Securing UX in Open Banking Apps

Historically, only large, well-established banks had control over the majority of consumer and corporate finances, making it highly challenging for smaller financial services providers to break into the market. Open banking has transformed the way organizations and consumers manage their money, as users can now conveniently access their finances from the comfort of their homes. This revolution in banking has also presented a wealth of opportunities for small financial organizations to provide competitive services and for developers to design the latest innovative open banking apps.

Open banking leverages application programming interfaces (APIs) that enable consumers and businesses to share their account data with a third party on request, with just a few taps on their devices. The APIs carry data between apps, platforms and licensed third parties; the security of that exchange rests on the authentication, authorization and transport protections placed around each API, not on the API simply being open. The shared data is then aggregated and presented to the user in an easy-to-operate interface. With all their information in one spot, users have a holistic view of their finances, with the ability to transfer funds, conduct transactions and locate deals on credit lines, loans and time deposits.

Despite the advantages that open banking apps offer, they also give rise to a number of security challenges that come with personal data sharing. Open banking providers must ensure they are strictly adhering to compliance standards and security best practices to safeguard consumer data.

Rigorous Consent Controls on APIs

Customer consent is the basis of building trust between a business and a user. The open banking industry won’t be able to reach its predicted size of $43.15 billion by 2026 if customers don’t believe the platforms are trustworthy. To keep all data moving between apps and services strictly under the user’s control, companies must enforce consent at the level of the individual API resource: the specific accounts, data fields and operations a given third party may touch, checked on every call rather than only at login. This lets users manage permissions by selecting which third parties can access their data, which data those parties can exchange and when, and for how long the sharing should remain valid. For instance, social media apps ask users for permission before posting on their behalf or sharing their data with other third-party apps. In the same sense, open banking providers must obtain customer consent before sharing their information with other platforms and financial organizations, and must stop sharing when that consent expires or is withdrawn.

Enforcing Data Regulations at the API Level

The rise of data privacy laws like the California Privacy Rights Act (CPRA), together with open banking regimes and standards such as Australia’s Consumer Data Right (CDR), the Financial Data Exchange (FDX) standard in North America, the EU’s second Payment Services Directive (PSD2) and the UK Open Banking Implementation Entity (OBIE) standards, has brought stricter requirements and penalties for organizations that mishandle consumer data. While open banking provides substantial benefits to organizations and their customers, it also introduces attack vectors, including insecure APIs, that can result in data leakage and theft. Gartner predicted that by 2022 API abuses would be the most frequent attack vector resulting in data breaches for enterprise web applications. Open banking app providers must protect their APIs with strong identity and access management (IAM) controls, so that a third party can reach only the users, accounts and data it was authorized for, to prevent unauthorized access and exposure of personally identifiable information (PII). Failing to do so is also a compliance failure: organizations that don’t abide by privacy laws risk costly fines, loss of customers, a damaged reputation or even the loss of their entire business.
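The following is an added example, not Cloudentity’s code and not taken from any of the standards named above, showing what per-resource consent enforcement on an API (the consent controls described in the previous section) and protection against unauthorized third-party access look like in practice. It assumes a hypothetical in-memory consent store and an access token that has already been introspected into a dict of claims (`sub`, `client_id`, `consent_id`); a real deployment would use OAuth 2.0 / FAPI token introspection and a durable consent database. The consents, third-party client IDs and account IDs are constructed sample data.

```python
"""Consent-aware authorization for an open banking API (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass
class Consent:
    consent_id: str
    user_id: str
    client_id: str            # the third party (TPP) the user granted access to
    permissions: frozenset    # e.g. {"accounts:read", "transactions:read"}
    account_ids: frozenset    # only these accounts may be touched
    expires_at: datetime
    revoked: bool = False


# Constructed sample consents (hypothetical data, not from any real system).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
CONSENTS = {
    "c-100": Consent("c-100", "user-1", "tpp-budget-app",
                     frozenset({"accounts:read", "transactions:read"}),
                     frozenset({"acc-1", "acc-2"}), NOW + timedelta(days=90)),
    "c-200": Consent("c-200", "user-1", "tpp-lender",
                     frozenset({"accounts:read"}),
                     frozenset({"acc-1"}), NOW - timedelta(days=1)),      # expired
    "c-300": Consent("c-300", "user-2", "tpp-budget-app",
                     frozenset({"payments:write"}),
                     frozenset({"acc-9"}), NOW + timedelta(days=1), revoked=True),
}

# Route table: (method, path pattern with an account_id group) -> required permission.
ROUTES = [
    ("GET", re.compile(r"^/accounts/(?P<account_id>[^/]+)$"), "accounts:read"),
    ("GET", re.compile(r"^/accounts/(?P<account_id>[^/]+)/transactions$"), "transactions:read"),
    ("POST", re.compile(r"^/accounts/(?P<account_id>[^/]+)/payments$"), "payments:write"),
]


def authorize(token: dict, method: str, path: str, now: datetime = NOW) -> tuple[bool, str]:
    """Decide whether one API call is covered by the user's consent.

    `token` is the introspected access token: {"sub", "client_id", "consent_id"}.
    Returns (allowed, reason); every denial carries an explicit reason for logging.
    """
    for route_method, pattern, needed in ROUTES:
        m = pattern.match(path)
        if route_method == method and m:
            account_id = m.group("account_id")
            break
    else:
        return False, "unknown route"

    consent = CONSENTS.get(token.get("consent_id", ""))
    if consent is None:
        return False, "no consent bound to token"
    # Bind the consent to both the user and the third party it was granted to,
    # so a token minted for one TPP cannot ride on another TPP's consent.
    if consent.user_id != token.get("sub"):
        return False, "consent belongs to a different user"
    if consent.client_id != token.get("client_id"):
        return False, "consent granted to a different third party"
    if consent.revoked:
        return False, "consent revoked by user"
    if now >= consent.expires_at:
        return False, "consent expired"
    if needed not in consent.permissions:
        return False, f"permission {needed} not granted"
    # Object-level check: the account named in the URL must be one the user shared.
    if account_id not in consent.account_ids:
        return False, f"account {account_id} not covered by consent"
    return True, "allowed"


if __name__ == "__main__":
    budget_app = {"sub": "user-1", "client_id": "tpp-budget-app", "consent_id": "c-100"}
    print(authorize(budget_app, "GET", "/accounts/acc-1"))             # allowed
    print(authorize(budget_app, "GET", "/accounts/acc-3"))             # not in consent
    print(authorize(budget_app, "POST", "/accounts/acc-1/payments"))   # permission missing
```

The check is deliberately performed per request and per account identifier: a token that is valid for reading `acc-1` is still refused for `acc-3`, which is the class of broken object-level authorization flaw that scope checks alone do not catch. Expiry and revocation are evaluated at call time, so withdrawing consent takes effect on the next request rather than at the next token refresh.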

Identity and Access Management and Zero-Trust

IAM has become a critical component of modern cybersecurity to ensure digital identities and company resources are protected. Traditional IAM tools that verify identity once, at login, and then trust the session for its lifetime leave a gap: anything that hijacks or replays that session inherits its full access. Companies should deploy IAM solutions built on a zero-trust framework that continuously authorize users based on their context in real time. Such controls compare each request against the user’s usual behavior, activity, device and location to judge whether the person making the request is truly the account holder. Because zero trust does not assume that an identity established at login still holds, users are re-evaluated on every request and asked to re-authenticate when the context changes, even if they initially appeared trustworthy. Done well, this also improves usability: low-risk requests pass without extra friction, and step-up authentication is reserved for the requests that warrant it, which encourages users to take full advantage of open banking apps.
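As an added example (not Cloudentity’s code and not any vendor’s scoring algorithm), here is the shape of the continuous, context-based authorization decision described above: each request is scored against a per-user baseline of known devices, usual countries and last-seen location, and the score maps to allow, step-up (re-authenticate) or deny. The baseline, the request data and the risk weights are constructed and illustrative, not tuned values from a real system.

```python
"""Context-based, continuous authorization for each open banking request (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import math


@dataclass
class Baseline:
    known_devices: frozenset
    usual_countries: frozenset
    last_seen_at: datetime
    last_seen_geo: tuple        # (lat, lon) of the previous request


@dataclass
class Request:
    user_id: str
    device_id: str
    country: str
    geo: tuple                  # (lat, lon) resolved from the client address
    at: datetime
    action: str                 # e.g. "view_balance", "add_payee", "make_payment"
    amount: float = 0.0


# Actions weighted by how much harm a hijacked session could do with them.
ACTION_SENSITIVITY = {"view_balance": 0, "view_transactions": 0,
                      "add_payee": 2, "make_payment": 3}


def _distance_km(a: tuple, b: tuple) -> float:
    """Great-circle (haversine) distance between two (lat, lon) points."""
    r = 6371.0
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def risk_score(req: Request, base: Baseline) -> tuple[int, list]:
    """Score the request context against the user's baseline; higher means riskier."""
    score, signals = 0, []
    if req.device_id not in base.known_devices:
        score += 3; signals.append("unknown device")
    if req.country not in base.usual_countries:
        score += 2; signals.append("unusual country")
    hours = (req.at - base.last_seen_at).total_seconds() / 3600
    if hours > 0:
        km = _distance_km(base.last_seen_geo, req.geo)
        if km / hours > 900:            # faster than a commercial flight: two sessions at once
            score += 4; signals.append("impossible travel")
    if not (6 <= req.at.hour < 23):      # illustrative off-hours window (UTC)
        score += 1; signals.append("off-hours")
    score += ACTION_SENSITIVITY.get(req.action, 3)
    if req.amount > 1000:
        score += 2; signals.append("high-value")
    return score, signals


def decide(req: Request, base: Baseline) -> tuple[str, int, list]:
    """Map the score to allow / step_up / deny. Thresholds are illustrative."""
    score, signals = risk_score(req, base)
    if "impossible travel" in signals or score >= 8:
        return "deny", score, signals
    if score >= 4:
        return "step_up", score, signals
    return "allow", score, signals


# Constructed sample baseline: one known device, normally in the US, last seen in New York.
NOW = datetime(2024, 6, 1, 14, 0, tzinfo=timezone.utc)
NYC = (40.71, -74.01)
USER1 = Baseline(frozenset({"dev-a"}), frozenset({"US"}), NOW - timedelta(hours=2), NYC)


if __name__ == "__main__":
    print(decide(Request("user-1", "dev-a", "US", NYC, NOW, "view_balance"), USER1))
    print(decide(Request("user-1", "dev-z", "US", NYC, NOW, "add_payee"), USER1))
    print(decide(Request("user-1", "dev-a", "RO", (44.43, 26.10), NOW, "view_balance"), USER1))
```

A read from the usual device and location passes with no friction; adding a payee from an unknown device triggers step-up; a request from Bucharest two hours after one from New York is denied outright, regardless of how benign the action is, because the session cannot plausibly belong to the same person in both places. Returning the signals alongside the decision is what makes the outcome explainable to the user and auditable by the security team.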

The use of open banking platforms has dramatically changed banking as we know it, offering a variety of benefits to businesses and consumers that weren’t available before. However, such innovations come with added risks if not properly secured. Organizations must ensure they aren’t misusing the data their customers are trusting them with and that all financial data is protected by APIs that enforce authentication, authorization and consent on every call. By following IAM best practices and complying with data regulations, financial services organizations can provide their users with a seamless and secure open banking experience.


Jasen Meece

Jasen Meece is the CEO of Cloudentity and a member of the company’s board. He has over 20 years of leadership experience across identity and access management, security, cloud and IT operations, having held executive positions at IBM, KPMG and Oracle. Prior to Cloudentity, he was a managing partner at IBM helping grow its cloud identity service business.
