Open Banking, Data Protection Laws Bring in New Challenges for Digital Banks and Incumbents

by September 28, 2020

Open banking, one of the hottest topics in financial services today, is bringing in new challenges and risks that both traditional financial institutions and fintech companies must address swiftly, said Frederik Mennes, director of product security at cybersecurity firm OneSpan.

In a recent conversation with Finextra, Mennes identified three major security risks brought in by open banking that incumbents and digital banks alike must tackle.

The first risk, Mennes said, relates to the fact that open banking requires financial institutions to open up their IT systems and share data with third-party providers (TPPs).

“It’s very important that only licensed, authorized and therefore trustworthy TPPs can obtain data from financial institutions,” he said.

“If an unauthorized, perhaps malicious, TPP would be authorized to obtain financial data from a bank, that would have an enormous impact on the confidentiality, as well as the integrity of the financial data, which could ultimately have a negative impact on the reputation of the financial institution.”

The second risk, Mennes said, relates to users of applications provided by TPPs. “It’s very important that these users are properly authenticated when they try to access a bank account held by a financial institution,” he said. “We don’t want to see a situation whereby a user of a TPP application can obtain an authorized access to a bank account that is perhaps under the control of someone else.”

Finally, the third security risk is that, ultimately, open banking will be making TPPs part of the security perimeter of financial institutions’ IT infrastructure, posing systemic cyber risks across organizations and third parties.

“In a certain sense, the IT infrastructure of the bank is now going to contain the IT infrastructure of the various TPPs,” Mennes said. “When a TPP is compromised, it could also have a negative impact on the bank.”

A rapidly evolving regulatory landscape

To address these emerging security risks, regulators around the world have introduced new rules. Several regimes, for example, require TPPs to digitally sign all the requests that they send to open banking interfaces, so that only authorized, trustworthy TPPs can gain access to financial data from banks.

In Europe, the revised Payment Services Directive (PSD2) requires financial institutions to authenticate users of TPP applications when they want to access their bank accounts. The regulation also dictates how authentication must be performed, setting, for example, requirements on two-factor authentication and transaction authentication based on dynamic linking, and further requires transaction risk analysis to spot fraudulent access attempts and fraudulent.

PSD2 also addresses the security of TPPs’ infrastructure, setting requirements for creating security policies, maintaining proper network security controls, performing penetration tests to proactively detect vulnerabilities, and more.

Jurisdictions like the UK, Hong Kong, Australia and the European Union (EU) have adopted a regulatory-driven approach to open banking, introducing a legal framework and setting out rules to enable the safe, mainstream adoption of open banking.

According to Mennes, Australia stands out from the crowd for having the most ambitious and innovative approach to open banking.

“Australia is actually moving beyond open banking and proposing an open data economy whereby citizens can not only request financial institutions to share their data with TPPs, but also other companies like energy providers, telcos, etc.,” Mennes said.

“I believe that over time we will see a similar approach in other parts of the world.”

Open banking initiatives and regimes aren’t the only regulatory changes financial institutions and fintech companies must deal with. In Asia, new digital banking regulation is presenting fintech companies with an array of new requirements to comply with, and around the world, jurisdictions are enacting data privacy and data protection laws.

In November 2019, the Financial Action Task Force, which comprises 39 countries representing major financial centers across the globe, issued a draft guidance on digital identity, detailing the best way to apply customer due diligence to digital account opening processes using digital identity verification. The guidance is expected to come into effect later this year.

Challenger banks continue to gain ground

Challenger banks continued to gain ground in 2019, sparking substantial investor interest and raising a record of US$5.3 billion in equity funding. Momentum persisted in H2’20, with digital banks such as UK-based Monzo, Germany’s N26, Brazil’s NuBank and US-based Varo, raising mega rounds, according to CB Insights’ State of Fintech Q2 2020 report.

Europe, the pioneer in open banking regulations, remains the hub of digital banking, having given rise to the first wave of challenger banks, including N26 and UK-based Revolut, which currently stand as the third and fifth most valuable challenger banks in the world with valuations of US$5.5 billion and US$3.5 billion, respectively, according to a CB Insights analysis.

Out of the world’s top ten most valuable challenger banks, four are from Europe, three are from the US, and two are from Latin America, including NuBank, currently the most valuable digital bank in the world at US$10 billion, and Uala, from Argentina with a valuation of US$950 million.

