A quasi-governmental entity in the United Kingdom is rolling out a new tool designed to boost fraud protections among open banking partners, offering an interesting lesson in risk management amid digital transformation.
The Open Banking Implementation Entity – a non-profit created by British authorities and overseen by nine of the largest UK banks – was set up in 2016 to standardize and share customer banking information with a wider range of financial institutions, in part through an application programming interface that allows third party financial providers to access the data with permission.
Mirroring electronic health care efforts in the U.S., open banking seeks to give consumers and small businesses ownership over their own data and the ability to share it with other parties. This could, in theory, lead to better deals on loans and other financial products.
While advocates believe this will be a net positive for consumers, there is also concern that opening up such data to hundreds of new organizations could result in higher rates of fraud, like identity theft, if they ended up in the wrong hands. Indeed, the evolution of security efforts in the U.K. tied to open banking provide an interesting case study for any public or private entity seeking to balance digital enablement with data security.
Fraud analytics firm FCase has highlighted several areas where more widespread adoption of open banking might contribute to the fraud landscape, citing the sheer volume of data being shared among different parties, the inability of traditional fraud programs to parse through that data and heightened confusion around who is ultimately liable (the bank, third party provider or customer) when poorly secured data is accessed and abused by fraudsters. There is also a concern that the compromise of certain apps could provide cybercriminals with “an enterprise-wide view of all accounts across a customer’s portfolio.”
“With consumers adopting digital banking as a more convenient way to manage finances, cybercriminals are seeing this as a perfect opportunity to engage in criminal activities to hide illicit transactions within the enormous transaction volumes occurring globally every day,” the firm wrote in a report last year. “Banking legacy fraud detection systems will not be enough to effectively manage fraud risks in this new environment.”
While the introduction of open banking in the U.K. has yet to lead to new kinds of fraud, the potential for both traditional and novel forms of fraud around online payments or mobile payments “are very much at the forefront of our mind,” said Bronwyn Boyle, head of security and counter fraud at OBIE, told SC Media.
Those concerns led the OBIE Security and Fraud Working Group to partner with other organizations like Accenture, Cifas, the University of Portsmouth Centre for Counter Fraud Studies and the Cabinet Office Fraud, Error and Debt team to devise a new online tool that allows those organizations to probe their own fraud controls.
According to OBIE, the Counter-Fraud Self-Assessment tool is designed to give firms a “visual snapshot” of their fraud controls, identify areas of potential risk and generate updated results as it tracks the evolution of the program over time. It allows authorized third parties to access a secure online portal where they are queried with a number of questions about their fraud governance, oversight, detection and prevention practices, offering a holistic view of the program’s maturity over time.
The genesis came from research the security and fraud working group did in 2019. While they found there was no shortage of certification schemes and guidance around different security controls, there was little in the way of best practices for counter-fraud. Boyle said the security team is hoping to incorporate new metrics into the tool over time and have had discussions about potentially expanding opening up other kinds of financial data to consumers in the future. There are currently approximately 300 live services being offered to just under 3 million users through the initiative.
“The key for us really is that we can build a kind of consolidated view of what’s good practices to defend against these broad types [of fraud] across the ecosystem, even for new entrants who may be less familiar with some of those fraud concepts,” Boyle said.
