Open Banking: Open for Business

Context have worked with a number of organisations to help them integrate securely with the Open Banking ecosystem, both banks (ASPSPs) and third party providers (TPPs). This post is the first in a series of articles where we will share some of the knowledge accumulated in the process. Future posts in this series will cover challenges with Open Banking, the permission model in use, and tooling available for testing.

By Margus Lind

Lead Security Consultant

27 Mar 2020

Before we begin, let’s define a few acronyms:

  • ASPSP Account Servicing Payment Service Provider (let’s call it a bank)
  • TPP Third Party Provider (e.g. a FinTech startup)
  • PSD2 Revised Payment Services Directive (new rules created by the European Union to foster integrated, safer and open banking)

A full glossary is available here.

An Introduction to Open Banking

Open Banking is the UK implementation for PSD2. On top of the PSD2 regulations, Open Banking provides a detailed specification for banks and third parties to follow when communicating with one another. This allows companies (TPPs) to build their applications and integrate with online services exposed by any bank (ASPSP) in a standardised way. A common interface for all banks, if you will.

The below diagram illustrates how the components and roles fit together in a simplified fashion:

Figure 1 - Artistic rendition of Open Banking

 

For example, Open Banking enables the end user to view their current account balances held with different banks and allows applications to display the information all together in one coherent dashboard. This gives the user an overview of all their finances in one place. At the same time, there are grave risks associated with trusting third parties with excessive access to banking information, or even worse the full online banking portal. Using the Open Banking APIs, the user is able to manage granular access permissions to each of their accounts directly through the bank for the account in question. This access, enabled through Open Banking, is how banks' mobile applications can show account details from other banks. As implied by this model, a bank can perform as both an ASPSP and a TPP simultaneously, albeit as different entities. Alternatively, they might rely on a third party to provide the platform for accessing account data from other banks.

Open Banking is revolutionary in allowing third party providers to access data and interact with customer bank accounts. At the same time, Open Banking sets strict guidelines to ensure customers have an overview and control of who is able to access their data. As such, a third party can legitimately operate on bank accounts, providing an alternative interface or richer features than the bank itself. This is a fundamental change in how customers interact with their banks, which attempts to introduce sweeping changes and innovation within traditional financial institutions.

Implementing the required changes internally to support a common API is a complex undertaking as it introduces a whole new channel for external entities to interact with the bank. The final PSD2 compliance deadline was 14 September 2019, however many banks are experiencing difficulties with fully implementing the APIs and integrating with the Open Banking ecosystem within the strict deadlines set out (see here). For urgent complex projects affecting core services, it is essential that development and testing (functional and security) are performed to the highest standards. This requires both the Banking and Security industries to innovate new ways to work together and deliver large scale projects.

Providing the APIs is only the first step of the whole endeavour. Following this, next steps will be for organisations to start using the APIs to provide advanced services and the public to understand what consenting to an access request entails. Both of these facets reveal additional interesting security concerns that, once solved through collaboration, should lead to a brighter future for bank customers.

In the next post of the series, we will be delving deeper into the technical and social challenges associated with introducing Open Banking based services.

Subscribe for more Research like this

About Margus Lind

Lead Security Consultant

Find out more

Book a Meeting

CREST
CREST STAR
CHECK IT Health Check Service
CBEST
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor