How Secure Is Open Banking?

Open Banking is hailed as a revolution in finance. It allows bank account information to be shared with verified third-party providers, at the customer's request. Read on to find out why, despite its open character, it is designed to be secure.

What Is Open Banking?

“Open Banking is a new way to have your money work better.” That’s the fitting conclusion the institution behind the British Open Banking standard comes to when summarizing what Open Banking represents. And it highlights the benefits succinctly: “It’s secure, it’s fast, and it’s convenient.” Open Banking is regarded as a technological revolution in finance. According to the official definition by the Swiss Bankers Association, “Open Banking is a business model that is based on the standardized and secure exchange of data between the bank and trusted third-party providers.”

Put simply, it enables bank customers to share their financial data with, and use it in, other services. For example, a FinTech app can aggregate your assets even if they are held across a variety of financial institutions. This is made possible, for example, by the standardized interfaces of the OpenWealth association, which champions broad and harmonized data exchange in asset management. Members include renowned Swiss banks and 42 WealthTechs – i.e., new, often tech-related companies that develop new applications and services.

The estimate from the market research company Grand View Research bears out how great the potential of Open Banking is for the financial sector: The global market for Open Banking is expected to grow from 20 billion dollars today to 135 billion dollars by 2030, an annual growth rate of 27%.

“Open” Banking? How Secure Can That Be?

An open front door is an invitation to burglars. An open letter can be read by anyone. An open person reveals a lot about themselves. So, it’s completely understandable that the term Open Banking raises some questions. One wonders: Is it secure if banks share data with third parties?

The answer: Yes, Open Banking is secure, provided the interfaces are implemented and governed properly. When a third-party app aggregates the data regarding your account, it does so via modern interfaces known as Application Programming Interfaces (APIs). APIs are a proven technology in the digital economy and allow computer programs to exchange information according to a clearly defined process, exchanging only the data that is actually necessary. What an API exposes, to whom, and after what authentication is fixed by its specification rather than left to the caller. The theoretical concept originates in the 1940s, and the name API has been used since the 1970s. According to estimates, some 200 million different APIs are currently in use, either for company-internal purposes or for the secure exchange of data with third parties.

A key element of Open Banking is the standardization of APIs. This involves defining strict rules and specifications for the exchange of data, for example in the case of payments, asset management (see OpenWealth), or loans. The result is standardized, efficient, and scalable data flows between the participating financial institutions and third-party providers, in which every party knows exactly which data fields may be requested and under which conditions.

Only Controlled Access to APIs

For banks and their technological infrastructure, there are strict regulatory security requirements that also apply to the APIs that they offer as part of Open Banking. For their part, third parties are granted access to these interfaces only if they can demonstrate that they meet defined security criteria.

Many countries have introduced regulated Open Banking (e.g., the UK and the EU with PSD2). In these countries, the relevant financial oversight authorities review third parties with regard to the stated security requirements and issue licenses with clearly defined access rights. Switzerland (still) takes a market-driven approach. In other words, the regulator leaves the implementation of Open Banking to the financial sector. This means that banks review third parties themselves – or they commit to using a central API platform such as bLink from SIX, which conducts a standardized authorization check of all participants.

Control and Transparency: Data Exchange at Customer’s Request

Once banks and third parties are connected, it doesn’t mean that they will exchange data indiscriminately. Open Banking is always a customer-driven service. That is, access to data is granted only if the customer gives their explicit consent. This has one big advantage: Customers never hand their login data, PINs, or passwords to the third party. Instead, they authorize it from within their own online banking, where the bank verifies their identity with two-factor authentication and then issues the third party an access token under the OAuth 2.0 standard. The token is limited to the data and purposes the customer selected, so they agree to selected third parties accessing their data for specific purposes only. Customers can revoke access rights at any time, and therefore have full control and transparency over who they grant access to, and for what purpose. In the finance sector, this is known as consent management.
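The consent flow described above, as an added example that is not part of the original article and not any bank's, platform's, or standard's code: a self-contained Python simulation of the OAuth 2.0 authorization code flow with PKCE (RFC 7636) between a hypothetical third-party app and a bank's authorization server. The client name, redirect URI, scope names, and account data are constructed for the demo. It shows why the third party never sees the customer's credentials, why a granted token cannot be stretched beyond the consented scope, why a leaked authorization code is useless to an attacker, and what revoking consent does to an existing token.

```python
"""Toy OAuth 2.0 authorization-code flow with PKCE between a bank and a
third-party provider (TPP). Constructed for illustration only."""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass

# Constructed sample data: what the bank holds for one customer, keyed by scope.
ACCOUNTS = {
    "alice": {
        "accounts:read": [{"iban": "CH00 0000 0000 0000 0000 0", "balance": 1250.40}],
        "payments:write": "would initiate a payment",
    }
}


def _s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class Consent:
    user: str
    client_id: str
    scopes: frozenset
    revoked: bool = False


class BankAuthServer:
    """Bank side: authenticates the customer, records consent, issues tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> redirect_uri, filled after onboarding checks
        self.codes = {}     # one-time authorization codes
        self.tokens = {}    # access_token -> Consent
        self.consents = []  # what the customer sees in consent management

    def register_client(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    def authorize(self, client_id, redirect_uri, scopes, code_challenge, user, second_factor_ok):
        """Runs on the bank's own login page; the TPP never sees password or 2FA code."""
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not second_factor_ok:
            raise PermissionError("two-factor authentication failed")
        consent = Consent(user, client_id, frozenset(scopes))
        self.consents.append(consent)
        code = secrets.token_urlsafe(32)
        self.codes[code] = (consent, code_challenge, time.time() + 60)  # short-lived
        return code

    def token(self, client_id, code, code_verifier):
        consent, challenge, expires = self.codes.pop(code, (None, None, 0.0))  # single use
        if consent is None or consent.client_id != client_id or time.time() > expires:
            raise PermissionError("invalid, reused or expired code")
        if not secrets.compare_digest(_s256(code_verifier), challenge):
            raise PermissionError("PKCE verification failed")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = consent
        return token

    def resource(self, token, scope):
        consent = self.tokens.get(token)
        if consent is None or consent.revoked:
            raise PermissionError("token unknown or consent revoked")
        if scope not in consent.scopes:
            raise PermissionError("scope not granted: " + scope)
        return ACCOUNTS[consent.user][scope]

    def revoke(self, user, client_id):
        for c in self.consents:
            if c.user == user and c.client_id == client_id:
                c.revoked = True


def run_flow():
    """Drive one consent lifecycle; returns a dict of outcomes a test can check."""
    bank = BankAuthServer()
    bank.register_client("wealth-app", "https://wealth-app.example/cb")
    verifier = secrets.token_urlsafe(48)  # held only by the TPP, never sent in step 1
    # 1. TPP sends Alice to the bank asking for read-only access; bank runs 2FA.
    code = bank.authorize("wealth-app", "https://wealth-app.example/cb",
                          ["accounts:read"], _s256(verifier), "alice", second_factor_ok=True)
    # 2. TPP exchanges the code for a token, proving it started the flow (PKCE).
    token = bank.token("wealth-app", code, verifier)
    out = {"balance": bank.resource(token, "accounts:read")[0]["balance"]}
    # 3. Scope is enforced: a read-only consent cannot initiate payments.
    try:
        bank.resource(token, "payments:write"); out["payment_blocked"] = False
    except PermissionError:
        out["payment_blocked"] = True
    # 4. A replayed code is useless: single use, and bound to the verifier.
    try:
        bank.token("wealth-app", code, verifier); out["replay_blocked"] = False
    except PermissionError:
        out["replay_blocked"] = True
    # 5. Alice revokes the consent in her banking app; the token stops working.
    bank.revoke("alice", "wealth-app")
    try:
        bank.resource(token, "accounts:read"); out["revoked"] = False
    except PermissionError:
        out["revoked"] = True
    return out


if __name__ == "__main__":
    print(run_flow())
```

The two things a real deployment adds on top of this sketch are transport security and client authentication at the token endpoint (for example mutual TLS or a signed client assertion), so that only the onboarded third party can redeem codes issued to its client_id; the consent record, scope check, and revocation logic are the parts that give the customer the control the text describes.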

The Poor Alternative: Screen Scraping

Another method used worldwide for exchanging data between different computer programs (and only in one direction) is called screen scraping. This is the archaic approach of reading data off web pages. To do this, bank customers have to hand their online banking login credentials to the third party, whose service then logs in as the customer and captures the data. This is risky for two reasons. Firstly, the third party, and any hacker who compromises it, obtains access to all online banking functions, not just the data the customer wanted to share, and the bank cannot tell the scraper apart from the customer. Secondly, it delivers low-quality results, because capturing data from a rendered screen without errors is a challenging task that breaks whenever the page layout changes. It’s no wonder that a number of countries have banned screen scraping.

FDX: Open Banking vs. Screen Scraping in the USA

Like Switzerland, the USA takes a market-driven approach to Open Banking. Because banks were reluctant to share their data, American FinTechs long had to resort to the screen scraping method. But then the financial institutions realized that they had no control over data access by third parties, and that there was no transparency. In addition, bank customers didn’t know what data from their online banking activities was being read by FinTechs.

To counteract this, the Financial Data Exchange (FDX) consortium was formed in 2017. Some 200 financial institutions and FinTechs, including big names such as Chase, Citi, PayPal, and Plaid became members. FDX aims to establish the efficient exchange of data using standardized APIs in the US financial sector, and to thereby replace screen scraping.

The situation in the USA is comparable with that in Switzerland. “If we can’t get together in a way that actually drives innovation and full data access, then the regulators will just step in and regulate around this,” said Steven Smith, CEO of Finicity, and Co-Chair of FDX, at the consortium’s inaugural meeting. Today, more than 53 million accounts are connected to FDX’s APIs.

Open Banking Is Like a Charger That Works with Any Smartphone

Arturo Bris, a professor at the renowned IMD Business School in Lausanne, has written on the advantages of standardized APIs in relation to Open Banking. “A good analogy is phone chargers; imagine the convenience of a universal phone charger that works with iPhone, Samsung, and Huawei.” And on the topic of security, he adds that “From the customer perspective, so long as you can control who accesses your data, you are much better off if your bank can open up your accounts and data to third parties. The three boxes of efficiency, security, and compliance are met.”