Facilitating open finance through secure services

Travis Spencer, CEO of Curity

 

Open banking has revolutionized financial services forever, thanks to the integration of third-party financial institutions. This presents a wealth of new opportunities to businesses and customers alike. Transparency and innovation – two words not traditionally associated with banking – are now at the forefront of the industry. Europe’s onboarding of PSD2 regulations, the UK’s OBIE, and more recently Brazil’s efforts, represent a global change in traditional banking attitudes. The tides have now turned towards progress, paving the way for different technologies to enhance financial processes. APIs are a great example of this, and are at the heart of the open banking movement. They have enabled an environment where “platformification” is happening all around us, and it is happening now.

Naturally, the prospect of moving financial data around is always something to do with care. The consequences of this information falling into the wrong hands have the potential to be disastrous for consumers, businesses and banks. That’s why financial-grade API security is paramount when it comes to the exchange of data and financial information between institutions and third parties such as fintech vendors and other partners.

With security being of such importance, there is a raft of measures that financial services companies should adopt to set themselves up safely for success.

 

Authentication First

In a highly regulated system, it is important to have strong confidence in the users’ identity. This requires a Strong Customer Authentication (SCA) method, which usually translates to a high Level of Assurance. This is achieved in part by using multi-factor authentication. Equally essential, users must prove their identity as part of the registration and authentication processes. To achieve this, the regulators require standards-based, proven methods that ultimately result in a token (i.e., a ticket or memento) that is cryptographically bound to the bank and codifies the identity of the user, their authentication method, and the bank’s assurance level that the user represented by that token really is who they claim to be.

 

Always ask for consent

Authentication is important, but, alone, it isn’t enough. Open Finance regulations are clear that users must consent to a business accessing certain data or performing an action such as creating a transaction. But it must also be possible for users to manage and even revoke their consent through an easy-to-use user management service (https://curity.io/product/).

 

Protect data at all costs

Protecting users’ data can be a challenging task, but it’s a critical one. It takes a long time to build up trust – particularly when finances are involved – and it can be slashed in seconds if users lose confidence in a business’s ability to look after their users. As well as costing customers time, money and frustration, this can ruin a business’s reputation. Consequently, the safety of user data must be prioritised.

A combination of different techniques, frameworks and processes can be introduced to mitigate the risk of fraud, data leakage or manipulation, and privacy violations. This is an opportunity to ensure standards are implemented across the board. Standards and directives such as PSD2 are designed to protect user data, as well as to secure bank services. Businesses need to ensure they are investing in the right technology to adhere to these standards. By choosing solutions that automatically implement these specifications, businesses can reap the benefits of a secure customer database, which they are exposing via APIs, and improved customer relationships.

 

Skills are a priority

In order to do this, businesses must also invest in their teams. It’s not enough to simply put protocols in place. Design and execution require a specific set of skills which, unfortunately, are in high demand and short supply. Recent research commissioned by the Department for Culture, Media and Sport found that half of UK businesses (approx. 680,000) have a basic skills gap, lacking staff with the technical, incident response and governance skills needed to manage their cyber security. Meanwhile, a third (approx. 449,000) are missing more advanced skills, such as penetration testing, forensic analysis and security architecture.

Despite being essential – even more so as services are increasingly digitalised – cyber security skills are often poorly understood and undervalued, both by management boards and within IT teams. This can lead to a lack of investment in training, mishiring, and poor retention of staff in security roles. This only exacerbates the challenge of building a team that possesses the requisite skills.

Hiring can be hard when there’s a shortage of skills, so businesses need to be creative. This means considering new recruitment avenues and, importantly, breaking free from the traditional model of what cyber security professionals look like. Curiosity is key, so, for more junior roles especially, attitude should be a key qualification. Businesses should trust that many skills can be acquired on the job if the candidate has the essential fundamental knowledge and drive. To aid in this, employers should provide training and mentorship.

We are seeing a dramatic shift in the financial services sector; something that has not been seen for a very long time. It is an exciting time to be in banking and to be involved in major changes to the sector. There are many opportunities to come with this, but also unforeseen challenges. The same is true in cyber security, where prior measures are no longer sufficient to guarantee the security of user data. This future requires a financial-grade security architecture, implementation of valid user authentication protocols, and the developer competence to maintain such a system. The skills gap in security needs addressing for this future to become a reality. A joint effort is required – a solid, functional team paired with a secure product, and no less.
