Open Banking is Not Yet in the United States. But Banks Better Start Planning for it Now


Open banking is currently mandated in the EU, via a European directive. The regulation behind open banking is the second Payment Services Directive (PSD2). Open banking is designed to permit consumers’ data to be used by third party providers and thereby increase the competition and quality of products in the banking, payments, and credit cards space. Other benefits include ways to save consumers money with better interest rates or cash incentives, as well as making it easier to switch accounts, or to permit consumers’ data to be used by third party providers for helpful tools such as creating a dashboard of all their financial accounts.

PSD2’s main goals are to increase commerce and create a consumer-friendly ecosystem, while ensuring that consumers’ data remains secure in the process.

Open banking will allow third party providers (TPPs) to offer a wide variety of new services and potentially change the landscape of traditional retail banking, allowing new capabilities to be developed for consumers.

One specific mandate of open banking under PSD2 is that financial institutions must provide secure access to TPPs via a standards-based technology called open Application Programming Interfaces (APIs).

One recurring question is whether we will see open banking come to the United States under similar regulations.

It is only a matter of speculation at this point, but it seems thus far that in the U.S. the private sector will trend towards similar capabilities without a regulatory mandate. Open banking will improve innovation but also requires banks to open up their data to third parties. Open banking APIs are valuable to financial institutions, as they enable new sources of revenue, increased service offerings, and improved customer engagement. Open banking offers an interface for third parties that can help consumers borrow, pay, save and manage their finances more easily.

For example, in the past, aggregators of consumer financial data used a cumbersome legacy process to access accounts, via non-standardized approaches such as reusing customer credentials and “scraping” the data for their clients. Now a more unified approach using standardized APIs has been developed and is supported by the largest banks, FinTechs, and payments networks. The Financial Data Exchange, or FDX, “was established on the idea that consumers and businesses should have easier, more secure access to their financial data. Through our FDX API and technical frameworks, FDX is unifying the leading financial institutions, FinTechs and others around a common standard for data sharing across the entire financial industry.” This is an excellent example of the private sector leading the way to create a more open and standardized architecture for consumer access to data, without the necessity of a regulatory mandate.

Open banking concepts have increased the pressure on banks to create their own personal financial management tools and more competitive products and solutions, rather than let a third party enter into the marketplace.

Financial institutions need to embrace new technologies to keep up with open banking, such as artificial intelligence (AI) and machine learning. Financial institutions will need to mine the data they have to maintain customer loyalty and customer engagement by ensuring they offer competitive services and products. The need to analyze and aggregate data will become even more important, to create meaningful customer insights for better, more targeted, product offerings. The use of AI, or more specifically machine learning and deep learning, will increase the sophistication of data aggregation and analysis. Machine learning will allow financial institutions to keep up with the substantial amounts of data requests and transactions that move through open banking, and to make real-time decisions using that data.

Despite the benefits of open banking, there are certainly financial, risk and security impacts of opening such API gateways to third parties. Security risks are increased, particularly because sharing data across financial service providers creates new exposure points and new opportunities for vulnerabilities. CISOs will need to protect the open APIs that provide third party access, verify that those accessing the open APIs are legitimate parties, and defend against cyberattacks that could cause an outage of the open APIs.

Fraud defenses will also need to improve as there will be increased access to consumer data, and potentially less experienced TPPs handling that data. It is important to understand the risks that an open banking platform can present, as well as the growing importance of transparent, real-time authentication using machine intelligence in creating a secure, frictionless experience.

With access to customers’ data increasing faster than ever before, fraudsters will begin to exploit open banking access, making it imperative to utilize the latest approaches to mitigate risk and defend against attacks.

As fraudsters have begun using technology to create coordinated attacks, detection must be done at scale in real time. True machine intelligence is necessary to detect new and fast-changing sophisticated attacks by viewing all accounts and associated events holistically, without the benefit of historical data, supervision or manual analysis.

Many legacy authentication methods will not prevent account takeover in this sophisticated open banking ecosystem with increasingly clever cyber-criminals. Exposure points and methods of being attacked will continue to grow.

Open banking and new ways to perform digital transactions are convenient, but also open up a wide range of opportunities for fraudsters. There are numerous digital risks, including ‘velocity attacks,’ in which fraudsters use the same device to perform many intrusions. These types of attacks used to be mitigated with device identification technology. Today, fraudsters use device-spoofing to circumvent velocity strategies and trick legacy detection systems into viewing a single device as hundreds of unique devices.

In fact, login is not the only place where account takeover (ATO) attacks begin. Fraudsters also attempt account takeovers through phishing schemes or conduct schemes using social engineering techniques.

Bots can be particularly challenging for enterprises that operate transactions over digital channels. Using a variety of techniques to identify and screen out bots is a crucial factor in slowing and stopping them before they inflict costly damage, both in terms of expense and reputation.

Sophisticated bots require more complex detection techniques, such as analyzing device and geolocation information, watching for a high number of attempts and failures, reviewing unusual traffic patterns and unusual locations or repeated attempts from the same location, and watching for unusual speed of access attempts. Sophisticated bots are built for speed of intrusion and to evade detection by continually changing attack patterns; therefore, continual authentication and behavioral analysis using machine intelligence is critical to detect bot activity in real time.
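As an added illustration (not code from the article or from Deep Labs), the following Python sketch applies several of the heuristics just listed to a constructed batch of login events: per-device velocity, failure bursts per source address, inhuman inter-attempt speed, and, to counter the device-spoofing described earlier, the number of distinct device fingerprints claimed from one network source. The thresholds, field names and sample events are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class LoginEvent:
    ts: float         # seconds since epoch
    user: str
    device_id: str    # client-reported fingerprint; cheap to spoof
    ip: str           # network-observed source; harder to vary per attempt
    success: bool

# Illustrative thresholds (assumptions, not values from the article).
WINDOW_SECS = 60
MAX_ATTEMPTS_PER_DEVICE = 5   # classic velocity rule on the device fingerprint
MAX_FAILURES_PER_IP = 5       # high number of attempts and failures
MAX_DEVICES_PER_IP = 3        # one source presenting many "unique" devices
MIN_HUMAN_INTERVAL = 1.0      # unusual speed of access attempts, in seconds

def detect_bot_signals(events):
    """Return {signal: set(offending device_ids or ips)} for one analysis window."""
    events = sorted(events, key=lambda e: e.ts)
    if not events:
        return {}
    window = [e for e in events if e.ts - events[0].ts <= WINDOW_SECS]
    attempts_per_device, failures_per_ip = defaultdict(int), defaultdict(int)
    devices_per_ip, last_seen_ip, signals = defaultdict(set), {}, defaultdict(set)
    for e in window:
        attempts_per_device[e.device_id] += 1
        devices_per_ip[e.ip].add(e.device_id)
        if not e.success:
            failures_per_ip[e.ip] += 1
        if e.ip in last_seen_ip and e.ts - last_seen_ip[e.ip] < MIN_HUMAN_INTERVAL:
            signals["inhuman_speed"].add(e.ip)
        last_seen_ip[e.ip] = e.ts
    signals["device_velocity"] = {d for d, n in attempts_per_device.items() if n > MAX_ATTEMPTS_PER_DEVICE}
    signals["failure_burst"] = {ip for ip, n in failures_per_ip.items() if n > MAX_FAILURES_PER_IP}
    # Spoofed fingerprints defeat per-device velocity, so correlate them with the source address.
    signals["spoofed_devices"] = {ip for ip, d in devices_per_ip.items() if len(d) > MAX_DEVICES_PER_IP}
    return {k: v for k, v in signals.items() if v}

def sample_events():
    """Constructed traffic: one legitimate user, one classic velocity attacker, one spoofer."""
    legit = [LoginEvent(1000.0, "alice", "dev-A", "198.51.100.7", True),
             LoginEvent(1030.0, "alice", "dev-A", "198.51.100.7", True)]
    velocity = [LoginEvent(1005.0 + 2.0 * i, f"acct{i}", "dev-B", "192.0.2.44", False)
                for i in range(7)]                      # same device, 7 failures, 2 s apart
    spoofer = [LoginEvent(1001.0 + 0.3 * i, f"acct{i}", f"dev-{i:03d}", "203.0.113.9", False)
               for i in range(12)]                      # 12 "devices" from one IP, 0.3 s apart
    return legit + velocity + spoofer
```

The spoofer never trips the per-device rule, which is exactly the gap the article describes; it is caught only by the source-correlated and speed rules.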

Any organization that allows open banking access, and is transmitting sensitive information and payments information, can benefit from a machine intelligence platform that combines the right signals, such as device intelligence, behavior analytics, and session and user data, to find anomalies in real time that a human could not detect, with no additional friction for the user.

By using a data-driven approach and conducting machine learning interrogation across both an individual session and the universe of authentication sessions and transactions, profiles of legitimate “personas” can be created based on user patterns, devices, transaction history, and behaviors. Machine learning based on context, a 360-degree view of customers and the objects and signals around those people, creates persona-based intelligence. Personas are used in determining what activity the true consumer would and would not perform, reducing friction, and detecting risk of account takeover.

With account takeover, it is important to be predictive but also to make inferences using machine intelligence. Predictive intelligence helps us know what a customer is going to do or not do (risk) next. Even more powerful are inference-based decisions. Where other solutions need to see an event many times before acting on it, true machine intelligence can make an inference-based decision on the first event. This results in true account takeover prevention, versus detecting a fraud pattern after a series of successful fraud events, which may be detected long after the fact.

Purely rules-based and supervised learning platforms are no longer enough to protect against account takeover and financial loss. Using historical patterns can predict some fraud but will not prevent new evolving patterns as they emerge for the first time. True machine intelligence can make inference-based decisions through activity related to a user’s account or groups of accounts, across channels, without generating false declines.

As the U.S. financial system trends towards open banking concepts, led by the private sector, there are many opportunities to create new, more secure consumer experiences. To take advantage of these opportunities, financial institutions and third party providers are going to need to embrace innovative new solutions such as AI and machine learning, both for new customer insights and for fraud and risk detection.

By Michael Lynch, Chief Strategy and Product Officer, Deep Labs