institutions are tasked with modernizing legacy platforms into API-centric services while safeguarding high-value data, so secure open standards are critical to ensuring that robust security, data governance and consent management are inherent in the systems that use and protect customer data.
Given the complexity of regional regulatory requirements, financial organizations operating globally must use tools that support virtually all of those regulations from a single platform, one that facilitates data exchange between regions where Open Banking regulations exist and regions where they have not yet been adopted.
Financial organizations need tools both for enabling Open Banking in their businesses and for supporting compatibility and compliance with Open Banking standards. The use of the proper technology ensures organizations comply with Open Banking standards, while ensuring the privacy of their users’ data.
The benefits of Open Banking are far-reaching and multifaceted. From easier access and innovation to new opportunities for financial technology companies and startups, this revolution will have endless possibilities. For Open Banking to continue its growth model, it’s time for global agreements that enhance and extend the regional groundwork that’s been laid. Privacy, security, consent and data ownership are global rights and must be treated as such.