
OB Directory: Mitigating Open Banking Risk


Under the second EU Payment Services Directive (PSD2) and the UK’s Open Banking Regulation, banks are required to allow third parties with the appropriate payment services permissions to access their customer payment accounts and prevent access for organisations without these permissions.

If banks fail to properly authenticate these third parties, they risk authorising fraudulent transactions or unauthorised data sharing and subsequent claims under PSD2 or the General Data Protection Regulation (GDPR).

Increasing Open Banking adoption

Open Banking transactions are now a reality and are becoming increasingly popular. The UK just marked the fourth anniversary of Open Banking implementation, reaching over 4.5 million regular users, 1 million new users every 6 months, around 27 million successful API calls per day, and over 26.6 million Open Banking payments.

The UK tax authority (HMRC) recently made history by becoming the first tax authority in the world to integrate Open Banking into their systems. Since ‘pay by bank account’ was introduced to the four biggest tax regimes, more than £1 billion has already been paid using this payment method.

Scope for fraud is creeping in

With more and more consumers using Open Banking as a payment method, not only will the volume of transactions continue to grow, but the value of individual transactions is also likely to increase following the rise of the Faster Payments limit to £1 million. This leaves room for new forms of fraud, and fraudsters will see it as the perfect opportunity to engage in criminal activity: they are quick to exploit new technologies and platforms such as Open Banking.

In Open Banking, fraud can happen when fraudsters attack banks, third party providers (TPPs) or customers. The rapid growth in the number of Open Banking fintechs adds a further risk for banks: a provider whose authorisation has been withdrawn may still be accessing bank data and potentially using it for illegal purposes. To reduce this risk, banks should regularly check the authorisation status and passporting rights of every fintech that tries to connect.

So, how can banks prevent these risks?

Banks do mitigate fraud to a certain extent by making sure that they only engage with authorised TPPs with correct passporting rights.

In order to achieve regulatory compliance, banks must put in place technical frameworks that allow secure access for authorised third parties. Although Open Banking is built largely on existing technology, it forces banks to open up the fortress they have spent years building to keep cyber security risks out.

As Open Banking grows, banks become more exposed to potential risks and have to put in place monitoring mechanisms and strategies to detect and stop fraudulent activity.

Currently, to comply with PSD2 and Open Banking, banks and TPPs rely on qualified certificates (eIDAS certificates in the EU, OBIE certificates in the UK) to secure access-to-account services. These certificates identify the TPP, but relying on this check alone has proved problematic, because the model has several shortcomings:

  • The eIDAS/OBIE certificate reflects the TPP's status at the time of issuance only;
  • If the national competent authority (NCA) withdraws the TPP's licence, there is no automatic revocation process with the qualified trust service provider (QTSP) that issued the certificate;
  • No passporting information is present in the certificate.

This means that a TPP may lose its passporting right to operate in one country but as its certificate is still valid, the TPP can still access customers’ data based on the certificate checking alone.
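As an added example (not code from Banfico or the OB Directory), the decision logic an access-to-account gateway needs in order to close this gap: certificate validity is treated as necessary but not sufficient, and access additionally requires a fresh register lookup showing the TPP as authorised and, for any country other than its home state, holding a passporting right there. The organizationIdentifier layout PSD<country>-<NCA>-<number> is the one ETSI TS 119 495 defines for PSD2 certificates; the TPP identifiers, register contents and timestamps are constructed for illustration, and revocation status is assumed to come from a separate CRL/OCSP check.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example, not Banfico code. The organizationIdentifier layout
# "PSD<country>-<NCA id>-<authorisation number>" follows ETSI TS 119 495;
# the TPP numbers, register contents and dates below are constructed.
ORG_ID_RE = re.compile(
    r"^PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z0-9]{2,8})-(?P<number>[A-Za-z0-9]+)$"
)


@dataclass
class Certificate:
    """The fields of a TPP's eIDAS/OBIE certificate that matter for this check."""
    organization_identifier: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # outcome of a CRL/OCSP lookup performed elsewhere


@dataclass
class RegisterEntry:
    status: str                                      # "authorised" or "withdrawn"
    passported_to: set = field(default_factory=set)  # host-state ISO country codes


@dataclass
class Register:
    """Snapshot of NCA/EBA register data keyed by (country, NCA, number)."""
    entries: dict
    fetched_at: datetime
    max_age: timedelta = timedelta(hours=2)  # refuse to decide on older data


def parse_org_id(org_id: str):
    m = ORG_ID_RE.match(org_id)
    if not m:
        raise ValueError(f"not a PSD2 organizationIdentifier: {org_id!r}")
    return m.group("country"), m.group("nca"), m.group("number")


def certificate_is_valid(cert: Certificate, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after and not cert.revoked


def check_access(cert: Certificate, target_country: str, register: Register, now: datetime):
    """Decide whether the TPP presenting `cert` may access accounts in `target_country`.

    A valid certificate alone is never enough: the register snapshot must be fresh,
    list the TPP as authorised, and (outside the home state) record a passport.
    Returns (allowed, reason)."""
    if not certificate_is_valid(cert, now):
        return False, "certificate expired, not yet valid or revoked"
    if now - register.fetched_at > register.max_age:
        return False, "register snapshot is stale; refusing rather than trusting old data"
    home, nca, number = parse_org_id(cert.organization_identifier)
    entry = register.entries.get((home, nca, number))
    if entry is None:
        return False, f"{cert.organization_identifier} not found in register"
    if entry.status != "authorised":
        return False, f"authorisation status is '{entry.status}'"
    if target_country != home and target_country not in entry.passported_to:
        return False, f"no passporting right for {target_country}"
    return True, "authorised TPP with passporting right"


# Constructed scenario data -------------------------------------------------
NOW = datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc)
VALIDITY = dict(not_before=datetime(2021, 1, 1, tzinfo=timezone.utc),
                not_after=datetime(2023, 1, 1, tzinfo=timezone.utc))

CERT_OK = Certificate("PSDGB-FCA-900001", **VALIDITY)         # authorised, passported to IE
CERT_WITHDRAWN = Certificate("PSDGB-FCA-900002", **VALIDITY)  # licence withdrawn, cert still valid
CERT_EXPIRED = Certificate("PSDGB-FCA-900001",
                           not_before=datetime(2019, 1, 1, tzinfo=timezone.utc),
                           not_after=datetime(2021, 1, 1, tzinfo=timezone.utc))

REGISTER = Register(
    entries={
        ("GB", "FCA", "900001"): RegisterEntry("authorised", {"IE"}),
        ("GB", "FCA", "900002"): RegisterEntry("withdrawn"),
    },
    fetched_at=NOW - timedelta(minutes=30),
)


def demo():
    """Run the failure modes the article describes and return each decision."""
    return {
        "home_state": check_access(CERT_OK, "GB", REGISTER, NOW),
        "passported": check_access(CERT_OK, "IE", REGISTER, NOW),
        "not_passported": check_access(CERT_OK, "FR", REGISTER, NOW),
        "withdrawn": check_access(CERT_WITHDRAWN, "GB", REGISTER, NOW),
        "expired": check_access(CERT_EXPIRED, "GB", REGISTER, NOW),
        "stale_register": check_access(CERT_OK, "GB", REGISTER, NOW + timedelta(hours=3)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:15} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The "withdrawn" scenario is the one the article warns about: the certificate passes every cryptographic check, and only the register lookup denies access. Treating a stale register snapshot as a denial, rather than falling back to the certificate alone, keeps the check fail-closed.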

Therefore, with the shift from Open Banking to Open Finance, the number and value of transactions taking off and more data becoming accessible to third parties, financial institutions should act before their reputation is put at risk.

How can Banfico help?

At Banfico, we believe that essential data services, like all risk mitigation services that support Open Banking, should be accessible and affordable. That is why we took on the challenge of building our own infrastructure to support market participants with their regulatory and compliance checks.

Banfico’s OB Directory provides a single and compliant source of standardised information about active Regulated Entities that can perform Access to Account (XS2A) services in Europe and the UK. It connects to all NCA registers and the European Banking Authority (EBA). Our cost-effective cloud-based solution is highly available, with updates sourced from the registers every 2 hours. 

Banfico OB Directory

With the OB Directory, banks have all the regulatory information they need to make informed decisions, along with robust fraud prevention and detection capabilities to complement their risk mitigation strategy.

To find out more about the OB Directory, visit the Banfico website or contact us directly to request a demo and learn more about our solutions.

About Banfico

Open Banking Solution provider

Banfico is a technical solutions provider founded in 2017. Our team is formed of experts with vast experience in financial services. We have successfully delivered open banking solutions in the UK, Europe, and Brazil, and we are expanding to other parts of the globe.

