The Threat of Open Banking Fraud
Open banking is now required by law in Europe and other parts of the world, and market forces are helping to drive the adoption of open banking standards elsewhere. Open banking is a game changer for the world of financial technology, and it’s delivering great things for consumers—but whenever fraudsters smell change, newness, and unfamiliarity, they move in to attack.
The innovations and opportunities brought by open banking also have the potential to create new vulnerabilities to various forms of online fraud. What do merchants need to know about open banking and the fraud threats that may come with it?
The revised Payment Services Directive, or PSD2, was enacted in 2015 to update and modernize the rules for payment services providers in the European Union.
Among its mandates was the requirement for open banking, which grants consumers greater control over their financial data and compels banks to make that data accessible to third-party financial services providers via open-source technologies such as APIs.
The adoption of open banking standards (and enforcement of the PSD2) has been rolling out across the EU and the UK over the past few years. Open banking isn’t yet required by law or regulation in the United States, but based on the conveniences and benefits afforded by fintech products that comply with open banking requirements, calls are growing for banks to willingly embrace the open banking standard.
The problem is that while the PSD2 regulations do intend for bank communications involving customer data to be properly secured, there is little they can do or say about the evolving fraud threats that are developing in response to this disruptive new standard.
Merchants who accept payments via open banking technologies, and especially fintech providers themselves, should always be aware of the current state of open banking fraud.
What are the Uses and Benefits of Open Banking?
Open banking is taking off because it really does have a lot of good things to offer the average consumer.
It gives them more choices and power when it comes to managing their financial accounts, allows for direct peer-to-peer payment schemes, and encourages greater innovation, interoperability, and competition among fintech developers.
Aside from having a wider variety of apps and tools for managing their finances, open banking also makes it easier for consumers to shop for, compare, and ultimately find more favorable rates on things like home loans.
What is Open Banking Fraud?
With open banking initiatives in place, banks cannot provide any protections for customer data that has been accessed by third-party providers. In effect, open banking creates multiple points of exposure for customer data—one for every third-party service provider, tool, or app that the customer uses. What’s more, each of these points contains a single key vulnerability: the API connection.
It’s fair to assume that a big bank can put more resources into data security than a fintech startup can. Under open banking, the number of possible locations for a data breach increases, and not all of them will be equally secure.
Fraudsters could assess the relative defenses of various interconnected targets and find a weak link in the chain to attack. Worse yet, fraudsters could set up a front business and pose as a fintech provider for the purpose of stealing financial data from their “clients.”
Among the more popular byproducts of open banking are financial management apps, which allow users to review and connect all of their financial accounts in one place. When fraudsters can hack into these apps, they too get to see the big picture of their victim’s finances, which may point them to other high-value targets to attack.
The proliferation of new fintech apps and providers also makes consumers more susceptible to phishing attacks.
Consumers may be familiar with how and when their bank communicates with them and makes them authenticate their identity, but they may have no such precedent or expectation for their third-party service providers who request sensitive login or banking information.
This means that novel or timely phishing attacks may be treated with less suspicion, even by consumers who are familiar with such attacks.
Finally, another net result of open banking is an increase in the overall volume of financial transactions, which always gives cover to fraudsters. To keep pace with the increasing volume, merchants, processors, and banks are all under pressure to ease up on monitoring and filtering for fraudulent transactions.
What Can Be Done to Prevent Open Banking Fraud?
Banks and third-party fintech providers are in the best position to detect and prevent open banking fraud, and ideally they will work in collaboration to devise stronger technological protections and safer best practices for their shared industry.
Merchants who have some involvement with open banking should be aware of the ways in which it can be made more secure. It’s important to keep in mind that two-factor authentication alone is not a guarantee against online banking fraud; sophisticated fraudsters are likely to use a SIM swap attack, which redirects SMS verification codes to a phone they control, when they’re going after a specific target’s accounts.
If you’re storing customers’ financial data, it’s better to use multi-factor authentication that uses some other method of identity verification, such as biometrics or a blockchain-based solution, in addition to SMS verification.
Not all of these methods need to come into play every time—security tools that use risk scoring to assess fraud danger can be used to minimize the friction for low-risk users.
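One way the risk-scored step-up described above could be expressed, as an added example that is not from the original article. The signal names, weights and thresholds are assumptions chosen for illustration, as is the rule that a recent SIM change disqualifies SMS as a factor.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative values only: assumptions for this example, not taken from any standard.
SIM_CHANGE_WINDOW_DAYS = 7   # how long a SIM change keeps SMS untrusted
STEP_UP_SCORE = 30           # at or above this, ask for a second factor
STRONG_SCORE = 60            # at or above this, require a non-SMS factor as well


@dataclass
class LoginContext:
    known_device: bool
    days_since_sim_change: Optional[int]  # None = carrier signal unavailable
    new_payee: bool
    amount: float
    typical_amount: float


def sim_recently_changed(ctx: LoginContext) -> bool:
    d = ctx.days_since_sim_change
    return d is not None and d <= SIM_CHANGE_WINDOW_DAYS


def risk_score(ctx: LoginContext) -> int:
    """Add up weighted signals into a 0-100 score."""
    score = 0
    if not ctx.known_device:
        score += 30
    if ctx.new_payee:
        score += 20
    if ctx.amount > 3 * ctx.typical_amount:
        score += 25
    if sim_recently_changed(ctx):
        score += 40
    return min(score, 100)


def required_factors(ctx: LoginContext) -> list:
    """Low-risk sessions get no extra friction; riskier ones step up."""
    score = risk_score(ctx)
    factors = ["password"]
    if score >= STEP_UP_SCORE:
        # After a recent SIM change an SMS code may reach the attacker,
        # so the step-up falls back to a factor that is not tied to the number.
        factors.append("biometric" if sim_recently_changed(ctx) else "sms_otp")
    if score >= STRONG_SCORE and "biometric" not in factors:
        factors.append("biometric")
    return factors
```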
Whenever people find an exciting new way to exchange money or data, the fraudsters will be there, looking for ways to take advantage. There is so much potential for good things to come from open banking, and that’s why it’s so important for strong protections to be put in place as early as possible.
Right now, open banking fraud is more of a problem for banks and fintech providers. This type of fraud does not directly impact merchants dealing with credit card chargebacks, except insofar as the increased data exposure gives fraudsters more resources for impersonating identities and getting away with credit card fraud.
Nevertheless, any merchant who might be affected by open banking fraud needs to factor it into their overall defensive strategy.