Interview with HID Global on the role of authentication in the Open Banking ecosystem

Monday 21 January 2019 08:31 CET | Interview

We interviewed Olivier Thirion de Briel, Global Solution Marketing Director at HID Global, about the role authentication plays in the Open Banking ecosystem.

Rules have now come into effect, requiring banks to share their customers’ financial information with other authorised providers using open Application Programming Interfaces (APIs). However, this makes banks dependent on the security of the Third Party Providers (TPPs) using these APIs. What are the possible risks of this new Open Banking era?

Under the Open Banking initiative, institutions must open their APIs to give TPPs access to their customer data. In other words, if a bank’s customers want to use one of these TPPs, the bank must give the TPP access to its stored data about them and allow the TPP to serve these customers via the open communication interface.

Open Banking benefits financial institutions by enabling them to build new business models around a variety of innovative and more personalised customer services. But it also exposes a bank’s customers to a greater risk of fraud since their financial data must now be shared with multiple TPPs. The problem is not so much that the data is being shared through Open APIs, but that it might be shared without properly authenticating both the TPP and user.

In this context, I would like to emphasise two points that will play a critical role in the future. First, banks must prevent data loss, identity theft and non-compliance with data protection regulations by using identity verification and fraud prevention solutions that ensure personal data is shared only with the consent of its genuine owner. Second, banks will need to ensure that each TPP is known, trusted, and has strong enough security policies in place to safeguard all shared data.

Strong customer authentication is especially important and must be the central element in the Open Banking API ecosystem. It must be a priority both for banks, which already understand that sensitive data requires high security and protection, as well as for TPPs, which are only at the beginning of their learning curve.

What security measures should banks adopt to address these threats and challenges?

Banks have come to realise that they will be the central point of authentication in this growing financial ecosystem. When data must be shared with a TPP, the bank is in the best position to deliver a seamless authentication experience that does not compromise security. Customers will not tolerate an authentication experience that meets security requirements at the expense of convenience. They have come to expect easy, on-the-go online access and mobile transactions and will not accept time-consuming processes in this emerging Open Banking ecosystem.

Different authentication models have their own characteristics and security implications. Can you please describe the ideal authentication process?

In this new digital era, the authentication process must be based on an adaptive security approach in which the level of complexity depends on the risk associated with the transaction. This risk level is established based on multiple parameters including malware detection, geolocation, IP address, and how the customer is using a mouse or keyboard or displaying other behaviours. Some solutions can evaluate a transaction’s risk level based on characteristics of the user device and its browser and other attributes.

If the risk level based on these parameters is defined as low, authentication may only require a username and password. If it is defined as high because the transaction is being conducted with an unknown beneficiary at an unusual place and time, additional authentication methods may be required to prove the user is who he or she claims to be.

It is also important to understand that growing use of connected devices has expanded the attack surface for financial fraudsters. Risk-based advanced authentication will need to take into account the entire environment in which customers are transacting to provide the necessary protection.

Since PSD2 allows third party providers to access customers’ payment account data, in what way is this directive aligned with GDPR? How will discussions about data analytics evolve over the next 5 years?

Open banking is about sharing data and making it available to TPPs. GDPR, on the other hand, aims to ensure that nobody can steal personal data. In fact, the goals of GDPR, Open Banking and PSD2 are all aligned around giving data ownership back to users. This is where security plays a key role, and GDPR brings an additional layer of requirements for securing sensitive data.

Machine learning and AI will enable banks to collect and analyse data so they can make smarter real-time decisions about the next action to take when a threat is detected, including whether to approve, block or reject a transaction. Adaptive authentication processes will enable them to define security levels based on existing risk.

As these technologies are brought to the Open Banking API ecosystem, we will also see financial transactions based on connected devices. Within this ecosystem, the use of static multi-factor authentication methods will decrease and we will see a migration to continuous data analysis that improves risk-mitigation decision-making and creates a more secure transaction environment.

This interview was first published in the Web Fraud Prevention, Identity Verification & Authentication Guide 2018-2019. The Guide covers some of the security challenges encountered in the ecommerce, banking, and financial services ecosystems. Moreover, it provides payment, fraud and risk management professionals with a series of insightful perspectives on key aspects, such as fraud management, identity verification, online authentication, and regulation.

About Olivier Thirion de Briel

Olivier Thirion de Briel is Global Solution Marketing Director for the banking sector at HID Global. In this role, Olivier leads the banking strategy and product marketing for the IAM solutions business unit. Prior to joining HID Global, Olivier led the cloud strong authentication offering at OneSpan (formerly Vasco) and Oberthur Technology’s strong authentication product line. Olivier holds an MBA from INSEAD, as well as an MSc in computer and electronic science.

About HID Global

HID Global is the leading provider of trusted identity and access solutions for people, places and things. We enable organizations and enterprises in a variety of industries such as banking, healthcare, and government to protect digital identities in a connected world and assess cyber-risk in real-time to deliver trusted transactions while empowering smart decision-making. Our extensive portfolio offers secure, convenient access to on-line services and applications and helps organizations to meet growing regulatory requirements while going beyond just simple compliance.

