The UK banking sector has traditionally wielded so much power over consumers that they have not had to evolve or compete for customers. This status quo means that – at least according to the Competition and Markets Authority (CMA) – consumers are often paying more for banking services than they should and are unable to take advantage of new services, as challenger banks struggle to emerge. To help address this issue, the CMA defined several remedies, the most important of which is Open Banking.
Open Banking mandates that the UK’s nine largest banks must enable customers to share their data securely with other banks and third parties in order to accelerate digital change, enable new types of banking services and increase competitiveness across the entire sector.
The EU’s amended payment services directive (PSD2) is similarly concerned with increasing digital competitiveness and consumer choice by forcing banks to share their customer data with Account Information Service Providers (AISPs) and enable online and mobile payments by Payment Initiation Service Providers (PISPs). PSD2 has significant overlap with Open Banking, and many believe PSD2 requirements can largely be achieved through the use of Open Banking.
In 2018 these regulations are due to come into force. Together they will herald a new era of digital financial services and entirely new ways of banking, which must be underpinned by the principle of customer consent: the customer decides who can access their information and what they are permitted to do with it.
A new era for digital services
For consumers, open banking and PSD2 will mean that moving banks will become almost seamless. Customers will be able to take their entire transaction history and data with them, putting a renewed emphasis on the quality of the banking experience for the customer. Payment providers will also face significant disruption as customers will be able to pay for online purchases directly with their bank account.
Beyond those basics, however, these changes will make a whole new set of digital services possible: banking aggregators that allow you to access multiple bank accounts in one place; your bank account as a loyalty card with automated retailer discounts calculated from your spending data; intelligent payment services that determine the best payment method to optimise your air miles; analysing spending patterns to monitor the health of dependents; and many more that will doubtless be conceived of by tomorrow’s entrepreneurs.
It’s all about data and consent
At the heart of open banking is the issue of user consent. For the first time, customers will control their banking data and be able to choose who gets to access it and what they can do with it.
Banks must ensure customer data is secure and must adhere to customer access instructions in a consent-driven way. Third-party service providers such as retailers and account aggregators must become identity enabled to partake of the benefits of this new world. The imminent arrival of the GDPR adds further challenges; for example, you will also have to ensure that users can revoke their open banking consent at any time.
At ForgeRock, we have been working with Payments UK and the Open Banking implementation entity in the UK to define the technical standards for open banking. One of the most important challenges to solve has been that of consent. How can users consent to the sharing of their data and the execution of their payments? And how can this be implemented before the early 2018 deadline?
Though rarely officially supported by banks, many third parties currently use “screen scraping” techniques to access customer data. This approach requires the customer to hand over their bank login credentials to the third party, which then logs in as the user, simulates their behaviour on the website and scrapes the data from the page. One aim of PSD2 is to prevent such approaches in favour of properly secured APIs.
A smart approach to access and authentication
What is needed to make this new open approach work is a consent-driven mechanism to invoke banking APIs securely. Fortunately, this problem has already been solved by the OAuth 2.0 authorisation standard.
OAuth enables users to consent to an application acting on their behalf without sharing their credentials with the application. A typical example of this would be enabling one of the many third-party Google Drive-related applications to connect to your Drive account without that app needing to know your Google credentials.
OAuth is a potential solution for authorising access to specific account functions such as reading a statement or making a transaction. In fact, the recently launched banks Monzo and Starling Bank are both using it today for exactly this purpose. However, OAuth was never designed to enable consent for dynamic items such as an online payment where values vary each time.
OpenID Connect (OIDC) builds on top of OAuth and enhances it. OIDC is typically used for federated authentication (e.g. “Login with your Google Account”), but it is more than just an identity layer. Importantly for Open Banking, OIDC not only defines a variety of standardised security tuning features on top of OAuth, it also defines a mechanism for the sort of consent we need to implement dynamic payments.
The Open Banking Work Group has formally recommended the use of OIDC for implementing open banking in the UK. This means that anyone who wishes to enter the open banking ecosystem must be OIDC enabled: banks, aggregators and any other third party, including retailers who want to process open banking payments.
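To make the two points above concrete (OAuth scopes cover static account access; a dynamic payment needs consent bound to the specific payment), here is an added, self-contained simulation written for this article. It is not ForgeRock code and not the Open Banking standard's reference implementation. A `Bank` object plays both the OIDC provider and the API resource server; a third party (PISP) lodges a payment intent, signs an OIDC-style request object carrying that intent's id, the user authenticates at the bank (the PISP never sees the password) and consents, and the resulting access token only authorises the payment that was consented to. The scope names, the `payment_intent_id` claim, the in-memory storage and the use of HS256 with the client secret (real deployments use asymmetric keys) are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_request_object(payload: dict, client_secret: str) -> str:
    """TPP side: OIDC-style signed request object (JWS). HS256 with the client secret is an assumption."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Bank:
    """Plays both roles: OIDC provider (issues consent-bound tokens) and API resource server."""
    def __init__(self):
        self.users, self.clients = {}, {}   # username -> (salt, hash); client_id -> secret
        self.intents, self.codes, self.tokens = {}, {}, {}

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_pw(password, salt))

    def register_client(self, client_id):
        self.clients[client_id] = secrets.token_urlsafe(32)
        return self.clients[client_id]

    def register_payment_intent(self, client_id, amount, payee):
        """PISP lodges the exact payment first; its id later travels inside the request object."""
        intent_id = secrets.token_urlsafe(8)
        self.intents[intent_id] = {"amount": amount, "payee": payee,
                                   "client_id": client_id, "consumed": False}
        return intent_id

    def _verify_request_object(self, jws):
        header, body, sig = jws.split(".")
        payload = json.loads(_unb64(body))
        secret = self.clients.get(payload.get("client_id"), "")
        expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not secret or not hmac.compare_digest(expected, _unb64(sig)):
            raise PermissionError("request object signature invalid")
        return payload

    def authorize(self, request_object, username, password, user_consents):
        """Authorisation endpoint: user authenticates at the bank and consents to scope (and payment)."""
        req = self._verify_request_object(request_object)
        salt, stored = self.users[username]
        if not hmac.compare_digest(stored, _hash_pw(password, salt)):
            raise PermissionError("authentication failed")
        intent_id = req.get("claims", {}).get("payment_intent_id")
        intent = self.intents.get(intent_id) if intent_id else None
        if intent_id and (intent is None or intent["client_id"] != req["client_id"]):
            raise PermissionError("unknown intent or intent belongs to another client")
        if not user_consents(req["scope"], intent):
            raise PermissionError("user declined consent")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"user": username, "client_id": req["client_id"],
                            "scope": set(req["scope"].split()), "intent_id": intent_id}
        return code

    def token(self, client_id, client_secret, code):
        """Token endpoint: client authenticates, single-use code is swapped for an access token."""
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)
        if grant is None or grant["client_id"] != client_id:
            raise PermissionError("invalid authorisation code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = grant
        return token

    def read_accounts(self, token):
        grant = self.tokens.get(token)
        if grant is None or "accounts" not in grant["scope"]:
            raise PermissionError("insufficient scope")
        return {"user": grant["user"], "balance": 1234.56}   # constructed sample data

    def make_payment(self, token, amount, payee):
        """Static scope is not enough: the payment must match the intent bound to the token."""
        grant = self.tokens.get(token)
        if grant is None or "payments" not in grant["scope"] or not grant["intent_id"]:
            raise PermissionError("no payment consent")
        intent = self.intents[grant["intent_id"]]
        if intent["consumed"] or (intent["amount"], intent["payee"]) != (amount, payee):
            raise PermissionError("payment does not match consented intent")
        intent["consumed"] = True
        return {"status": "accepted", "amount": amount, "payee": payee}

def demo():
    bank = Bank()
    bank.add_user("alice", "correct horse battery staple")   # constructed test user
    secret = bank.register_client("retailer-pisp")
    intent = bank.register_payment_intent("retailer-pisp", 49.99, "Acme Ltd")
    req = sign_request_object({"client_id": "retailer-pisp", "scope": "openid accounts payments",
                               "claims": {"payment_intent_id": intent}}, secret)
    code = bank.authorize(req, "alice", "correct horse battery staple", lambda scope, i: True)
    token = bank.token("retailer-pisp", secret, code)
    out = {"balance": bank.read_accounts(token)["balance"],
           "payment": bank.make_payment(token, 49.99, "Acme Ltd")["status"]}
    try:   # same token, different amount: the consent does not cover it
        bank.make_payment(token, 500.00, "Acme Ltd")
        out["second"] = "accepted"
    except PermissionError as e:
        out["second"] = str(e)
    return out
```

Running `demo()` shows the three behaviours the text describes: the account read succeeds on scope alone, the consented payment succeeds once, and a second payment with a different amount on the same token is refused because the token is bound to one intent rather than to an open-ended "payments" permission. The request-object signature check is what stops a party that does not hold the client secret from asking the bank to authorise someone else's intent.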
With such unprecedented access to banking data and functionality being made possible for the first time, security is of paramount importance. PSD2 defines a number of regulatory technical standards (RTS); of particular importance is strong customer authentication (SCA). The cost and responsibility for implementing SCA will fall upon the banks; third parties will rely on it as part of the OIDC flow when customers are redirected to their banks to authenticate.
In this context, the SCA RTS covers elements such as two-factor authentication comprised of two of the following: knowledge (something you know), possession (something you have) and inherence (something you are). The RTS also suggests that risk factors such as location, transaction history and spending patterns, among others, should be monitored and factored into authentication and authorisation decisions.
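The following added example (written for this article, not ForgeRock's or any regulator's code) shows the two checks a bank's authentication step would combine: that the factors presented come from two distinct categories (a password plus a memorable PIN are both "knowledge" and do not count as two), and that contextual signals such as an unusual location, an amount far outside the customer's spending pattern or a never-seen payee raise the risk enough to demand a step-up or refuse the attempt. The factor-to-category mapping, the signal weights and thresholds, and the sample attempts are all constructed assumptions.

```python
from dataclasses import dataclass

# Which SCA category each factor belongs to (constructed mapping for the example).
FACTOR_CATEGORY = {
    "password": "knowledge", "memorable_pin": "knowledge",
    "otp_from_registered_device": "possession", "card_reader": "possession",
    "fingerprint": "inherence", "face_scan": "inherence",
}

@dataclass
class AuthAttempt:
    factors_passed: tuple        # factors the user has already completed successfully
    country: str                 # where the request comes from
    usual_countries: frozenset   # countries seen in the customer's history
    amount: float                # payment being authorised (0 for account access only)
    avg_payment_30d: float       # customer's average payment over the last 30 days
    payee_seen_before: bool

def sca_categories(factors):
    """Distinct categories satisfied; two 'knowledge' factors count once."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}

def meets_sca(factors):
    """SCA requires factors from at least two of knowledge, possession, inherence."""
    return len(sca_categories(factors)) >= 2

def risk_signals(attempt):
    """Score the contextual signals the RTS says should feed the decision (weights are assumptions)."""
    signals = []
    if attempt.country not in attempt.usual_countries:
        signals.append(("unusual location", 40))
    if attempt.avg_payment_30d > 0 and attempt.amount > 3 * attempt.avg_payment_30d:
        signals.append(("amount far above spending pattern", 30))
    if attempt.amount > 0 and not attempt.payee_seen_before:
        signals.append(("new payee", 20))
    return signals

def decide(attempt):
    """Return (decision, reasons): 'deny', 'allow', or 'step_up' naming the missing categories."""
    signals = risk_signals(attempt)
    score = sum(weight for _, weight in signals)
    reasons = [name for name, _ in signals]
    if score >= 80:
        return "deny", reasons + ["risk score %d" % score]
    if meets_sca(attempt.factors_passed):
        return "allow", reasons
    missing = {"knowledge", "possession", "inherence"} - sca_categories(attempt.factors_passed)
    return "step_up", reasons + ["need a factor from: " + ", ".join(sorted(missing))]

def run_samples():
    """Constructed attempts: one with two knowledge factors, one proper SCA, one high-risk payment."""
    usual = frozenset({"GB"})
    samples = {
        "pw_and_pin": AuthAttempt(("password", "memorable_pin"), "GB", usual, 20.0, 25.0, True),
        "pw_and_otp": AuthAttempt(("password", "otp_from_registered_device"), "GB", usual, 20.0, 25.0, True),
        "abroad_big_new_payee": AuthAttempt(("password", "fingerprint"), "US", usual, 900.0, 25.0, False),
    }
    return {name: decide(a) for name, a in samples.items()}
```

In `run_samples()` the password-plus-PIN attempt is sent to step-up even though two factors passed, the password-plus-device-OTP attempt is allowed, and the attempt from an unusual country for an amount far above the customer's pattern to a new payee is refused outright despite valid SCA, which is the kind of decision the RTS's risk-monitoring language is pointing at.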
Positives, negatives and opportunities
Open Banking is a mere seven months away and it is going to radically alter the banking and fintech industries forever. Large banks will need to ensure they can comply with the regulation and provide the sort of banking experiences that customers will expect and that more dynamic and agile competitors will provide.
Meanwhile, smaller, challenger banks have an exciting opportunity to steal market share from the more established players by providing compelling new experiences. Beyond banking, if you are a retailer of any kind, you will need to be identity-enabled in order to allow your customers to pay with open banking.
Whatever your business, open banking promises to significantly shake up the banking and payments ecosystem as we know it. This will undoubtedly bring challenges for established organisations but it also offers a whole new world of opportunity for those who can adapt effectively to these changes.
Sourced by Wayne Blacklock, senior customer engineer, ForgeRock