Allowing financial institutions to share our personal data with third parties seems daunting, but the latest authentication standards should keep privacy sacrosanct.
The open banking movement promises a future of unfettered but secure sharing of customer financial information between firms, allowing for more user convenience and room for innovative products and services among financial service providers—and is rapidly gaining traction in Australia, which recently passed the Consumer Data Right (CDR) legislation.
CDR equips consumers to compare and switch between products and services more easily—and in doing so it also provides the legal grounds for open banking, allowing consumers to access and safely transfer their banking data to trusted parties.
The open banking regime will kick off in Australia on 1 February 2020, with the big four banks making generic product data accessible.
A best-of-breed approach: Open banking in Australia
Open banking can open doors to innovation. Putting consumers in control of who they want to share their financial data with can lead to more competition among financial service providers, and this in turn can drive better efficiency, integration, and inclusion in the industry. On the flip side, however, this can also create new data security risks—especially during the transition of data and in the way that third party service providers manage this data.
Banks in Australia can seize the current opportunity to take a best-of-breed approach towards open banking that facilitates greater openness and new business models while also protecting the integrity of consumers’ accounts.
It is important that open banking is implemented via modern application programming interfaces (APIs) protected by high assurance Strong Customer Authentication (SCA). SCA applies to customer-initiated online payments, mandating additional authentication to be built into the checkout flow. SCA can protect users and prevent fraud, and such a model can also protect consumer privacy by providing granular access controls.
This allows the consumer to manage how much personal information is shared with a third-party service provider. This strong access control to the open banking API system allows banks to confidently provide a privacy-empowering interface to the customer where they have more control over the data they are sharing with any given third-party service.
In fact, SCA is fast becoming a standard across the financial services industry globally. Regulations are making it mandatory for financial services companies in the European Union. However, SCA is also proactively being adopted by forward thinking banks and financial services firms that are focused on offering a balanced experience that promises both convenience and security.
Secure, user-friendly way to meet regulatory requirements
Historically, strong authentication meant adding extra steps or friction to the transaction process. The good news is that new, modern forms of authentication have emerged that allow organizations to implement strong, cryptographic authentication that is easy for their customers. These new and improved methods of authentication, such as those based on standards from the FIDO Alliance and W3C, can help Australia achieve its open banking goals without compromising user privacy or security.
Biometrics are a compelling proposition for banks and other financial services firms, due to their potential for greatly enhancing security while improving user authentication experience—and because a large portion of the fintech upstarts driving the open banking revolution are mobile-centric services.
These new standards utilize strong security techniques in combination with “one touch” biometrics and/or security keys, allowing the proliferation of smart devices to be used to provide stronger authentication without burdening users.
Designed with privacy in mind, FIDO standards strictly prohibit biometric or other user data from being stored and matched on servers. Instead, they advocate a modern, decentralized approach to authentication based on public key cryptography where users authenticate locally on their smartphone, laptop, or other personal device, which then signs a cryptographic authentication challenge from the service provider’s server. Through this process, sensitive information never leaves a user’s device.
It is crucial that the financial services industry in Australia take a modern and secure approach to authentication, one that factors in data security, usability, and privacy protections for consumers, as it designs and introduces open banking offerings. These factors are especially important for instilling consumer confidence, which in turn will open the door to widespread adoption.