A cautionary tale of open banking
Many banks are concerned with the potential impact of partnering with a technology company, and the subsequent lack of control when integrating into open banking.
Traditional banks already face many risks, and the switch to open banking increases their appeal as a target for cyberattacks and fraud. Malicious actors can take advantage of the opportunity to find creative new ways to gain access to customer information, resulting in new risks from an operational, conduct and financial crime perspective.
While open banking presents risk to the bank, it also presents an opportunity to leverage more resources in fraud prevention.
Financial institutions can use digital partners and their digital networks to better identify and mitigate the threat of financial crimes, such as fraud or money laundering. Additionally, banks will be forced to respond to fraud more quickly and efficiently. Fraud prevention will have to be as smooth and seamless as the open banking process itself.
However, open banking poses unique risks across a bank’s operations, technology infrastructure and third-party partnerships, and with respect to financial crimes. These risks will need to be successfully mitigated by all open banks. Open banking will also create new systemic risks that will require the entire industry to evolve.
Banks will have to transition from nightly batch processes using on-premise hardware to streaming data within a cloud environment. This will require a cybersecurity framework that balances safeguarding against hackers with speed, integration and innovation. The cybersecurity framework will also have to account for potential vulnerabilities in third-party partners, layered relationships and related platforms.
Banks that go “open” will need to ensure that their third-party partners and external developers maintain the trust of the customer. This also requires performing the appropriate due diligence, monitoring partners and instituting controls through application programming interfaces, or APIs. This ensures that actions are only taken with the consent of the customer, that information is represented to customers accurately and that partners act in the best interest of the customer.
Banks have invested heavily in third-party risk management, and open banking is an opportunity to see a return on that investment.
However, one way to mitigate third-party risk is to create and require the use of compliance APIs designed to ensure the third party meets the bank’s policies, procedures and applicable regulations.
Another critical point to keep in mind when transitioning to open banking is that it will require a platform approach to detecting and preventing financial crimes. This will cause banks to partner with best-in-class identity services and establish sound practices for information management across platform ecosystems.
Open banking and identity services are both still evolving to meet the needs of the new digital economy. These communities will need to connect at the hip to prevent fraud, avoid identity theft and deter other financial crimes, like money laundering.
All banks will need to thread the needle between fraud protection, privacy laws, money-laundering regulations and enabling the digital customer. Ultimately, open banks will have a technology advantage over traditional banks by adapting quickly to better prevent fraud through successful API integration.
Yet, there are also systemic risks. Open banking could impact the entire financial services industry in ways that cannot be fully anticipated.
For example, how will banks and regulators perform asset-liability management in a world where bank-to-bank transfers settle instantaneously?
Fintech companies are diligently working to disintermediate bill pay from banks, while others are establishing virtual marketplaces to allow bots to instantaneously compare rates on behalf of customers among thousands of financial institutions.
It’s easy to imagine scenarios where pricing glitches within market platforms could cause these financial bots to rapidly move money out of institutions, ultimately causing a “flash crash” on an institution’s liquidity.
These liquidity events could have the same impact as a bank run, and will change the nature of core deposits as consumers become more and more digital.
Lastly, systemic dependencies on third-party enablers could attract bad actors. If bad actors infiltrate a third party that’s common to many financial institutions, they could compromise multiple banks at once, causing a systemic security event.
Additionally, sophisticated bad actors infiltrating a complex network of banks could make it very difficult to readily identify data breaches across institutions, thereby making it even harder to perform the digital forensics needed to prevent further attacks.
While open banking has some clear advantages to consumers, it poses considerable risks to existing financial institutions. Transitioning to an open bank will require a paradigm shift in traditional banking culture and processes.
Banks will have to work harder to create efficient layers of protection through authentication and leverage the technical expertise of third-party partners.
Ultimately, banks will have to become more like tech companies by enabling easy integration while maintaining security. During the transition, banks will have to manage extensive internal changes, meet emerging consumer trends, manage emerging risks and navigate an ever-changing regulatory landscape.
Editor's note: This BankThink is the second in a four-part series on open banking, the potential risks and how to regulate it. The first examined the process of becoming an open bank.
The opinions expressed in this article are those of the authors, intended for informational purposes only, and should not be attributed to Regions Financial Corporation or any of its subsidiaries or affiliates, including Regions Bank. Any representation to the contrary is expressly disclaimed.