Open banking is a relatively new scheme to drive more innovation in the financial sector. Under this scheme, banks can share customer account information with third parties, provided they have the customer’s consent. Third parties can be given access to:
- Accounts and balances
- Transaction history
- Standing orders
- Payment initiation
Open banking has tremendous potential, however, when harnessing it for your own business, it places a huge pressure on the security of your systems. You might think that very few people will hand over the keys to their bank account, but many customers simply accept terms and conditions and cookies whenever they pop up, without properly examining what they are handing over.
This means that third parties will often find themselves with a similar level of access to a customer’s financial information as banks. That will allow them to create new, more personalised financial services and marketing, but it also gives the third party much more responsibility to take care of that data.
Why Use Open Banking?
Open banking, initiated with the Payment Services Directive 2, aims to forge innovative collaborations between businesses and banks. Customers can share their banking information through an Application Programming Interface (API), enabling businesses to access account details, standing orders, and beneficiaries.
Businesses can use this information for new products and targeted advertising, for example:
You spent £120 in Supermarket S this week. The average weekly shop in Supermarket L is just £75. Making the switch could save you £45 a week. That’s more than £2,000 a year.
This tool could be very valuable to businesses looking to attract customers who want to save money, or who struggle to budget. The possibilities are endless with open banking.
Within the legislation, businesses can also request access to payment initiation within a customer’s account. This allows the business to send money from that account.
How Secure Is Open Banking For Customers?
The possibility of third parties accessing payment information and even making payments can be a worrying prospect for customers. These privileges are normally reserved for banks, who must have very sturdy cybersecurity. However, as third-party businesses gain similar access, it becomes imperative for them to elevate their cybersecurity standards to safeguard their customers effectively.
The fact that third parties can request access to a customer’s payment initiation is particularly attractive for would-be cyber attackers, who will see a business implementing open banking as a ripe target for an attack, as the rewards for them could be huge. However, with strong defences, you can still get the benefits of open banking while protecting yourself from the increased cyber threat that it brings.
Open banking is regulated so that only approved third parties can ask permission to access information. Every business looking to provide open banking must meet rules set by the Financial Conduct Authority, and then be approved by the Open Banking organisation. To navigate the evolving landscape securely, businesses must undergo penetration testing and comply with ISO27001.
The Crucial Role of Penetration Testing
Penetration testing finds weaknesses in your organisation’s cybersecurity by simulating a sophisticated cyber attack. Pen testing is important for any business, but it becomes much more important when you have access to banking information. Having that level of access makes you more of a target for bad actors looking to break in and steal those details.
Penetration testing should be used as a tool to give you a comprehensive overview of your systems and test how strong they are, not as a starting point for your cybersecurity journey. In other words, you should undergo pen testing when you are confident all the holes in your defences are plugged, not to find out where all the holes are. This way, you can take the (hopefully successful) results of your pen test, and use them to prove to the FCA, customers or clients that you take cybersecurity seriously and have the defences to prove it.
When you are looking for a penetration testing provider, you must make sure that they are CREST-accredited. This accreditation means they are a legitimate provider of pen tests that you can trust. OmniCyber Security, as a CREST-accredited provider, offers comprehensive penetration testing services delivered by world-class pen testers.
Another way into open banking for a potential hacker is through the Application Programming Interface (API) that connects the third party to the customer’s bank. In an open banking situation, the bank will provide the API for third parties to view. This interface must be rigorously tested to make sure no bad actors can hook into the API and start asking customers for permission to access their information through phishing. At OmniCyber Security we also offer expert API testing services to make sure your system is secure.
Businesses wishing to use open banking must be approved by the Open Banking organisation, and to get that approval, they should be penetration tested and comply with ISO27001. OmniCyber Security can provide you with all the support you need to make your service secure enough to enjoy the opportunities offered by open banking.
For tailored penetration testing services to unlock the potential of open banking, contact OmniCyber Security today. Our expert team is ready to guide your organisation toward a secure and successful open banking implementation.