Under the second EU Payment Services Directive (PSD2) and the UK’s Open Banking Regulation, banks are required to allow third parties with the appropriate payment services permissions to access their customer payment accounts and prevent access for organisations without these permissions.
If banks fail to properly authenticate these third parties, they risk authorising fraudulent transactions or unauthorised data sharing and subsequent claims under PSD2 or the General Data Protection Regulation (GDPR).
Increasing Open Banking adoption
Nowadays, Open Banking transactions are a reality and are becoming increasingly popular. The UK just marked the , reaching over 4.5 million regular users, 1 million new users every 6 months, around 27 million successful API calls per day, and over 26.6 million Open Banking payments.
The UK tax authority (HMRC) recently made history by becoming the first tax authority in the world to integrate Open Banking into their systems. Since ‘pay by bank account’ was introduced to the four biggest tax regimes, .
Scope for fraud is creeping in
With more and more consumers using Open Banking as a payment method, not only the , but also the value of transactions is likely to increase because of changes to . This leaves room for new ways of fraud, with fraudsters seeing this as the perfect opportunity to engage in criminal activities. Fraudsters are likely to exploit new technologies or platforms like Open Banking.
In Open Banking, fraud can happen when fraudsters attack banks, third party providers (TPPs) or customers. The recent rise of new Open Banking fintech solutions adds additional risks to banks. It increases the chance that providers which have lost their authorisation are still accessing banks’ data and potentially using it for illegal purposes. Therefore, in order to reduce this risk, banks should regularly check the authorisation statuses and passporting rights of the fintechs that are trying to connect.
So, how can banks prevent these risks?
Banks do mitigate fraud to a certain extent by making sure that they only engage with authorised TPPs with correct passporting rights.
In order to achieve regulatory compliance, banks must put in place technical frameworks that allow secure access for authorised third parties. Although Open Banking is built mostly on existing technology, banks are forced to open up the fortress they have been building for years to tackle cyber security risks.
As Open Banking grows, banks become more exposed to potential risks and have to put in place monitoring mechanisms and strategies to detect and stop fraudulent activity.
Currently, in compliance with PSD2 and Open Banking, banks and TPPs rely on qualified certificates (eIDAS/OBIE certificates) to provide access-to-account services. These certificates are used to identify TPPs but relying on this check alone has proved challenging as there are a few shortcomings with the model:
- The eIDAS/OBIE certificate is accurate at the time of issuance only;
- In case the NCA withdraws the TPP licence, there is no automatic revocation process with the qualified trust service provider (QTSP);
- No passporting information is present in the certificate.
This means that a TPP may lose its passporting right to operate in one country but as its certificate is still valid, the TPP can still access customers’ data based on the certificate checking alone.
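The following added example (not Banfico's code and not part of the original article) shows how a bank-side check can combine the certificate with a live register lookup, so that a valid certificate alone never grants access. The organisation identifier and role names follow the ETSI TS 119 495 conventions as an assumption, and the register snapshot and certificates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Fields a bank extracts from a TPP's eIDAS/OBIE certificate (constructed model;
# identifier format "PSD<country>-<NCA>-<number>" per ETSI TS 119 495 is assumed).
@dataclass
class TppCertificate:
    organisation_id: str   # e.g. "PSDGB-FCA-123456" (constructed value)
    roles: set             # PSD2 roles asserted in the certificate
    not_after: datetime

# One entry of an NCA register snapshot. This is refreshed from the NCA/EBA
# registers; none of it can be read from the certificate itself.
@dataclass
class RegisterEntry:
    status: str            # "authorised" or "withdrawn"
    roles: set             # roles the NCA actually granted
    passported_to: set     # ISO country codes the TPP may operate in

def authorise_access(cert, register, country, requested_role, now):
    """Return (allowed, reason). The certificate is only the first gate; the
    register decides licence status and passporting for the requested country."""
    if now > cert.not_after:
        return False, "certificate expired"
    entry = register.get(cert.organisation_id)
    if entry is None:
        return False, "organisation not found in NCA register"
    if entry.status != "authorised":
        return False, f"licence status is '{entry.status}'"
    if requested_role not in cert.roles or requested_role not in entry.roles:
        return False, f"role {requested_role} not held"
    home_country = cert.organisation_id[3:5]      # "GB" from "PSDGB-..."
    if country != home_country and country not in entry.passported_to:
        return False, f"no passporting right for {country}"
    return True, "authorised"

# Constructed register snapshot and certificates for the demonstration.
REGISTER = {
    "PSDGB-FCA-123456": RegisterEntry("authorised", {"PSP_AI", "PSP_PI"}, {"IE", "NL"}),
    "PSDGB-FCA-654321": RegisterEntry("withdrawn", {"PSP_AI"}, {"IE"}),
}
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
EXPIRY = datetime(2024, 1, 1, tzinfo=timezone.utc)
CERT_OK = TppCertificate("PSDGB-FCA-123456", {"PSP_AI", "PSP_PI"}, EXPIRY)
CERT_WITHDRAWN = TppCertificate("PSDGB-FCA-654321", {"PSP_AI"}, EXPIRY)  # still unexpired

if __name__ == "__main__":
    for cert, country in [(CERT_OK, "GB"), (CERT_OK, "DE"), (CERT_WITHDRAWN, "GB")]:
        print(cert.organisation_id, country, authorise_access(cert, REGISTER, country, "PSP_AI", NOW))
```

Both failing cases carry a certificate that would pass a pure certificate check; the register lookup is what blocks the withdrawn licence and the missing passport for DE.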
Therefore, with the shift from Open Banking to Open Finance, with the number and volume of transactions taking off and more data being accessible to third parties, financial institutions should be prepared to take action before their reputation is at risk.
How can Banfico help?
At Banfico, we believe that essential data services should be accessible and affordable, as are all risk mitigation services that support Open Banking. That is why we took on the challenge to build our own infrastructure to support market participants on the regulatory and compliance checks.
Banfico’s OB Directory provides a single and compliant source of standardised information about active Regulated Entities that can perform Access to Account (XS2A) services in Europe and the UK. It connects to all NCA registers and the European Banking Authority (EBA). Our cost-effective cloud-based solution is highly available, with updates sourced from the registers every 2 hours.
With the OB Directory, banks have all regulatory information to make informed decisions, robust fraud prevention and detection solutions to complement their risk mitigation strategy.
Open Banking Solution provider
Banfico is a technical solutions provider founded in 2017. Our team is formed of experts with vast experience in financial services. We have successfully delivered open banking solutions in the UK, Europe, and Brazil, and we are expanding to other parts of the globe.