The banking landscape is changing as most of the modernized world focuses on Open Banking and on empowering financial technology (FinTech) companies that seek to disrupt how banking has traditionally been done. North America, Europe, Australia, and much of Asia are already major players in the FinTech market. The U.S. and EU are currently looking to expand Open Banking, and the UK has already adopted the Open Data API to allow customer data from banks to be made available to FinTechs in a standardized way.
While many banks have put in considerable effort to make using their services more convenient in the Internet age, they are largely built on older technologies and have considerable regulatory and compliance concerns that can slow this process. Using newer architectures and technologies from the ground up enables FinTechs to not only be more agile but to design their systems around the solution rather than design the solution around their systems. Many banks have already partnered with FinTechs to add popular services and capabilities such as person-to-person fund transfers, but the landscape is changing rapidly as many push for Open Banking to accelerate the transition to the new age of banking.
Open Banking stands to cause three major high-level shifts in the banking industry:
- Vastly increase the amount and rate of exchange of user data
- Introduce new technologies to an industry that's been largely operating on the same architecture for decades
- Significantly increase the number of companies engaged in these trends
Open Banking will drastically increase the amount of data associated with users being generated and transacted, as well as the number of entities accessing this data. To some extent this trend was inevitable, but Open Banking pushes for FinTechs to have better access to this data. While data can be powerful for advancing technology and quality of service, it is also widely used for more nefarious outcomes. For many jurisdictions, data exchange is prescribed to be opt-in, but it is doubtful that most users are fully aware of what they are opting into. What's more concerning is it seems that regulations have been left out of the planning process with the intent to address them after problems occur that warrant attention rather than proactively planning for negative outcomes.
The data perimeter is expanding as smaller, more specialized companies partner or exchange services to provide a more robust overall experience. While it is unlikely that most users know exactly where their data is going, in some cases not even the primary company handling it knows, as the “as a Service” revolution creates additional layers of abstraction along the data pipeline. It's not unheard of to have up to sixth-party access to data. In other words, five different companies utilizing each other’s services have touched a single piece of data, each with their own systems and (hopefully) security.
While empowering users to have control over their data has become more widespread—especially in the EU following GDPR—the landscape is often so complex it's impossible for a user to truly know the reach of their data, let alone have full control over it. Even many security professionals likely can't comprehend the full scope of securing such data, which is why architectures are built around the concept of shared responsibility where various components of security are divided among the parties involved based on the nature of how they handle the systems and data.
Data is a commodity sought after by many for a wide range of uses. Many of these uses are legitimate and for the benefit of the user, which is the aim of Open Banking making data more widely accessible. However, there are also many uses of data that are not for the benefit of the user. Targeted advertising is the safest way data is used outside of customer benefit and can include spam, which is a nuisance to the user. Data has also been used for profiling users in campaigns that attempted to manipulate their decision-making process. This doesn't necessarily harm the user but certainly could be viewed as unethical. Finally, data can be used in attacks against users’ accounts and privacy or through attempts to defraud them. Thus, it's vital to consider all the various scenarios in any risk assessments regarding making data more available, as well as measures to secure it.
Newly created software systems benefit from being able to use any technology or methodology available, but it is much more difficult for existing systems to do this due to incompatibilities or the significant changes that would be required. While banks may be able to add new features, the existing systems they must interface with are built around the technologies available when they were first implemented, which for many was decades ago. This may drastically limit the capabilities of these systems, but it has allowed their security to evolve over time as well. The better understanding gained with age also leaves less room for nuanced security holes. Thus, while most banks are using mainframes and running software written in programming languages that graduating students haven't even heard of, they are still some of the most secure and stable systems in existence.
Technologies such as cloud computing, machine learning, and blockchain are seeing wide adoption across emerging FinTech companies attempting to provide the best user experience possible. However, they may also provide the next attack surface. The security risks associated with these technologies can be complex, not widely known, or not even explored yet.
Cloud computing is quickly becoming the standard for how software is deployed, but the shared responsibility model for cloud security adds complexity and room for security holes if all parties involved don’t fully understand their security responsibilities. It takes cloud-specific security expertise to properly configure and manage these systems, which takes investment in human capital on the part of the companies using cloud services—investment that small startups often are not willing to make.
