How to Navigate the Open Banking Initiative and PSD2
The upcoming Open Banking initiative has formed as a result of the Competition and Markets Authority’s (CMA) latest effort to promote increased competition and consumer choice among banking service providers. In addition, the CMA intends to be more definitive in specifying the technological implementation of standards, expanding upon the European Banking Authority’s Payment Services Directive 2 (PSD2).
The resulting APIs will transform the existing relationship between banks and their customers. Third party providers will be able to deliver new and innovative financial and banking services that have the potential to radically disrupt the established relationships between customers and their existing bank(s), but these services also raise serious identity assurance and access management challenges.
Providing a standard set of APIs will be challenging for many functional and technical reasons. Perhaps most challenging from a security perspective will be the replacement of bespoke application protection mechanisms, protocols and internal standards with a single modern Identity and Access Management (IAM) capability that can integrate with third parties. This technical refresh, in a very sensitive area of retail banking, must be delivered within very aggressive timelines imposed by the regulatory authorities.
Open Banking in action
Open Banking API offerings are broadly categorised into three services: public information, account information services (AIS) and payment initiation services (PIS). The CMA’s high-level roadmap schedules the delivery of APIs in order of their security or risk level. APIs that require no security controls to implement will be delivered first, starting with financial product descriptions and ATM / branch locations by the end of Q1 2017. The aim is to have the complete service offering available by early next year:
- Product information services – Public
  - Banking product details (fees, interest rates)
  - ATM and branch locations
- Account information services – Secured
  - Account balance
  - Transaction history
- Payment initiation services – Secured
  - The ability to make a payment or transfer on behalf of a bank’s end client
These services, if secured using OAuth 2.0, introduce new identities with separate roles and responsibilities. The introduction of these new identities, services and third party access mandates has the potential to significantly increase the threat surface to which customers’ digital assets are exposed. In parallel, banks must contend with conflicting demands: customers want an improved user experience through reduced security friction, while customers and regulators alike hold ever higher expectations for secure service delivery.
Achieving assurance in a headless world
These days, customers interact with banking services almost exclusively via first party channels, whether mobile, telephony or face to face. Such channels require customers to complete an appropriate degree of identification and verification before services or information are provided.
By contrast, with an API channel consumed by third parties, banks will need to address use cases in which third party providers (TPPs) perform operations on a customer’s behalf while the customer is not present for the transaction. Banks must adjust their security posture to reflect the loss of direct control and quality assurance, and the variable degree of security in the third party applications customers may use to access banking services.
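The two secured service categories above, consumed by a TPP while the customer is absent, come down to one authorisation decision at the bank’s API: is this third party, presenting this token, still allowed to do this operation for this customer? The following is an added illustration, not code from the article, Ilex International, RAiDiAM or the Open Banking standard. It assumes a hypothetical token and consent format (scope names `accounts` and `payments`, a `consent_id` claim binding the token to the consent the customer granted while present) and that the token’s signature has already been validated. The point it makes is that the TPP (OAuth client) and the customer (OAuth subject) are separate identities, and that a token is never allowed to exceed the consent behind it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical scope names for the two secured service categories
# described in the article (account information, payment initiation).
SCOPE_AIS = "accounts"
SCOPE_PIS = "payments"

# Which scope each API operation requires. Public product information
# needs no token at all, so it is not listed here.
REQUIRED_SCOPE = {
    "read_balance": SCOPE_AIS,
    "read_transactions": SCOPE_AIS,
    "initiate_payment": SCOPE_PIS,
}


@dataclass
class Consent:
    """The customer's recorded authorisation for one TPP, captured while
    the customer was present (e.g. at OAuth authorisation time)."""
    consent_id: str
    customer_id: str        # the bank's end customer who granted access
    tpp_client_id: str      # the third party the consent was granted to
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False


@dataclass
class AccessToken:
    """Claims the resource server sees after validating the token's
    signature (signature validation is assumed to have happened already)."""
    tpp_client_id: str      # OAuth client: the TPP, not the customer
    customer_id: str        # OAuth subject: the customer being acted for
    consent_id: str
    scopes: frozenset
    expires_at: datetime


def authorise(token, consent_store, operation, now=None):
    """Decide whether the TPP presenting `token` may perform `operation`
    on the customer's behalf. Returns (allowed, reason); the reason is
    meant to be logged so refusals are visible to monitoring."""
    now = now or datetime.now(timezone.utc)
    required = REQUIRED_SCOPE.get(operation)
    if required is None:
        return False, "unknown_operation"
    if token.expires_at <= now:
        return False, "token_expired"
    # The token must carry the scope, and the customer's consent must too:
    # a token is never more powerful than the consent behind it.
    if required not in token.scopes:
        return False, "scope_missing_from_token"
    consent = consent_store.get(token.consent_id)
    if consent is None:
        return False, "consent_not_found"
    # Bind the consent to the same TPP and customer as the token, so a
    # consent granted to one TPP cannot be reused by another.
    if consent.tpp_client_id != token.tpp_client_id:
        return False, "consent_tpp_mismatch"
    if consent.customer_id != token.customer_id:
        return False, "consent_customer_mismatch"
    if consent.revoked:
        return False, "consent_revoked"
    if consent.expires_at <= now:
        return False, "consent_expired"
    if required not in consent.scopes:
        return False, "scope_missing_from_consent"
    return True, "ok"


def demo():
    """Constructed sample data: one customer, two TPPs, one AIS consent."""
    t0 = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)
    consents = {
        "c-1": Consent("c-1", "cust-42", "tpp-alpha",
                       frozenset({SCOPE_AIS}), t0 + timedelta(days=90)),
    }
    ais_token = AccessToken("tpp-alpha", "cust-42", "c-1",
                            frozenset({SCOPE_AIS}), t0 + timedelta(hours=1))
    # A token claiming payments scope although the consent only covers AIS.
    over_scoped = AccessToken("tpp-alpha", "cust-42", "c-1",
                              frozenset({SCOPE_AIS, SCOPE_PIS}),
                              t0 + timedelta(hours=1))
    # A different TPP presenting a token that references tpp-alpha's consent.
    other_tpp = AccessToken("tpp-beta", "cust-42", "c-1",
                            frozenset({SCOPE_AIS}), t0 + timedelta(hours=1))
    return {
        "balance": authorise(ais_token, consents, "read_balance", t0),
        "payment": authorise(over_scoped, consents, "initiate_payment", t0),
        "other_tpp": authorise(other_tpp, consents, "read_balance", t0),
        "stale": authorise(ais_token, consents, "read_balance",
                           t0 + timedelta(hours=2)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Every refusal returns a distinct reason so the resource server can log it as a structured event; a run of `consent_tpp_mismatch` or `scope_missing_from_consent` decisions for one TPP is exactly the kind of signal a bank’s monitoring will want once customers are no longer present to notice misuse themselves.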
Digital identity assurance is driving a change in the industry. The coming wave of digital financial asset management APIs will enable new and innovative services to be deployed at a pace previously unseen in the financial services industry. API delivered services have the potential to significantly increase the threat surface to which banks are exposed and pose new challenges for identity assurance. Delivery of an API channel will require significant investment in IT security and IAM infrastructure. It will also require the re-engineering of business processes to manage the numerous new identity classes and their authorisations.
To read the full paper, ‘Open Banking and PSD2: An Inflection Point for Digital Identity Assurance’, click here.
To find out more about Ilex International click here.
To find out more about RAiDiAM Consulting click here.