Protecting an Open Banking World

  • Mary Ann Miller, Senior Director, Fraud, Executive Advisor & Industry Relations at NICE Actimize

  • 30.03.2018 10:00 am
  • undisclosed

How can financial institutions adjust to the benefits and challenges of Open Banking?

Interview with Mary Ann Miller, Senior Director, Fraud, Executive Advisor & Industry Relations at NICE Actimize.

With the introduction of Open Banking initiatives across Europe, there has been an initial backlash by consumers, who worry their data may be unsafe. With APIs representing a whole new channel to secure, there is potentially a gaping hole in a bank’s perimeter defense, so consumers’ concerns are not unfounded. As Open Banking moves to the rest of the world, how can other countries move more quickly to address security issues around Open Banking?

In Singapore, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) launched their own Open Banking initiative in late 2016. It is expected that in 2018, 25 percent of Financial Institutions (FIs) in APAC will have adopted Open Banking. As the world moves quickly toward adoption of an Open Banking approach, financial services organizations must not overlook the need for protection.

Financial IT: What does Open Banking mean and how is it taking effect across the globe?

Mary Ann Miller (MAM): Open banking provides a mechanism for innovation to spawn in global markets. Since Open Banking requires institutions to open up their environments to interact with third parties, this capability can lead to some unique products, such as the creation of a new place for customers to manage bills and budgets; or it may enable a third party that helps them reach retirement goals or find the best value for their shopping needs by providing coupons.

These new innovative ventures are already emerging. In Europe, they’re forcing Open Banking through the Payment Services Directive 2 (PSD2) regulatory action, which requires banks to open APIs to third party providers. In the U.S., where banking is regulated differently, the nature of the market is very competitive and embraces these innovations. We’ve seen Open Banking propositions like PayPal growing by the day.

Financial IT: How will Open Banking change e-commerce, mobile payments and mobile wallets?

MAM: We anticipate seeing Open Banking bringing improvements to such industries as public transportation. In London, you can now use Apple Pay for the underground, and the New York Subway system is going the same way. Singapore was an early pioneer with PayNow, which was launched a few years ago. 

With e-commerce companies like Amazon, payments traditionally go through the card network. In the future, consumers will pay directly from their current account. Amazon can initiate the transaction on the consumer’s behalf by communicating directly to the paying bank through an API. The same goes for other Point of Sale (POS) examples. For retailers accepting this kind of payment, they’ll gain access to immediate cash flows, not to mention reduced fees per transaction.

Financial IT: We hear a lot about Alexa payments. What is the role of voice payments in this scenario?

MAM: When we hear the term ‘Alexa,’ we tend to think of Amazon’s line of smart-speaker devices and the voice-activated artificial intelligence (AI) that allows us to speak to devices using natural language. In this emerging category, and in the context of open API banking, a third party can make API calls over the internet. They’ll then convert the voice-instructions to a function that the bank makes available in its API. The bank doesn’t receive the voice recording, but some conversion of that voice command into a well-defined instruction. From a fraud prevention perspective, that means there is information about that voice interface, such as its version or some voice biometric identity markers, that is sent to the bank to judge whether there is some associated fraud risk with that user session.

Financial IT: We’ve talked about Open Banking retail scenarios. How do you predict Open Banking will first occur in the corporate setting?

MAM: Corporates and FIs are already beginning to think about how they can leverage APIs to enable better business products such as payroll services or expense and travel reimbursement systems. With these innovations will come more complex fraud and the need for even more detailed fraud strategies.

Financial IT: What drove Actimize to develop a separate solution for Open Banking?

MAM: Actimize has a big European base of top tier banks, in the U.K. and Germany especially, among its clients. We assess fraud risk by considering the payment event, the access or channel and the entities involved. APIs are clearly a different channel. However, the bank doesn’t control the device anymore. We’re seeing issues with Third Party Providers, such as insider fraud, point of compromise and stolen banking credentials.

Financial IT: What does Open Banking as a new channel to protect mean for fraud strategy?

MAM: We’re calling this “Open Banking-flavored fraud.” This means that some bad actor can take advantage of this new channel. Similar to digital banking in the online bank or mobile banking apps, the open API as a banking channel introduces a new “attack surface area.”

With Open Banking, we can also expect more account takeover scenarios. As a financial institution, you can only rely on how well the third party or FinTech is identifying who is accessing its application. Fraudsters have entirely new targets now to gain control of and the FinTech application acts as a proxy into the core customer accounts at the bank.

Financial IT: Social engineering schemes are dominating fraud attacks and losses in both retail and commercial settings now. How does Open Banking add to this problem?

MAM: The promise of Open Banking creates a new ecosystem of banking services by FinTechs, and each becomes its own target for social engineering. We see classic social engineering repeatedly, such as romance scams on Facebook, email compromise or social engineering that comes from a fraudster calling the customer as the FinTech. All of these methods are particularly good environments for fraud if a third party or FinTech is providing services or products that relate to a real-time payment.

FinTechs can also be targeted for phishing attacks that mimic formal communications to steal banking credentials. In the event of some security risk to the account, are users expecting a call from their bank? Or from the FinTech? This can get confusing to the end-user.

Financial IT: What are the most important points of an Open Banking fraud strategy?

MAM: We look at an open banking strategy through three areas. First, there is Channel-specific fraud detection, where the banking service event occurs. From the perspective of a bank, it’s through the API gateway, which is why we refer to the open banking as a channel. Next, there is Payment-specific analytics, which is about evaluating the specific type of banking transaction, such as a payment initiation or approval. Last, one must consider Operations for an open banking environment, such as how you react to a suspicious transaction, or how you try to re-authenticate the customer.

Financial IT: What are the authentication challenges linked to Open Banking?

MAM: In some geographies, individual regulators are addressing this subject directly. However, regardless of the authentication required by regulators, financial institutions must carefully facilitate fraud controls with the authentication journey with the customer. To the customer, a new channel should perform effortlessly. While improving security, financial institutions must also consider the overall customer experience.

NICE Actimize is a leader in providing Autonomous Financial Crime Management. As the largest and broadest provider of financial crime, risk and compliance solutions for regional and global financial institutions, as well as government regulators, NICE Actimize is consistently ranked as number one in the space. NICE Actimize experts apply innovative technology to protect institutions and safeguard consumers’ and investors’ assets by identifying financial crime, preventing fraud and providing regulatory compliance. The company provides real-time, cross-channel fraud prevention, anti-money laundering detection, and trading surveillance solutions that address such concerns as payment fraud, cybercrime, sanctions monitoring, market abuse, customer due diligence and insider trading. Find us at www.niceactimize.com, @NICE_Actimize or Nasdaq: NICE.
