
As ‘open banking’ blossoms, application-based security becomes a concern

An iPhone is used to make an Apple Pay purchase at The Post Office on July 14, 2015, in London. (Photo by Peter Macdiarmid/Getty Images)

More financial institutions are leaning toward providing an “open banking” experience, in which customers use applications to conduct transactions through their bank.

While useful, the reliance on applications can open the door to new streams of potential financial fraud. Apple's entrance into open banking not only gives greater weight and importance to this approach, it also points to the possibility of a more secure digital banking experience.

“Apple certainly sees the potential of open banking with their recent acquisition of U.K.-based Credit Kudos, which many people refer to as an 'open banking' company,” said Gary McAlum, senior analyst at TAG Cyber. “They could potentially move into payments technology, financial tools like budget alerts, and products such as buy now, pay later (BNPL).”

With the open banking move, Apple is looking to potentially leverage account-to-account payments into Apple Pay, enabling U.K. users to pay directly out of their spending or checking account.

Elan Amir, CEO of MeasureOne, a leading consumer-permissioned data exchange platform, said that it is “always hard to know what Apple’s plans are, but being a 'closed garden' is not at odds with using public APIs like open banking. Most Apple applications already use external APIs, and open banking is no different in that respect,” Amir said.

“If Apple is indeed going to move into the world of open banking, they will have to modify their security model to accommodate it,” McAlum said. “Even if they limit the third parties they work with, flexibility will be important to make the relationships work. Financial privacy and the security of consumers' finances are the main concerns for anyone involved in the open banking environment.”

European security standards raise bar for digital financial services

Entering the open API banking world also means engaging in a more global environment of digital financial services, which in turn may cause financial firms to look at their security and compliance stance.

McAlum said: “We can see how Europe is raising the security bar through increased regulation and expect a similar approach in the United States.”

For example, McAlum said that in the United Kingdom, financial regulators and government bodies created standards that all third-party providers, including financial technology firms, must follow if they want to be a part of the open-banking environment.

Also in the U.K., applications can access open-banking APIs only if they go through an independent audit and prove that their systems and security controls are up to the Financial Conduct Authority's standards. They must do that regularly after the initial audit to retain authorization.

Also, open-banking regulations, such as the European PSD2, and local and regional protection laws such as GDPR, “create equal rules for everyone and enforce a high level of security [so] API security will be the centerpiece of the open banking security model and Apple will undoubtedly have to adapt to some degree,” McAlum added.

Not surprisingly, when it comes to open banking, online retail Goliath Amazon has its own play, too.

“In a sense, Amazon is building a bank for itself by taking core components of modern banking (deposits, credit cards, loans, insurance) and tweaking them to suit Amazon merchants and customers,” according to a 2021 report from CB Insights.
