In this blog I hope to open a forum for experts to share their thoughts and even expertise through guest posts. I am a journalist by trade so can only really scratch the surface of some of the issues in the fintech sector, so I need to hear from you on various subjects.
Here is a guest blog post from Wayne Blacklock, senior solution architect at identity and access management software firm ForgeRock, talking about the considerations that finance firms should make before doing Open Banking.
Open Banking is here
By Wayne Blacklock
“Several challenger banks have already implemented API-driven banking, the biggest banks in the UK have or will soon have gone live with their Open Banking APIs, and the rest of Europe is following with PSD2. It is relatively early days; however, the early signs are that this really is the beginning of a revolution in how we as consumers interact with our banks and take ownership of our financial data. However, Open Banking is not without its challenges.
Open Banking is a great example of how regulations can encourage and enable the growth of the data-sharing economy. Strong trust and consent practices, both in banking and other industries, will be increasingly vital as the digital economy continues to develop.”
If your organisation is keen to join the Open Banking revolution, here are five things you should consider:
1 – Consent
Financial data should be shared only if the customer has clearly consented to it. OAuth 2.0 is an open security standard for implementing delegated access and is a widely accepted solution to this problem. With OAuth, a third party that wants to access data must first send the customer to the bank, which strongly authenticates the customer and requests their consent before issuing the third party an access token that grants that access. Customers also need to be able to revoke that consent at any time. Organisations are now grappling with how to properly leverage OAuth to solve these problems.
2 – APIs & Security
Most organisations did not have Open Banking in mind when they designed their APIs and security platforms. They now need to find secure ways to expose their APIs, many of which are likely running on top of legacy platforms. They need to enable these APIs as OAuth resource servers, deploy OAuth-compatible authorisation servers, and integrate those with their customer-facing applications in order to enforce the consent discussed above.
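The consent flow in points 1 and 2, as an added worked example (this is illustrative code written for this post, not ForgeRock's product or any bank's implementation): the bank's authorisation server records what the customer actually approved, issues an opaque access token limited to that intersection of scopes, and answers token-introspection queries; an existing account API acting as resource server refuses any request whose token is unknown, expired, revoked, or missing the scope it needs; and the customer can revoke the consent at any time, which kills every token issued under it. The scope names, client and customer identifiers, the in-memory stores and the sample ledger are all constructed assumptions; a production deployment would use a standards-based authorisation server, persistent storage and signed or introspected tokens rather than this toy.

```python
import secrets
import time

# Scopes a third party may request and a customer may approve (constructed for this example).
KNOWN_SCOPES = {"accounts:read", "transactions:read"}


class ConsentError(Exception):
    """Raised when a token cannot be issued or a request is not authorised."""


class AuthorizationServer:
    """Bank-side OAuth 2.0 authorisation server (toy, in-memory).

    Tokens are opaque random strings; the resource server asks this class whether a
    token is still active (token introspection) instead of trusting the token itself.
    """

    def __init__(self, token_ttl_seconds=3600, clock=time.time):
        self.token_ttl = token_ttl_seconds
        self.clock = clock            # injectable so expiry can be demonstrated
        self.consents = {}            # consent_id -> {"customer", "client", "scopes", "revoked"}
        self.tokens = {}              # opaque token -> (consent_id, expires_at)

    def grant(self, customer_id, client_id, requested_scopes, approved_scopes):
        """Called only after the bank has strongly authenticated the customer and shown
        the consent screen. The token carries no more than the customer approved."""
        scopes = set(requested_scopes) & set(approved_scopes) & KNOWN_SCOPES
        if not scopes:
            raise ConsentError("customer did not consent to any requested scope")
        consent_id = secrets.token_urlsafe(8)
        self.consents[consent_id] = {"customer": customer_id, "client": client_id,
                                     "scopes": frozenset(scopes), "revoked": False}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (consent_id, self.clock() + self.token_ttl)
        return consent_id, token

    def revoke(self, customer_id, consent_id):
        """Customer withdraws consent; every token issued under it stops working."""
        consent = self.consents.get(consent_id)
        if consent is None or consent["customer"] != customer_id:
            raise ConsentError("unknown consent for this customer")
        consent["revoked"] = True

    def introspect(self, token):
        """Report token state in the spirit of RFC 7662 token introspection:
        {'active': False} for unknown, expired or revoked tokens, else scopes and subject."""
        entry = self.tokens.get(token)
        if entry is None:
            return {"active": False}
        consent_id, expires_at = entry
        consent = self.consents[consent_id]
        if consent["revoked"] or self.clock() >= expires_at:
            return {"active": False}
        return {"active": True, "scope": sorted(consent["scopes"]),
                "sub": consent["customer"], "client_id": consent["client"]}


class AccountApi:
    """Resource server: a (pretend) legacy account API fronted by token checks."""

    def __init__(self, auth_server, ledger):
        self.auth = auth_server
        self.ledger = ledger          # customer_id -> {"accounts": [...], "transactions": [...]}

    def _authorise(self, token, needed_scope):
        info = self.auth.introspect(token)
        if not info["active"]:
            raise ConsentError("token is invalid, expired or revoked")
        if needed_scope not in info["scope"]:
            raise ConsentError(f"token lacks scope {needed_scope}")
        return info["sub"]

    def accounts(self, token):
        return self.ledger[self._authorise(token, "accounts:read")]["accounts"]

    def transactions(self, token):
        return self.ledger[self._authorise(token, "transactions:read")]["transactions"]


def demo():
    """Walk a budgeting app through grant, use, scope limit, expiry and revocation."""
    now = [1_000_000.0]                                  # controllable clock
    auth = AuthorizationServer(token_ttl_seconds=600, clock=lambda: now[0])
    ledger = {"cust-1": {"accounts": ["ACC-0001"], "transactions": [{"amount": -12.50}]}}
    api = AccountApi(auth, ledger)                       # constructed sample data
    consent_id, token = auth.grant("cust-1", "tpp-budget-app",
                                   {"accounts:read", "transactions:read"}, {"accounts:read"})
    outcome = {"accounts": api.accounts(token)}          # approved scope works
    try:
        api.transactions(token)                          # never approved -> refused
    except ConsentError as err:
        outcome["transactions"] = str(err)
    auth.revoke("cust-1", consent_id)
    outcome["after_revoke"] = auth.introspect(token)["active"]
    return outcome


if __name__ == "__main__":
    print(demo())
```

The key design point is that the resource server never decides on its own whether a token is good: it asks the authorisation server, so revocation by the customer and expiry take effect immediately on the next API call, and a token approved for `accounts:read` cannot be stretched to read transactions.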
3 – Strong Customer Authentication
PSD2 mandates that financial institutions enforce Strong Customer Authentication (SCA) when customers perform certain actions, and this includes Open Banking. Typically, when considering authentication mechanisms, we consider three factors: knowledge (something you know), possession (something you have) and inherence (something you are). To achieve SCA, at least two of these three factors need to be examined during an authentication event. Organisations must examine their authentication procedures and in many cases re-engineer these to comply with PSD2.
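The "two of three factors" rule above, as an added example (written for this post, not taken from any vendor or regulator code): each authentication method is mapped to its factor category, and an authentication event only counts as SCA when successful checks span at least two distinct categories. The point it makes that the prose does not spell out is that two methods from the same category, such as a password plus a PIN, are still only one factor. The method names and the mapping are assumptions for illustration.

```python
# Mapping of authentication methods to the three PSD2 factor categories.
# The method names and this mapping are assumptions constructed for the example.
FACTOR_OF = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "registered_device_otp": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def verified_factors(event):
    """Return the set of factor categories with at least one successful check.

    `event` is a list of (method, passed) pairs recorded during one
    authentication attempt; failed checks contribute nothing.
    """
    categories = set()
    for method, passed in event:
        if method not in FACTOR_OF:
            # Refuse to count anything we have not classified rather than guess.
            raise ValueError(f"unclassified authentication method: {method}")
        if passed:
            categories.add(FACTOR_OF[method])
    return categories


def meets_sca(event):
    """True when the event verified at least two distinct factor categories."""
    return len(verified_factors(event)) >= 2


if __name__ == "__main__":
    # Constructed authentication events for illustration.
    print(meets_sca([("password", True), ("pin", True)]))                    # False: both knowledge
    print(meets_sca([("password", True), ("registered_device_otp", True)]))  # True
    print(meets_sca([("password", True), ("registered_device_otp", False)])) # False: OTP failed
```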
4 – Trust & Governance
Institutions need a means by which to determine that a third party is fit and proper to access customer data. In the UK the Open Banking directory, managed by the FCA, delivers this assurance; however, at the time of writing no such facility exists across the rest of the world. Organisations outside of the UK must therefore implement their own third-party governance processes and the means to enforce them.
5 – Enabling Developers
Many of the organisations now grappling with Open Banking have never really had to think about the developer experience before. Designing, publishing and documenting a set of APIs and making them as easy to use as possible is not a simple problem, and it really requires a whole different way of thinking. PSD2 also mandates that organisations make available a development sandbox that allows third parties to test their integrations in advance.