10 Most Valuable Challenger Banks, CB Insights, August 2020

New generation of challenger banks

But a new generation of challenger banks is emerging, and these are taking a radically different approach to that of early pioneers.

“The new players want to grow to make money, not conquer the world,” Jeroen De Bel, partner at Fincog, a consultancy that manages a database of neobanks, told Sifted. “You see more and more of the newer apps learning from [the mistakes of] the UK players, ensuring the path to profitability is there early on … It’s all about sustainability.”

These newer players aren’t going after the mass market but rather focus on getting a core proposition, De Bel said.

For example, in Germany, Tomorrow recently launched a neobank for consumers focused on protecting the climate. Tomorrow offers an ethical current account and sustainability-focused add-ons, and claims 40,000 active users.

Another new player from Germany is 220, a private members bank for entrepreneurs, influencers and investors. In addition to banking services, 220 also provides its customers with private events and perks like exclusive discounts and limited experiences.

In the UK, Kroo, formerly known as B-Social, offers a “social finance” app with an accompanying debit MasterCard. Kroo enables users to make purchases, as well as share and keep track of expenses with friends and family.

Longevity Card is an upcoming challenger bank from the UK that focuses on helping customers have a healthy lifestyle, in addition to providing mobile banking services. Longevity Card will come with an artificial intelligence (AI)-powered healthtech solution that will analyze daily activity, nutrition, and many other parameters to offer customers personalized health tips and reward them for maintaining a healthy lifestyle.

A recent addition to this ever-growing list is Jefa, a startup targeting women in Latin America. The company is building a product that focuses on solving the problems that women face when opening a bank account and managing. It plans to launch in a few months, starting with Costa Rica and Guatemala.

Data from Fincog shows that there are currently more than 250 independent neobanks across the world for a combined customer base of over 350 million.

Traction of Neo Banks, Fincog, August 2020

Unsurprisingly, penetration is highest in emerging markets, including China (93%), India (50%) and Brazil (32%), which top the chart. These are followed by the Netherlands, Germany, the UK and Spain with rates that range between 2% and 4%.

Digital banking in Southeast Asia

With 22 million people joining the “mobile age” every year, Southeast Asia is rapidly emerging as the new battleground for challenger banks. European fintech scaleups including Revolut and TransferWise have already expanded into the region, but with regulators in countries including Singapore and Malaysia issuing new rules on digital banking, these will have to compete against a whole new generation of homegrown neobanks.

In June last year, the Monetary Authority of Singapore (MAS) announced that it would issue two digital full bank licenses and three digital wholesale bank licenses in a bid to spur innovation. The digital banking licenses are expected to be granted by the end of 2020.

Malaysia released its virtual banking licensing framework in December 2019 and is expected to begin accepting applications later this year. Meanwhile, Thailand is reportedly studying the possibility of licenses for digital banks.

Penetration of Neo Banks, Fincog, August 2020

The forthcoming entrance of digital-first, challenger banks in Southeast Asia is expected to shake up the region’s banking industry which remains dominated by incumbents with outdated products and services that fail to meet the needs and expectations of a younger, hyper-connected generation.

But according to Myles Bertrand, managing director of APAC at Mambu, a software-as-a-service (SaaS) banking platform, the introduction of these new licenses is intended to fill a gap rather than increase competition, although increased competition will most likely be a side effect.

“The ‘gap’ in this scenario is the approximate 73% of people living in Southeast Asia who don’t currently have a bank account – it’s a sizeable market, and one which should encourage plenty of new players,” Bertrand told Vulcan Post.

Despite being one of the largest and fastest-growing regions in the world, Southeast Asia is also home to a large unbanked and underbanked population. Banking penetration across countries in Southeast Asia stands at around 50% on average, compared with the 95% banking penetration rate in the US and UK.

According to Bain and Company, more than 7 out of 10 adults in Southeast Asia are either underbanked, with no access to credit cards or no long-term savings product, or unbanked and without access to a basic bank account. In addition, millions of Southeast Asia’s small and midsize enterprises (SMEs) face large funding gaps.

Financial services penetration in Southeast Asia compared with other regions, Bain and Company, October 2019
