Achieving robust cyber-security in a connected banking environment
The need for a new approach
Our report Open Banking – How to flourish in an uncertain future examines how the remedies prescribed by the European Commission’s revised Payment Services Directive (PSD2) and Competition and Markets Authority’s mandate of an Open Banking Standard are likely to be the catalyst of a transformation in retail banking.
As access to retail customer banking data is opened up to third parties, Open Banking is expected to drive innovation, levelling the playing field between incumbents and new entrants. This is likely to lead to new business models fuelled by collaboration and integration, which is of particular interest from a cyber-risk perspective.
Our view is that Open Banking will, in the longer term, herald the introduction of ‘marketplace banking’, in which consumers can manage, access and acquire products from a number of different financial services providers via one interface.
However, it is not yet apparent how much time and industry coordination will be required to deliver a resilient, application programming interface (API)-enabled ecosystem that can be consistently relied upon to deliver consumer cyber confidence.
We believe that the successful implementation of the Open Banking remedies requires a transformational cyber-risk approach in the context of bank legacy systems.
More connectivity, greater exposure to risk?
In principle, the innovative Open Banking services that are expected to emerge from this data-driven transformation could reduce overall technology risks to the banking system by distributing them more broadly.
However, partially dissolving the traditional secure perimeter of retail banks and connecting innovative FinTech solutions to heritage infrastructures may inadvertently increase the opportunities for cyber-attacks.
For instance, sharing personal account information between greater numbers of payment service providers increases the number of possible attack points for cyber criminals looking to steal customer data.
In a flexible, hyper-connected operating model, a cyber incident has the potential to create a cascade effect across multiple providers. Such an event would likely cause the affected providers to incur consequential loss and reputational damage, and would lower consumer confidence in Open Banking products overall.
There are challenges for both new entrants and incumbents in managing cyber-risk in a transformed banking landscape. New entrants into the payments market are less likely to have been exposed to managing the typical risks inherent in such a business. Conversely, incumbent retail banks have robust defences against information security attacks, but may struggle to incorporate significant business model changes into their legacy systems.
Mitigating cyber risks
Successful players in the ecosystem will ensure that they comply transparently with data privacy and data protection regulations, including the General Data Protection Regulation (GDPR), as they share customer transaction data with third parties. Contemporary privacy practices, in addition to the Open Banking Implementation Entity’s Consent Model Guidelines [1], can be reasonably expected to apply to all client and payment data, helping to minimise the amount of personally identifiable information (PII) distributed across the ecosystem and reducing the risks of data leakage.
For such organisations, maintaining a user-friendly experience from a (mobile) personal platform, through a secure messaging layer to a personalised banking or payments service, will require co-operation between all involved parties. Competing brands will now be encouraged to collaborate in a mutual trust model for the benefit of their shared consumers.
Secure software development practices and robust DevOps [2] processes will be essential to delivering successful services at the pace of an innovation-led, consumer-focused business. Increasing levels of customer expectations, and, therefore, higher churn where these are not met, will force incumbents to adapt their business models, regardless of the constraints posed by legacy systems and structures.
Most importantly, however, the commitment to Open Banking warrants a review of traditional security postures and increased collaboration between all parties in the ecosystem. This will be essential if incumbents and new entrants alike wish to maintain consumer cyber-confidence while, at the same time, delivering a reliable, personalised offering.
[1] Consent Model Guidelines, Open Banking Implementation Entity, October 2017. See also: https://www.openbanking.org.uk/wpcore/wp-content/uploads/2017/10/Consent-Model-Guidelines-Part-1-Implementation.pdf
[2] DevOps is a software delivery approach, culture or practice that brings development teams and other IT stakeholders together to achieve a common business goal of delivering work faster while maintaining excellence in quality. See also: https://www2.deloitte.com/content/dam/Deloitte/global/Documents/About-Deloitte/gx_about_deloitte-agile-devops-advisory-transformation-delivery_Deloitte-Enterprise-Agility-and-DevOps-Brochure.pdf