This article was written by Barry O’Donohoe, co-founder and Senior Partner at RAiDiAM
The upcoming open banking initiative has formed as a result of the Competition and Market Authority’s (CMA) latest effort to promote increased competition and consumer choice among banking service providers.
In addition, the CMA intends to be more definitive in specifying the technological implementation of standards, expanding upon the European Banking Authority’s Payments Services Directive 2 (PSD2). These APIs will transform the existing relationship between banks and their customers and raise serious identity assurance and access management challenges.
Third party providers will be able to deliver new and innovative financial and banking services that have the potential to radically disrupt the established relationships between customers and their existing bank(s) but also raise significant identity and access management challenges.
Providing a standard set of APIs will be challenging for many functional and technical reasons. Perhaps most challenging from a security perspective will be the replacement of bespoke application protection mechanisms, protocols and internal standards with a single modern Identity and Access Management (IAM) capability that can integrate with third parties. This technical refresh, in a very sensitive area of retail banking, must be delivered within very aggressive timelines imposed by the regulatory authorities.
What to look for in a vendor
The Open Banking Implementation Entity (OBIE) has decided that OAuth2 (RFC 6749) shall be the standard of choice for API security and identity federation. Security and API gateway products that adhere to these standards are available from numerous vendors, however, enhancements to the core and complementary standards are being proposed and ratified by technical governance bodies quite frequently.
Banks and other organizations in the financial services ecosystem should partner with vendors that are:
- Forward thinking
- Embrace open standards
- React quickly to threats
- Rapidly implement enhancements to their offerings
Organisations with these vendor partnerships will be best placed to ensure their API offering continually operates with the smallest threat surface possible and, as a result, will be well positioned to capitalize on new business opportunities that open banking services will bring.
The introduction of new identities in the form of third party digital actors necessitates a change in how banks manage access to, as well as ownership of digital resources. With traditional security perimeters being broken down, a new customer identity-centric approach to the delivery of technology services is required to ensure security postures remain within risk appetite. An identity-defined security model will best position banks for easier compliance with other identity and data governance regulations such as the forthcoming General Data Protection Regulation (GDPR).
Open banking in action
Open Banking API offerings are broadly categorized into three types of services: public information, account information services (AIS) and payment initiation services (PIS). The CMA’s high-level roadmap schedules the delivery of APIs in the order of their security or risk levels. APIs requiring no security to implement will be delivered first, starting with the delivery of financial product descriptions and ATM / branch locations by the end of Q1 2017. The aim is to have complete service offerings available by early next year:
- Product information services – public
- Banking product details (fees, interest rates)
- ATM and branch locations
- Account information services – secured
- Account balance
- Transaction history
- Payment initiation services – secured
- The ability to make a payment or transfer on behalf of a banks end client
These services, secured using OAuth 2.0, introduce new identities with separate roles and responsibilities. The introduction of these new identities, services and third party access mandates has the potential to significantly increase the threat surface that customer’s digital assets are exposed to. In parallel, banks must contend with the conflicting customer demand for improved user experience, through reduced security friction, as well as ever-higher customer and regulatory expectations for secure service delivery.
Achieving assurance in a headless world
These days, customers almost always interact exclusively with banking services via first party channels, whether mobile, telephony or Face2Face. Such channels require customers to perform an appropriate degree of identification and verification before services or information is provided.
Alternatively, with an API channel consumed by third parties, banks will need to address use cases where TPPs are performing operations on a customer’s behalf when the customer may not be present during the course of the transaction. Banks must adjust security postures to reflect the loss of control, quality assurance and variable degrees of app security that may be used by customers to access banking services.
Digital identity assurance is leading to a change in the industry. The coming swarm of digital financial asset management APIs will enable new and innovative services to be deployed at a pace previously unseen in the financial services industry. API delivered services have the potential to significantly increase the threat surface banks are exposed to and pose new challenges for identity assurance.
Delivery of an API channel will require significant investment in IT Security and IAM infrastructure. It will also require the re-engineering of business processes to manage the numerous new identity classes and their authorisations.