Security Is Biggest Open Banking Concern in US
August 25, 2021
By: Kate Drew
Security is the top concern about open banking among US bank executives, according to CCG Catalyst’s 2021 US Banking Study. A whopping 61% of respondents selected security across a range of concerns, making it the top option by a wide margin; budget came in second at just 16%. This result is perhaps not all that surprising — open banking centers on sharing data, usually customer data, with third parties. For a bank, that can feel very scary. And these concerns are not unfounded: application programming interfaces (APIs), the mechanisms through which open banking is typically delivered, can be vulnerable to attackers if not properly designed and maintained. However, with the right approach, putting in place an API strategy to support open banking could actually increase security.
Customers today are using third-party fintech apps in droves, and they are generally going through data aggregators to connect these apps to their bank data — one in four consumers with a US bank account has connected to an app via data-sharing specialist Plaid, for example. These data aggregators, which consumers may not even realize they are using, often pull down the data fintech apps need through a process called screen-scraping. Essentially, they present a screen that mirrors the bank’s login page, collect the user’s credentials, and then log in on the user’s behalf. Because this process requires a user to hand over their login credentials, it comes with major security concerns. Providing tokenized access to the bank via an API is much more secure: the third party holds a token the bank can revoke rather than the customer’s login credentials. In fact, a number of large institutions including Chase and Wells Fargo have inked direct agreements with Plaid to provide secure access to customer data, with consent, in part to eliminate screen-scraping from their systems. In addition to security, these agreements allow for greater control; for example, Wells Fargo customers can turn data-sharing with Plaid-supported apps on and off from inside their banking app.
Although API access is more secure than screen-scraping, it has to be done right. That means following best practices to avoid vulnerabilities. Most API management platforms today align with industry standards, including support for different security schemes such as API keys and basic authentication. But it’s important to understand the different options and ask the right questions. It’s also critical to choose the right partners; not only on the API management side, but also when it comes to who you’re providing data access to. Fintechs tend to understand the importance of security — it’s central to their adoption — and larger players like Plaid have extremely robust controls, but ongoing audits of all third-party partners to ensure they remain compliant with bank standards are generally good practice, as well.
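To make the contrast between credential sharing and tokenized access concrete, here is an added example (written for this article, not code from Plaid, Chase, Wells Fargo or any API management platform). It models the bank-side pieces that screen-scraping cannot offer: a consent grant that binds a token to one third-party client, one customer, an explicit scope list and an expiry, and a customer-facing revocation that acts as the "turn data-sharing on and off" switch. The function names, the in-memory consent ledger, the HMAC signing key and the sample client and customer identifiers are all assumptions constructed for the example.

```python
"""Added example: tokenized, consent-scoped access to a bank API.

Screen-scraping hands the aggregator the customer's password, so the third
party holds a credential that unlocks everything and cannot be distinguished
from the customer at the bank's front door. The token model below instead
gives the third party a signed bearer token that is bound to one client, one
customer, a scope list and an expiry, and that the customer can switch off.

Everything here (function names, ledger, key, ids) is an assumption made for
illustration, not any institution's or vendor's implementation.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Server-side signing key; a real deployment would keep this in an HSM/KMS (assumption).
_SIGNING_KEY = secrets.token_bytes(32)

# Consent ledger: grant_id -> record. The customer's on/off toggle flips "active".
_GRANTS: Dict[str, dict] = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_grant(client_id: str, customer_id: str, scopes: List[str],
                ttl_seconds: int, now: Optional[float] = None) -> str:
    """Record a consent grant and return a signed bearer token for it.

    The third party receives only this token, never the customer's password.
    """
    now = time.time() if now is None else now
    grant_id = secrets.token_hex(8)
    _GRANTS[grant_id] = {"client_id": client_id, "customer_id": customer_id,
                         "scopes": sorted(set(scopes)), "active": True}
    claims = {"gid": grant_id, "cid": client_id, "sub": customer_id,
              "scp": _GRANTS[grant_id]["scopes"], "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, client_id: str, required_scope: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Check signature, expiry, client binding, scope, and that consent is still on.

    Returns (allowed, reason) so the API gateway can log the exact denial cause.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        presented = _unb64(sig)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking signature bytes through timing.
    if not hmac.compare_digest(expected, presented):
        return False, "bad_signature"
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        return False, "expired"
    if claims["cid"] != client_id:
        return False, "wrong_client"        # token presented by a different partner
    if required_scope not in claims["scp"]:
        return False, "insufficient_scope"  # e.g. a balances token used for payments
    grant = _GRANTS.get(claims["gid"])
    if grant is None or not grant["active"]:
        return False, "revoked"             # customer switched data-sharing off
    return True, "ok"


def revoke_grant(token: str) -> bool:
    """The customer's 'turn off data sharing' action. Returns True if a grant was switched off."""
    grant_id = json.loads(_unb64(token.split(".", 1)[0]))["gid"]
    grant = _GRANTS.get(grant_id)
    if grant is None or not grant["active"]:
        return False
    grant["active"] = False
    return True


if __name__ == "__main__":
    # Constructed sample: a budgeting app gets read-only access for one hour.
    tok = issue_grant("app-budget", "cust-42", ["accounts:read", "balances:read"], 3600)
    print(verify_token(tok, "app-budget", "balances:read"))   # (True, 'ok')
    print(verify_token(tok, "app-budget", "payments:write"))  # (False, 'insufficient_scope')
    revoke_grant(tok)
    print(verify_token(tok, "app-budget", "balances:read"))   # (False, 'revoked')
```

The point to take from the design is what each denial reason buys the bank: a scraped password gives none of them, whereas the token lets the gateway refuse a partner that replays another partner's token, a token used outside the scope the customer consented to, a stale token, and any token the customer has switched off, and each refusal is attributable to a specific client in the logs.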