How Secure is Open Banking, Really?
Open banking as we know it today has only been around since the mid-2010s, and although it has become the norm in Europe because of legislation like the General Data Protection Regulation (GDPR) passed in 2016, it’s taken a little bit longer to catch on in the United States. Open banking is built around the idea of opening banking data to third-party entities. Instead of banks being closed, self-contained systems, open banking makes financial data readily available to other parties who have been given permission to access it. In this blog post, which is part 3 of a blog mini-series discussing data security (you can access part 1 here and part 2 here), we’ll be exploring the question: is open banking actually a secure way to access and port financial data?
A Common Example First: Single Sign-On
Before we jump into the specifics of open banking security, let’s consider an easier concept: single sign-on (or SSO). SSO is a way to authenticate users across connected yet independent software systems. Instead of having to create a new login for every single website or app that requires one, SSO allows a user to log in to an external program using, for example, their Google-verified credentials (or Facebook, or Twitter, etc.). The user doesn’t need to re-enter their login information: the original authentication result is shared with the external app or site as soon as the user gives permission for it to be shared. In other words, the credentials a user already holds elsewhere grant access to an otherwise unrelated app or website. When a user chooses this route rather than creating a new independent login, they are giving permission for the two systems to share information with each other.
Pros and Cons of SSO
Anyone who has used it can see: SSO is beneficial, primarily because it makes it easier for users to access new applications. They don’t have to make a new username and password for every app they use. Considering the average person has over 80 apps on their devices and counting, many of which require some kind of sign-in, this can be extremely helpful.
Despite its benefits, however, SSO can be risky, particularly when it comes to keeping a user’s login information secure. As we’ve stated before in previous articles, the more places data of any kind is stored or shared, the more possibility there is for it to be accessed by people who shouldn’t be accessing it. Not all apps are created equal – they don’t all follow the same security protocols or processes, so some may be more vulnerable to a data breach. And if someone does compromise a person’s login data, that attacker now has access to every app or system the user signs into with that SSO.
Comparing Open Banking to SSO
SSO should follow a protocol known as OAuth in order for protected data to be accessed from another source (although sometimes it follows other protocols). In SSO, OAuth looks something like this:
- An app or website that a user wants to access sends a token that contains some information about the user to the Identity Provider (like Google, Facebook, etc.) the user has selected
- The Identity Provider matches the information on the token with their user data and then sends a token back to the requesting app or website, verifying that user without sharing the user’s actual password
- Once the initial app or website receives the token, the user is granted access
Open banking also uses the OAuth protocol and follows a similar flow, although another player is now involved – a portability platform that regulates the sharing of financial data between two unrelated systems. In open banking, OAuth looks like this:
- An app sends a token with info connected to a specific user to their portability platform
- The portability platform passes that token to the user’s bank or financial institution
- The bank then verifies the information about that user and sends the token back to the portability platform
- The portability platform sends the token back to the initial requesting app, establishing an ongoing pathway between the app and the bank for the user’s financial data to travel
For open banking, banks prefer to work directly with portability platforms rather than establishing OAuth with every single application requesting financial data. So portability platforms act as a middleman between apps and banks, establishing and maintaining the relationship between them.
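To make the four-step flow above concrete, here is an added Python model of it (example code written for this post, not code from the original article or from Pentadata; the class names, the signing key and the sample user are assumptions). It shows the three properties the flow is meant to give: only the bank ever handles the user’s password, the token the platform relays is bound to one app and one scope, and the user opting out invalidates it.

```python
import base64, hashlib, hmac, json, time

BANK_KEY = b"constructed-bank-signing-key"   # constructed, bank-only secret

class Bank:
    """Step 3: the only party that ever sees the user's password."""
    def __init__(self):
        # Constructed sample user; a real bank would use a slow password hash.
        self._pw_hash = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}
        self._revoked_users = set()
    def verify_and_issue(self, request, password_typed_on_bank_screen):
        stored = self._pw_hash.get(request["user"])
        typed = hashlib.sha256(password_typed_on_bank_screen.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, typed):
            return None
        claims = {"user": request["user"], "app": request["app"],
                  "scope": request["scope"], "exp": int(time.time()) + 3600}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(BANK_KEY, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + sig
    def accept(self, token, app, scope):
        # Every later data request re-checks signature, audience, scope, expiry, revocation.
        body_b64, sig = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        good = hmac.new(BANK_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, sig):
            return False
        c = json.loads(body)
        return (c["app"] == app and scope in c["scope"]
                and c["exp"] > time.time() and c["user"] not in self._revoked_users)
    def revoke(self, user):
        self._revoked_users.add(user)   # the user opting out kills all their tokens

class PortabilityPlatform:
    """Steps 2 and 4: relays the request and the token, never a password."""
    def __init__(self, bank):
        self.bank = bank
    def forward(self, request):
        return dict(request)   # step 2: hand the app's request to the bank
    def fetch(self, token, app, scope):
        return self.bank.accept(token, app, scope)   # step 4 onward: app -> platform -> bank

def run_flow(bank, platform, password):
    # Step 1: the app names the user, itself and the scope it wants; no password.
    request = {"app": "budget-app", "user": "alice", "scope": ["accounts:read"]}
    token = bank.verify_and_issue(platform.forward(request), password)  # steps 2-3
    ok = token is not None and platform.fetch(token, "budget-app", "accounts:read")
    stolen = token is not None and platform.fetch(token, "other-app", "accounts:read")
    return token, ok, stolen
```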
Pros and Cons of Open Banking
Open banking is a relatively new concept that’s still gaining traction in North America and understandably has some shortcomings. For example, there’s always some degree of risk whenever data is shared, even if it’s through a well-thought-out protocol like OAuth. Second, open banking legislation is still under development and therefore isn’t implemented the same way in all countries (it’s different in the EU vs. the U.S., for example) or isn’t present at all in some areas (open banking isn’t yet available in Latin America). Additionally, right now only large, modern banks are able to support open banking processes. Lastly, the user experience of open banking can be somewhat clumsy and complicated – the user goes from one app’s screen to another, then to the bank’s, and then back to the first, assuming everything worked the way it was supposed to.
Despite these shortcomings, however, we believe the advantages of open banking far outweigh the disadvantages. Here are four significant ways open banking can benefit businesses, consumers, and banks:
1. It Costs Less
Open banking omits the fees associated with traditional payment networks or cards, so apps and users end up paying less.
2. It Cultivates More Engagement
With access to specific financial data, apps can personalize their services. Users are more motivated to engage with services from apps and banks when they know that the services or products are tailored to them and their needs.
3. It’s More Secure
Everyone involved in the open banking process – apps, portability players, and banks – is legally required to follow the highest security protocols that currently exist. Open banking APIs are the most secure way to share data to date.
4. It Implements Innovative Solutions
When fintechs have access to personal financial data, they can develop creative solutions to problems that are unique, streamlined, and convenient for all people.
So How Secure is Open Banking?
Open Banking was developed with users in mind, giving them control over sharing their personal information. It’s always a user’s decision as to who they will share their information with and when, and they can opt out of that sharing relationship any time they want to. Additionally, open banking was built according to rigorous security protocols, so users really can trust that it will keep their information private and secure. All parties involved in open banking have to follow a specific set of rules and standards in order to keep their users’ information as safe as possible. And those rules are continually regulated and updated whenever necessary. In open banking, users aren’t ever asked to share their banking credentials/login with anyone except the bank or financial institution they’re already using. Open banking uses APIs to transfer data from the bank to third-party apps, not screen scraping, and only portability platforms that have passed the highest tests of security are allowed to conduct open banking.
Open Banking Peace of Mind with Pentadata
Pentadata is a portability platform for open banking, meaning our APIs regulate the sharing of data between financial institutions and apps. Because of our commitment to following the best security practices possible, we’ve been approved to work with all major North American banks. We have a reputation for not only being extremely trustworthy but also having the widest coverage of financial institutions on the continent.
Are you ready to try out open banking with Pentadata? By creating a developer account right now, you can instantly see how our APIs work and how they can make a difference for your app.