
Financial privacy and the security of members’ data is a growing concern as the first stage of open banking implementation approaches in Canada.

As part of Cyber Security Awareness Month, we wanted to provide credit unions with cyber security considerations for open banking as members’ financial privacy and security becomes a priority for financial institutions. The first phase of Canada’s open banking rollout is likely to begin in fall 2023, where read-only access to data will be made available to third-party financial service providers via application programming interfaces (APIs).

In practice, open banking will allow credit unions to deliver their members the best financial products and services specific to their individual needs. Lenders can get a more accurate picture of a person’s financial situation and their risk level, which will help lenders offer more suitable loan terms. Open banking will provide access to tools which will enable members to better understand their financial situation and control their finances better.

Credit Union Impact

Open banking does come with risks. Under current data-sharing practices, members hand their banking credentials to third-party applications they find valuable for managing their finances and businesses. These organizations are not regulated; they store members’ credentials within their own systems and have captured member data beyond what is needed to provide their services. The current practice is fraught with risk.

With open banking, the method of sharing data is more secure in that only the consented data is shared; no credentials and no non-consented data are shared. It’s true that a third party could still be breached, but that risk exists today with whatever data the third party has already collected through screen scraping. The difference with open banking is that third parties will need to be accredited, meet security and privacy standards and adhere to the liability rules. Credit unions will need to maintain compliance with the rules and regulations in order to participate in open banking. As open banking becomes more widely adopted, the volume of data consumed by third parties will increase, and security will need to keep pace as new threats emerge and fraudsters find new ways to target and exploit consumers online.

That possibility illustrates some of the biggest concerns with open banking: privacy breaches, data security, cybercrime and fraud. The financial services industry is already a significant target of fraud and hacking attempts: a 2018 report from Statistics Canada found that financial institutions ranked highest, at 47%, for cyber security incidents. Open banking has the potential to magnify the impact of breaches and cyber security incidents when they happen, which could mean reputational risk and erosion of member trust.

The good news is that the same report found that financial institutions were much more likely than the other businesses surveyed to have security requirements in place. While that’s an important differentiator, financial institutions need to do even more in the world of open banking, particularly when it comes to agreements governing relationships with third parties, to make sure those third parties also have the right security measures in place. While cyber incidents are always a threat, we can look to other jurisdictions to see how open banking has affected the number of cyber incidents. According to the OBIE in the UK, there was a rise in cyber-attacks at the beginning of the pandemic, but attacks have not significantly increased since the implementation of open banking. According to Brendan Jones, COO at Konsentus, open banking has been a success in the UK because of how much effort was put into its standards, framework and regulations.

While the security capabilities credit unions will need to put in place aren’t new, the level of rigor and coverage will change as you embrace open banking. It is essential for credit unions to review their security architecture and controls, especially for their member-facing applications. Credit unions will also need to enhance their fraud management controls and cyber protections.

APIs also aren’t new, but with open banking increasing the speed and volume of data sharing, organizations will need more controls in place to detect when fraudulent activity may be happening. For example, a sudden increase in the volume of activity is something they’ll need to detect and act upon immediately.

Evolving areas, such as customer identity and access management, help organizations to better understand member behaviour and patterns and immediately detect anomalies as they occur. The progress Canada has made through efforts like the Digital ID & Authentication Council of Canada (DIACC) goes a long way in planning for changes like open banking. DIACC recently released a Pan-Canadian Trust Framework, which forms the basis for Canada’s full and secure participation in the evolving digital economy. The framework focuses on reliable, secure, scalable, privacy-enhancing and convenient solutions for digital identity.

It’s also important for your credit union to establish a strong data stewardship model that provides accountability for privacy across your digital ecosystem. In an open banking environment, a system is only as strong as its weakest link. Therefore, it’s important to work out what an appropriate privacy assurance model would look like, to give members, employees and Boards comfort over who is plugging into the open banking data-sharing ecosystem.

Member Impact

Cyber security for open banking is not only a concern for financial institutions, but for members as well. EY found that 48% of consumers had negative opinions about open banking due to data and cyber security concerns. Danger seems to be everywhere: malicious third-party apps, data breaches, fraud, hacking and insider threats are all possible.

Open banking puts the member in control of their privacy: who has access to their data, for how long and for what purpose. But that information needs to be clear and easy for members to understand, and their consent preferences must be enforced. That’s hard enough to do within a credit union, let alone when many players are involved. Promoting data openness and transparency gains trust amongst members and ensures they know what information is shared. It is essential that credit unions obtain explicit consent and equip members with the tools and education to monitor their accounts and detect suspicious activity.
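The two properties described above and in the Credit Union Impact section, that only consented data is shared (never credentials) and that a consent is bound to a particular third party, purpose and expiry, can be enforced by a small gate in front of every data release. The following is an added example for illustration, not code from Celero or from any open banking standard; the consent record layout, the scope names (`accounts:read`, `balances:read`, `transactions:read`) and the sample member record are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Which response fields each consent scope unlocks (hypothetical scope names).
# Credential fields are deliberately absent from this map, so they can never be
# released no matter what a third party asks for.
SCOPE_FIELDS = {
    "accounts:read": {"account_id", "account_type"},
    "balances:read": {"balance"},
    "transactions:read": {"transactions"},
}


@dataclass(frozen=True)
class Consent:
    """A member's consent grant to one third party (hypothetical record layout)."""
    member_id: str
    third_party: str
    scopes: frozenset
    purpose: str
    expires_at: datetime


class ConsentError(Exception):
    """Raised when a data request is not covered by the member's consent."""


def check_consent(consent, third_party, scope, now):
    """Enforce the three dimensions of consent: who, what, and for how long."""
    if consent.third_party != third_party:
        raise ConsentError("consent was granted to a different third party")
    if now >= consent.expires_at:
        raise ConsentError("consent has expired")
    if scope not in consent.scopes:
        raise ConsentError(f"scope {scope!r} was not consented to")


def share(record, consent, third_party, scope, now):
    """Return only the fields the consented scope unlocks, or raise ConsentError."""
    check_consent(consent, third_party, scope, now)
    allowed = SCOPE_FIELDS.get(scope, set())
    return {key: value for key, value in record.items() if key in allowed}


def try_share(record, consent, third_party, scope, now):
    """Like share() but reports the outcome instead of raising (handy for audit logs)."""
    try:
        return ("shared", share(record, consent, third_party, scope, now))
    except ConsentError as err:
        return ("denied", str(err))


# Constructed sample data: a member record as the credit union holds it,
# including a credential field that must never leave the credit union.
NOW = datetime(2023, 10, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_RECORD = {
    "account_id": "CU-1001",
    "account_type": "chequing",
    "balance": 1250.00,
    "transactions": [{"date": "2023-10-01", "amount": -42.10}],
    "online_banking_password_hash": "<constructed placeholder>",
}
SAMPLE_CONSENT = Consent(
    member_id="m-42",
    third_party="tpp-a",
    scopes=frozenset({"accounts:read", "balances:read"}),
    purpose="budgeting app",
    expires_at=NOW + timedelta(days=90),
)


def demo():
    """Walk through the cases a consent gate must handle."""
    return {
        "consented scope": try_share(SAMPLE_RECORD, SAMPLE_CONSENT, "tpp-a", "balances:read", NOW),
        "scope not granted": try_share(SAMPLE_RECORD, SAMPLE_CONSENT, "tpp-a", "transactions:read", NOW),
        "other third party": try_share(SAMPLE_RECORD, SAMPLE_CONSENT, "tpp-b", "balances:read", NOW),
        "after expiry": try_share(SAMPLE_RECORD, SAMPLE_CONSENT, "tpp-a", "balances:read",
                                  NOW + timedelta(days=91)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>18}: {outcome}")
```

The design choice worth noting is that the gate is an allow-list keyed by scope: a field that is not mapped to any scope is simply never in a response, which is how "no credentials are shared" becomes a property of the code rather than a policy that each endpoint has to remember.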

API Security

Financial services institutions of all sizes have recognized that open banking is essential to their ability to compete, providing a key component for their digital transformation initiatives and enabling them to create a competitive advantage.

Supplementing existing defenses and adequately securing the expanding API attack surface is crucial. Credit unions need visibility that provides an accurate and complete inventory of their APIs. Runtime protection is also essential: monitoring APIs to understand their normal versus abnormal behaviours lets you spot trouble areas so you can stop attacks before they happen. Credit unions will also need remediation strategies that bring the security insights found on their APIs back into the development process. This will allow credit unions to strengthen their APIs as they are being built and fix vulnerabilities before exploitation.

Open banking providers need to understand that API attacks occur over time. Credit unions need comprehensive context into API behaviors to spot threats, including continuous analysis of users and API calls. Obtaining that level of detail requires artificial intelligence (AI), machine learning (ML) and automation capabilities that can only be powered today by cloud-scale big data. With cloud-scale big data combined with learning over time, security algorithms get smarter, improving their ability to identify and stop bad actors.
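The two controls this section and the earlier "sudden increase in the volume of activity" paragraph call for, an API inventory and a per-client baseline of normal call volume, can be prototyped in a few dozen lines before any cloud-scale platform is involved. The following is an added example for illustration, not code from Celero or from any API security product; the gateway log line format, the client and path names, the `KNOWN_APIS` inventory and the spike thresholds are assumptions constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample of API gateway access lines (not real traffic). Client
# tpp-a makes about two calls a minute, then twelve in the minute 09:05;
# tpp-b requests a path that is not in the published API inventory.
SAMPLE_LOG = """\
2023-10-02T09:00:05Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:00:41Z client=tpp-a path=/balances status=200
2023-10-02T09:01:07Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:01:39Z client=tpp-a path=/balances status=200
2023-10-02T09:02:03Z client=tpp-a path=/accounts/1002/transactions status=200
2023-10-02T09:02:15Z client=tpp-b path=/admin/export status=403
2023-10-02T09:02:44Z client=tpp-a path=/balances status=200
2023-10-02T09:03:09Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:03:50Z client=tpp-a path=/balances status=200
2023-10-02T09:04:02Z client=tpp-a path=/accounts/1002/transactions status=200
2023-10-02T09:04:48Z client=tpp-a path=/balances status=200
2023-10-02T09:05:01Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:05:02Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:05:03Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:05:04Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:05:05Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:05:06Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:05:07Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:05:08Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:05:09Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:05:10Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:05:11Z client=tpp-a path=/accounts/1001/transactions status=200
2023-10-02T09:05:12Z client=tpp-a path=/accounts/1001/transactions status=200
"""

# Assumed gateway line format: ISO timestamp, client id, path, HTTP status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

# The credit union's inventory of published open banking APIs (hypothetical).
KNOWN_APIS = {"/accounts", "/accounts/{id}/transactions", "/balances"}


def parse_lines(text):
    """Parse gateway lines into dicts, skipping malformed lines rather than crashing."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def normalize_path(path):
    """Collapse numeric identifiers so /accounts/1001/transactions matches the inventory."""
    return "/".join("{id}" if segment.isdigit() else segment for segment in path.split("/"))


def requests_per_minute(records):
    """Count calls per client per minute; each client's own history is its baseline."""
    per_minute = defaultdict(Counter)
    for record in records:
        minute = record["ts"][:16]  # e.g. "2023-10-02T09:05"
        per_minute[record["client"]][minute] += 1
    return per_minute


def find_volume_spikes(per_minute, factor=3.0, min_requests=10):
    """Flag minutes where a client's call count jumps well above its own median.

    The absolute floor (min_requests) stops a client whose baseline is one call
    a minute from being flagged for making three.
    """
    spikes = []
    for client, counts in per_minute.items():
        threshold = max(min_requests, factor * median(counts.values()))
        for minute in sorted(counts):
            if counts[minute] >= threshold:
                spikes.append((client, minute, counts[minute]))
    return spikes


def find_unknown_paths(records, inventory=KNOWN_APIS):
    """Paths seen at runtime that the API inventory does not know about."""
    return {normalize_path(record["path"]) for record in records} - set(inventory)


def analyse(text=SAMPLE_LOG):
    """Run both checks over a batch of gateway lines."""
    records = parse_lines(text)
    return {
        "spikes": find_volume_spikes(requests_per_minute(records)),
        "unknown_paths": find_unknown_paths(records),
    }


if __name__ == "__main__":
    print(analyse())
```

Run against the constructed log, the volume check reports tpp-a's burst in the 09:05 minute and the inventory check reports `/admin/export` as a path no published API accounts for. A production version would keep the per-client baseline over days rather than minutes and feed both findings back to the development team, which is the remediation loop the section describes.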

What’s Next?

Financial regulators and government bodies are creating standards that all third-party providers and credit unions have to follow if they want to be part of the open banking environment. Application providers can access open banking APIs only after they have gone through an independent audit and proved that their systems and security controls are up to standard. Accreditation will go beyond just reviewing the APIs, as there is a set of privacy, accreditation, security and liability rules that the organization will need to comply with. Credit unions will have to repeat this regularly after the initial audit to retain their authorization. At the same time, open banking regulations and local and regional protection laws create equal rules for everyone and enforce a high level of security.

Spotting unusual patterns in transaction monitoring that signal illegal activity or money laundering is one of the biggest challenges that open banking faces. Credit unions already have to enforce Know Your Customer (KYC) requirements to identify and verify their members’ identities initially and regularly over time. Rigorous customer identification is the first step to preventing financial crime and money laundering.

AI, however, can do more. With open banking, AI becomes more knowledgeable and more powerful. It learns from more data and can develop a more accurate picture of a typical customer and their transactions over time. IT security has significantly evolved in the past few years. Now we have multi-factor authentication (MFA), user behaviour analytics (UBA) and biometrics technology. MFA requires that the member not only use a strong password (which is also important) but also complete another step to access the account. That step can be an additional security question, a code sent by text to the user’s phone, or a biometric scan such as a fingerprint.

At its core, open banking exists to build safe, transparent and trustworthy relationships between financial institutions, consumers and businesses. It’s there to help everyone involved manage their money better, have improved pricing and add transparency to current opaque loan processes. Ensuring that your credit union’s security posture is in place to leverage the benefits of open banking will be essential in the years to come.

To learn more about how Celero can assist you with all your security and open banking needs, talk to your Celero Account Executive or contact us. You can also follow Celero on LinkedIn, Twitter and Facebook and monitor the hashtag #CSAM2022 this month to discover resources to help keep your credit union secure.

About Celero
Celero is a leading provider of digital technology and integration solutions to credit unions and financial institutions across Canada. Clients trust Celero’s proven track record delivering innovative banking technologies, digital and payment solutions, cloud computing, outsourcing, IT and advisory services.
