Across Asia, economies are adopting open banking, but concerns have been raised over security and privacy of customer data.
When it comes to open banking, Singapore tops the Asia Pacific market in terms of readiness and adoption. This is according to global financial service provider Finastra’s 2018 Open Banking Readiness Index, which surveyed 14 markets in the region. The widespread support for adoption is also keenly felt across Asia, with countries like Australia and Hong Kong coming in as the second and third leading markets in open banking readiness, scoring 7.1 and 6.6 points out of 10, respectively.
Notably, Singapore’s high placement can be attributed to the proactive efforts of the Monetary Authority of Singapore (MAS) to embrace technology. Even at a global level, Singapore’s approach to open banking has been progressive, with the regulatory authority publishing its first-ever API playbook in 2016 to encourage adoption.
Such moves are critical, given that application programming interfaces (APIs) give bank customers the flexibility to share their financial data with third-party applications and are a key interface required to help open banking succeed. By contrast, the UK officially adopted open banking only last January.
But amid this move to enhance customer loyalty and engagement within the banking industry, the notion of banks having to share sensitive and confidential customer data with applications that sit outside their standard security perimeters is forcing a couple of them to stick to their traditional banking business models. Such concerns are understandable, especially in the face of a breach, which could result in hefty fines and loss of user trust. For the first half of 2019 alone, S$1.28 million in fines were issued to companies in Singapore for being careless with user data.
Sharing users' banking data across the fintech ecosystem requires a security-first approach. Here are four of the top considerations that warrant some attention:
1. Building trust through transparency
In today’s experience-led economy, the successful adoption of open banking is largely reliant on a bank’s ability to provide transparency and open communication with users on how their data is being used. According to Splendid Unlimited’s 2018 Unlimited Possibility Report, only one in four people have heard of open banking. As a result, a common misconception among users is that open banking forces them to share their personal information with third-party applications.
In retrospect, users ought to be explicit about the type of information they are willing to share with banks and their third-party applications. With data privacy laws like the GDPR introducing much higher standards for obtaining personal information, consent management has become increasingly granular in ways that have compelled businesses to reshape their data policies so that users themselves are given the choice to grant and revoke information access from third parties.
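As an added illustration (not code from the article or from any bank's API), the sketch below shows granular consent enforced at the point of data release: each grant is per third party, per data category and time-boxed, and a revocation takes effect on the next request. The category names, customer and third-party identifiers and the sample record are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical data categories a customer can share one by one.
CATEGORIES = {"account_details", "balances", "transactions"}

@dataclass
class ConsentLedger:
    grants: dict = field(default_factory=dict)  # (customer, third party) -> {category: expiry}
    audit: list = field(default_factory=list)   # trail of every grant, revoke and release

    def grant(self, customer, tpp, categories, days, now):
        unknown = set(categories) - CATEGORIES
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        entry = self.grants.setdefault((customer, tpp), {})
        for c in categories:
            entry[c] = now + timedelta(days=days)  # consent is time-boxed
        self.audit.append((now, "grant", customer, tpp, sorted(categories)))

    def revoke(self, customer, tpp, categories, now):
        entry = self.grants.get((customer, tpp), {})
        for c in categories:
            entry.pop(c, None)
        self.audit.append((now, "revoke", customer, tpp, sorted(categories)))

    def release(self, customer, tpp, record, now):
        """Return only the fields the customer currently consents to share."""
        entry = self.grants.get((customer, tpp), {})
        allowed = {c for c, expiry in entry.items() if expiry > now}
        self.audit.append((now, "release", customer, tpp, sorted(allowed)))
        return {k: v for k, v in record.items() if k in allowed}

def demo():
    """Constructed scenario: grant two categories, revoke one, let the rest expire."""
    t0 = datetime(2019, 9, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    ledger = ConsentLedger()
    record = {"account_details": {"name": "A. Tan"}, "balances": 1520.40,
              "transactions": [("2019-08-30", -42.10)]}
    ledger.grant("cust-1", "budget-app", ["balances", "transactions"], days=90, now=t0)
    first = ledger.release("cust-1", "budget-app", record, t0)
    ledger.revoke("cust-1", "budget-app", ["transactions"], now=t0 + day)
    second = ledger.release("cust-1", "budget-app", record, t0 + 2 * day)
    expired = ledger.release("cust-1", "budget-app", record, t0 + 91 * day)
    other = ledger.release("cust-1", "other-app", record, t0)  # never granted
    return first, second, expired, other
```

The default is deny: a third party with no grant, or with an expired one, receives an empty record, and every decision lands in the audit trail.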
2. Maximizing user protection through testing
During the early 2000s, financial institutions (FIs) adopted APIs to break silos and create stronger, more dynamic user ties. With open banking, however, FIs will now have to adopt ‘open’ APIs to allow third-party applications to access user data. This, in turn, aims to provide fairer access to products and services that will help users better manage their finances.
It is naïve to think that APIs will only be used as they were intended. So, while regular vulnerability scans and penetration tests are a must, FIs looking to adopt APIs as part of their move to open banking could also consider placing a bug bounty on API vulnerabilities. This exercise of crowdsourcing a pool of talented and skilled security researchers for security vulnerabilities will not only ensure that your business has an up-to-date understanding of your risks but also act as an efficient and cost-saving method for continuous testing.
3. Fighting fraud with depth in defense
By providing user information access to multiple parties, open banking levels the playing field between traditional FIs and the new disruptors. However, such possibilities have simultaneously widened an FI's attack surface to potential cybercriminals and brought in new risks of data exposure. To tackle such threats, FIs must deploy strong authentication standards to understand user behavior and detect fraud. Enter behavioral detection.
When used in fraud prevention, inserting behavioral detection into machine learning models can identify common user behavioral patterns such as transaction habits. This can be used along with threat intelligence feeds that monitor common mobile application usage patterns performed by users to spot anomalies. Such implementation of additional risk detection technologies not only enforces security that runs seamlessly in the background, but also protects customers at every stage without affecting their experience.
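The idea of learning a user's transaction habits and flagging departures from them can be sketched as follows. This is an added example, not the article's or any vendor's method: a simple median/MAD statistical baseline stands in for the machine learning model, and the transaction history, payee names, threshold and decision tiers are all constructed assumptions.

```python
import statistics
from collections import defaultdict

def build_profiles(history):
    """history: iterable of (user, amount, hour, payee) -> per-user habit profile."""
    raw = defaultdict(lambda: {"amounts": [], "hours": set(), "payees": set()})
    for user, amount, hour, payee in history:
        raw[user]["amounts"].append(amount)
        raw[user]["hours"].add(hour)
        raw[user]["payees"].add(payee)
    profiles = {}
    for user, p in raw.items():
        med = statistics.median(p["amounts"])
        # Median absolute deviation: robust to the outliers we want to catch.
        mad = statistics.median(abs(a - med) for a in p["amounts"]) or 1.0
        profiles[user] = {"median": med, "mad": mad,
                          "hours": p["hours"], "payees": p["payees"]}
    return profiles

def score(profiles, user, amount, hour, payee, z_limit=3.5):
    """Return the list of reasons a transaction departs from the user's habits."""
    p = profiles.get(user)
    if p is None:
        return ["no_baseline"]
    reasons = []
    robust_z = 0.6745 * abs(amount - p["median"]) / p["mad"]
    if robust_z > z_limit:
        reasons.append("unusual_amount")
    if hour not in p["hours"]:
        reasons.append("unusual_hour")
    if payee not in p["payees"]:
        reasons.append("new_payee")
    return reasons

def decide(reasons):
    """One anomaly asks for step-up authentication; several hold the payment."""
    if not reasons:
        return "allow"
    return "step_up" if len(reasons) == 1 else "hold"

# Constructed history for one customer: (user, amount, hour of day, payee).
HISTORY = [("cust-1", 12.5, 8, "grocer"), ("cust-1", 40.0, 12, "transit"),
           ("cust-1", 25.0, 13, "grocer"), ("cust-1", 18.0, 19, "cafe"),
           ("cust-1", 60.0, 12, "utility"), ("cust-1", 33.0, 20, "grocer")]
PROFILES = build_profiles(HISTORY)
```

Returning the reasons rather than a bare score keeps the decision explainable to fraud analysts and lets routine transactions pass without extra friction.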
4. Collaboration that brings forth innovation
The high take-up rate of open banking across Asia has also placed increasing competitive pressure on FIs to establish API dominance early. To make meaningful progress in open banking, FIs should strike a proper balance between security and the adoption of digital initiatives to spur innovation at scale. In Asia, Maybank Sandbox serves as a good example, providing FIs with real banking APIs to execute banking functions and to trial and test new ideas. The Sandbox approach gives developers access to simulated data that results in the creation of smarter and more secure end-to-end solutions for customers.
Every new and emerging technology brings its own set of challenges and risks. In the case of open banking, however, all members within the open banking ecosystem need to realize that its potential to completely rewrite the relationship between banks and customers is a far cry from the security demands it brings. This can be as simple as securing an ecosystem for the collection of user data, or even exercising transparency on technology itself.