Open Banking Security

Open Data is Key to Shaping the Future of Hyper-Personalised Banking

Despite presenting tremendous opportunities to improve customer experience and drive accessibility to financial services, innovations around open APIs and open banking also increase interconnectedness and the attack surface, introducing new cyber risks which stakeholders must address by rethinking their approach to network security and focus on the broader ecosystem, experts said during a panel discussion.

During a virtual panel hosted by banking software provider Temenos on August 17, 2022, top executives representing Standard Chartered’s banking-as-a-service (BaaS) brand nexus, incumbent bank HSBC and digital banking group Tyme Group, delved into the state of open banking adoption, as well as the opportunities and challenges brought about data sharing.

The global trend toward open banking is increasing interconnectivity among banks and third parties, creating more points of weakness and vulnerability in banks’ network security.

Aldrich Goh

“With open banking, there is more interconnectivity between different players in the market… a lot of dependency on the external parties, … more interconnectivity and it provides new avenues for bad guys to launch attacks on,”

said Aldrich Goh, Chief Information Security Officer, Standard Chartered’s nexus.

“Whether the data is held at the bank or passed over to the fintechs, it has to be secure end-of-end for people to trust individual organizations as well as the industry as the whole. Because it just takes one player to breach and people will start to question and grow concerned.”

Designed to spur innovation and increase competition, open banking relies on the use of application programming interfaces (APIs) to establish a connection between third-party providers and users’ bank accounts, allowing for consumer banking, transaction, and other financial data to be gathered.

Use cases of open banking are multiple. In personal finance, it includes account aggregation where all of a customer’s accounts could be brought to one place for users to have a consolidated view of their income, expenses, loans, and investments.

In lending, open banking and data sharing can remove the need to rely on credit history when considering applications, providing instead lenders with instant access to customer’s financial data from other providers and allowing them to present an answer to a loan application in just a few minutes.

Open banking is fast becoming a strategic priority for financial institutions and organizations must have proper API security strategies in place, Aldrich said. Data sharing and open APIs are making perimeters porous and introducing systemic risks.

“It’s important for organizations to have API security strategies to govern the APIs, all your assets, ensure that the code is secure, etc,” he said.

“And there needs to be consideration for supply chain security as well: the partners you work with, whether they have the necessary controls that you expect of them, as well as the open source software you use. We cannot rely on preventive controls, but we also need to have proper detective controls.”

Towards open data

Since the UK and the European Union (EU) pioneered open banking, mandating banks to develop APIs for third-party providers to use, the trend has spread across the world and has started shaking up the traditional financial services industry.

According to Frankie Wai, Business Solution Director Asia Pacific (APAC), Temenos, at least 50 countries worldwide are on the path to open banking, with two main strategies emerging: the regulatory-driven approach and the market-driven approach. A few jurisdictions, including India and Singapore, have embraced a hybrid approach that combines both guidelines but no compulsory open banking regimes.

Open banking around the world, Source: Temenos

Australia stands out from the crowd, Frankie said, noting that the country has gone a step further and set the foundations for open data.

Frankie Wai, Business Solution Director Asia Pacific (APAC), Temenos

“In a similar way to the UK, the Australian Prudential Regulation Authority (APRA) mandated open banking regulation for banks,”

Frankie said.

“In parallel, the Consumer Data Right is being implemented in an open data economy where citizens and financial institutions and companies in other sectors like energy or telecommunications can share their data with third parties.”

Echoing Frankie, Alvin Lim, Head of Open Banking Engagement for Wealth and Personal Banking, HSBC, said open banking will ultimately move to open data in its latest stage. Regulators around the world are already looking at open finance, including those in the Philippines and the EU.

Alvin Lim

“Australia is hitting the right note with open data,” Alvin said.

“What that means is bringing all the data that’s important for cross industries to come together. At the end of the day, we are talking about addressing customers’ needs.

We are no longer talking about campaign offers based on a segment approach, but right now it’s based on your individual profile, your lifestyle – a product that is suitable for you.”

In developing markets like the Philippines, Indonesia and South Africa, open banking holds great potential to improve financial inclusion, said Nate Clarke, President and CEO, GoTyme Bank and Founding Member, Tyme Group.

Data sharing can help create value for low-income and financially excluded customers by improving access and conditions of access to credit, as well as by facilitating access to accounts and financial products.

Although new technologies and fintech products, like e-wallets, have already substantially helped bring basic banking products to the unbanked, there’s still a long way to go.

Nate Clark

“As an industry, we’ve done pretty well on banking and e-wallet penetration over the past decade,” Nate said. “What we haven’t moved the needle is on credit, adoption of investment, adoption of insurance.”

Regulators need to step in to both encourage incumbents to open up their data, but also push the large tech players to make their own data available as well.

“I would like to see regulators do more,” Nate said.

“The reality is that there’s a lot of disincentives for large incumbents to participate. The banks see their large datasets as an asset even though customers tend to think that they own their data.

[On the other end spectrum,] open banking shouldn’t just include banks [either] because there’s much higher adoption, in the Philippines for example, of the GCash and the e-wallets. There’s actually really good data there. We also need to look beyond banking. E-commerce is really rich in these markets. These bigtech companies have a lot of data.”