Open Banking: When Old News Resurfaces
Sometimes old news resurfaces, and it is old enough that the reader thinks it is new. That is exactly what has happened with American Banker’s January 6 article “A Cautionary Tale of Open Banking.” “Open Banking,” the industry-leading trend to centralize member data on a relevant core processor and extend that data to vendors via an API interface, is not a new concept for 2020, and the risks the authors mention were managed and addressed more than five years ago.
I want to go on record saying that this is news that was valuable five years ago. In other words, it’s old news. Beyond being old news, what about the premise that supports the so-called “cautionary tale”? Authors Kosoff, Bridgers, and Lee argue that open banking exposes financial institutions to greater risk of fraud and cyberattacks. The underlying assumption is that third parties, such as online and mobile banking vendors, authenticating against a modern core API (“open banking”) will result in the inevitable exposure of sensitive information transmitted across channels visible to hackers or malcontents. This is an old fear that needs to be put to rest.
Far from a cautionary tale, our years of experience at DaLand CUSO have consistently demonstrated that Open Banking is far more secure than traditional arrangements. In fact, your financial institution may be at risk if you do not centralize and secure your members’ data on a modern API core processor. Open Banking is a critical paradigm shift in the financial industry, with significant advantages and better management of risks.
In the first generation of digital banking, which has been called “Banking 2.0” since the late 1980s, member data is routinely spread across multiple vendors which interact with each other and the core processor. BillPay information, for example, might be stored at a vendor’s data center in North Carolina, check images stored in a server farm in Indiana, and online banking login credentials and email contact stored in India. Not only is this data not centralized, it is also not fully available to the financial institution for data analytics because it lives at the vendor’s site. While there may be industry standards for data security, nonetheless the data is spread around in multiple locations. Each additional vendor database is potentially an additional risk to security.
Banking 3.0 or “open banking” represents trends in the past decade to centralize data into a relevant core, and extend real-time access through an API interface. This means that instead of vendors housing the data, they are granted permission to query the core processor, where the data resides. The advantages to this arrangement are as follows:
- Every call to the core is logged.
- Every interaction with the database can be audited.
- Every transaction is performed by an authorized user with unique credentials and privileges.
- No user, including the FI, has back-door access to make fraudulent changes to member data.
- After the session ends, data isn’t replicated and stored anywhere outside of the core.
Quite simply, Open Banking isn’t open to more risks.
In our experience at DaLand CUSO, most critical breaches of security take place when old database systems from the Banking 2.0 era can’t keep up with modern needs, and clunky vendor arrangements are multiplying opportunities for mapping errors and items lost in translation. You wouldn’t expect your grandparents’ 286 computer to offer the security of an iPhone X, would you? Neither would we. Few, if any, of the leading hardware and OS providers have a backdoor to unlock your device, and yet millions of apps are available for use.
Open, and yet secure.
“A Cautionary Tale of Open Banking” is an artifact that represents fears and assumptions that were put to rest years ago. Lingering risks are quickly expiring thanks to recent innovations in, and the future development potential of, the “Banking 3.0” Open Banking paradigm. It is past time to secure your FI’s data on a relevant API core, in order to minimize risk and maximize opportunity. DaLand CUSO has been operating with real data and proven strategies for the better part of a decade. When you’re ready to kill false assumptions and put old fears to rest, we have the minds to make your FI relevant again.