Open Banking: What It Is, What It Risks, And How To Protect Your Data
A newer topic that has been circling around the internet recently is the idea of “open banking.” You might be wondering what this is from a technology standpoint, how it will likely be done, and what are some of the privacy and security concerns you should be concerned about from both a company and a customer standpoint.
Let’s start by defining what open banking is. In short, open banking is the practice of allowing banks and third-party financial service providers—for instance, budgeting apps and cash flow management tools for businesses—secure access to your banking and other financial. In more granular terms, open banking involves third-party developers having access to open APIs to build applications and services around a financial institution. Doing so requires greater financial transparency options for account holders, ranging from open data to private data. Open source technology is used to achieve all of the above.
Why Open Banking?
Open banking has the capability to improve the availability of financial services, such as allowing a customer to more easily share financial information with a mortgage lender or connect a bank account to a third party so it can make payments from your bank account on your behalf.
But while open banking promotes significant ease for customers, it is not without its risks.
Your financial data is at the mercy of these third parties when it comes to handling. With open banking, your bank, investment, or other financial app will be able to openly share your data with any “financial services” company they wish. While there are regulations to follow such as GDPR, CCPA, SOX, GLBA, and PCI DSS, many organizations already struggle to meet all of these requirements even in the current more secured and restricted environments. How will they continue to meet them once their third-party vendors or third-party sharing list expands rapidly with open banking?
What Are The Risks?
Let’s dive into what some of the risk of this more open sharing could be. First off, because financial services organizations tend to run on older platforms, often patching is delayed and any existing APIs are weak. What some financial services companies then choose to do is employ cloud services (i.e. Microsoft® Azure, Amazon Web Service, Google) to run some of their services while customer data is pushed to a vendor cloud where the majority of the open banking and third-party sharing will occur. Just in this transfer alone from the traditional on-premises system to the vendor cloud, how can the financial organization ensure that outside parties only take the data that is absolutely necessary and not any restricted or sensitive data that should never be shared?
Secondly, once the data makes it to their vendor cloud, the financial organization has effectively released control. Thus, how do they ensure only the right accredited individuals have access? How is that going to be monitored and controlled? Do they know which vendor API or IP address belongs to which individual user?
Now let’s think about that same financial service receiving data from a third party. In your own banking experience, do you know which vendors or third parties your bank/service will grab information from? Will that third party have incorrect information about you? Will that data reveal something that could impact your existing service? How will this data be used, and why is it being shared? All of these questions need answering. As a matter of fact, regulations like GDPR and CCPA state that if a data subject or consumer should ask for their data, these types of details must be provided.
Which means the financial organizations need to have answers.
Preparing for Open Banking
While open banking has substantial merit, if organizations go unchecked, it could be detrimental to all parties involved.
That’s not to say that financial organizations should not pursue open banking. The benefits are plentiful. However, organizations that want to participate in open banking must ensure they are doing everything within their power to ensure a safe data environment. This is where the concept of “Privacy and security by design and default” comes into play.
For any and all business processes or IT processes, services, servers, or projects, organizations should be thinking about security and privacy first. Meaning, they should be thinking what security controls or solutions make sense for this process. Should this data be encrypted at rest and in transit? Should the organization apply strong access controls? Should there be ongoing data discovery to ensure the business fully understands the environment? Should data be masked? These are just some of the questions that Legal, Privacy, Security, and IT teams should all be asking.
Protect Data Access with PK Protect
Actively understanding where data is at all times and accurately protecting data for its use case are excellent starting points to preparing for open banking. PK Discovery is purpose-built to find sensitive and private data across the enterprise, from large data repositories to endpoints, in structured, unstructured, and semi-structured formats. Which means you can have instant and ongoing awareness about any data in the cloud that you don’t want third parties to be able to access. And once you find it, it’s easy to apply the right protection based on organizational policies, be it encryption, redaction, or masking with PK Protect Data Encryption and PK Protect Data Masking.
All of these solutions are part of PKWARE’s data discovery and protection suite, PK Protect. With the help of PK Protect solutions, organizations can ensure they never lose sight of what data they have where, and can be confident in their ability to adequately protect that data no matter where or in what type of system the data sits.
Let PK Protect keep your data safe while maintaining accessibility for open banking. Find out how by requesting your free personalized demo now.