How Secure Is Open Banking?

“Open Banking is a new way to have your money work better.” That’s the fitting conclusion the institution behind the British Open Banking standard comes to when summarizing what Open Banking represents. And it highlights the benefits succinctly: “It’s secure, it’s fast, and it’s convenient.” Open Banking is regarded as a technological revolution in finance. According to the official Definition by the Swiss Bankers Association, “Open Banking is a business model that is based on the standardized and secure exchange of data between the bank and trusted third-party providers.”

Put simply, it involves enabling bank customers to share and use their financial data for other services. For example, a FinTech app aggregates your assets, even if they are held across a variety of financial institutions. This is made possible, for example, by the standardized interfaces of the OpenWealth association, which champions broad and harmonized data exchange in asset management. Members include renowned Swiss banks and 42 WealthTechs – i.e., new, often tech-related companies that develop new applications and services.

The estimate from the market research company Grand View Research bears out how great the potential of Open Banking is for the financial sector: The global market for Open Banking is expected to grow from 20 billion dollars today to 135 billion dollars by 2030. Annual growth: 27%.

An open front door is an invitation to burglars. An open letter can be read by anyone. An open person reveals a lot about themselves. So, it’s completely understandable that the term Open Banking raises some questions. One wonders: Is it secure if banks share data with third parties?

The answer: Yes, Open Banking is very secure. When a third-party app aggregates the data regarding your account, it occurs via modern interfaces known as Application Programming Interfaces (APIs). APIs are a proven technology in the digital economy and allow the exchange of information between computer programs, whereby everything happens in accordance with a clearly defined process, and involves exchanging only that data which is truly necessary. The theoretical concept originates in the 1940s, and the name API has been used since the 1970s. According to estimates, there are 200 million different APIs currently in use, either for company-internal purposes, or for the secure exchange of data with third parties.

A key element with Open Banking is the standardization of APIs. This involves the defining of strict rules and specifications regarding the exchange of data, for example in the case of payments, asset management (see OpenWealth), or loans. This results in standardized, efficient, and scalable dataflows between the participating financial institutions and third-party providers.

For banks and their technological infrastructure, there are strict regulatory security requirements that also apply to the APIs that they offer as part of Open Banking. For their part, third parties are granted access to these interfaces only if they can demonstrate that they meet defined security criteria.

Many countries have introduced regulated Open Banking (e.g., the UK and the EU with PSD2). In these countries, the relevant financial oversight authorities review third parties with regard to the stated security requirements and issue licenses with clearly defined access rights. Switzerland (still) takes a market-driven approach. In other words, the regulator leaves the implementation of Open Banking to the financial sector. This means that banks review third parties themselves – or they commit to using a central API platform such as bLink from SIX, which conducts a standardized authorization check of all participants.

Once banks and third parties are connected, it doesn’t mean that they will exchange data indiscriminately. Open Banking is always a customer-driven service. That is, access to data is granted only if the customer gives their explicit consent. It features one big advantage: Customers don’t share their login data, PINs, or passwords with third parties, but conveniently activate them within their online banking app via the OAuth 2.0 Standard (authorization of third parties to access data) and two-factor authentication (identification check of bank customer). They thus agree to selected third parties accessing their data for specific purposes. Customers can rescind access rights at any time, and therefore have full control and transparency over who they grant access to, and for what purpose. In the finance sector, this is known as Consent Management.

Another alternative used worldwide for the exchange of data between different computer programs (whereby this is just unidirectional) is called screen scraping. This involves the archaic approach readout of web information. To do this, bank customers have to provide their online banking login information to third parties, whose services then read and capture the data. This is risky for a couple reasons. Firstly, because third parties, and any hacker who might attack, obtain access to all online banking services. Secondly, it delivers low-quality results because error-free capturing of data from a computer screen is a challenging task. It’s no wonder than a number of countries have banned screen scraping.

Arturo Bris, a professor at the renowned IMD Business School in Lausanne, has written on the advantages of standardized APIs in relation to Open Banking. “A good analogy is phone chargers; imagine the convenience of a universal phone charger that works with iPhone, Samsung, and Huawei.” And on the topic of security, he adds that “From the customer perspective, so long as you can control who accesses your data, you are much better off if your bank can open up your accounts and data to third parties. The three boxes of efficiency, security, and compliance are met.”