The FinTech movement also looks to machine learning to better serve potential customers and help make complex financial decisions. While machine learning holds huge potential, it is often not fully understood by those implementing it. Simply collecting a large dataset and pushing it through algorithms is a naive approach to machine learning. In reality, the data set must be carefully curated and the features selected with thought. Producing an inferior model in most cases will simply hurt the software using it, but when the model is being used for tasks such as making financial decisions on behalf of users or detecting fraud the stakes are greater. Emerging research is finding potential for tricking these algorithms to defeat or even mislead systems using them.
While blockchain is primarily associated with cryptocurrencies, the algorithms behind it are becoming increasingly popular for distributed computing systems that will likely be adopted by startups, including in the financial industry. Blockchain is based on cryptography, which in general should make it secure to use. However, cryptography is a complex system that only guarantees security when properly implemented and used. Security researchers have found several flaws in Bitcoin that could be leveraged in any blockchain implementation containing the same flaws. Several methods of compromising accounts have been found, including cracking private keys generated with weak methods, as well as attacking the math of the cryptography itself. Bitcoin has also been used to host unintended content through clever means, from images and popular written works to proof-of-concept malware. Once user data, or even representations of account balances, are widely stored on blockchains, there is potential for compromise if systems are not properly designed and managed.
The new generation of technologies stands to drastically change the world as we know it, arguably for the better. At the same time, these technologies are not fully understood and already have their own security challenges. Research into these challenges and methods to mitigate them has only just begun, so we are poised to entrust some of our most sensitive data to technologies without fully understanding the associated risks.
Open Banking will undoubtedly result in another boom of startups, and these startups having access to people's banking data on a large scale has the potential for serious consequences. Budgeting for security is already a tough sell to C-levels and investors at larger, well-established businesses, but for startups that aren't even solvent yet it's an even tougher sell because bringing a product to market and gaining a user base takes top priority. Even now, the average FinTech startup has 20 employees and zero dedicated security staff. Conversely, if you look at open positions at major banks, an average of 1 percent of the listings are for security staff. This average jumps to 2 percent for well-established FinTechs including PayPal and Square.
Many startups, and larger companies as well, mistakenly assume technology staff—from programmers to operations staff—have the knowledge and expertise to create and maintain software in a secure way. Job listings for non-security technology staff echo this misconception, as a single bullet point for security knowledge accompanies the other standard duties of the position—especially when companies have no listings for dedicated security staff.
The truth is, most workers in technology have at most a basic understanding of security as it relates to their profession. This is not a shortcoming on their part so much as a failure of the institutions that trained them for that profession. For example, the degrees programmers obtain at many institutions offer at most a single optional course in basic information security. While degrees for managing computer systems offer more exposure to security training, it is also often at least in part optional and almost never substantial enough to train people for the real security challenges they stand to face. Luckily, dedicated degrees in information security are becoming more common, but this doesn't fully address the shortcomings of other training programs.
Even outside of technology, security is quickly becoming a universal concern—from C-level officers who need to manage risk to legal departments that will handle litigation following a data breach. But, across the board, the security knowledge each of these roles needs is not being offered. An hour-long video once a year on how to avoid falling victim to cyber-attacks is not going to fill this gap. The education system needs to make security training and staffing as much of a priority as companies do. For those already working in their field, additional training should be sought to increase security knowledge as it relates to the job and industry. Security in general is a discipline that requires forethought, planning, and preparation, and this needs to be more widely understood and adopted.
Regardless of industry, dedicated security staff is crucial for preventing data breaches—which are already increasing at a dramatic rate even among well-established companies. While the larger breaches make the headlines, almost half of all small businesses were attacked last year as attackers seek less secure targets. This trend applies to users' financial data as it becomes more widely dispersed through Open Banking. The data currently being stolen is often more general, but banking and financial data could be worth significantly more on underground markets and wreak much more havoc. Only by taking security seriously from the beginning can FinTech startups hope to have even a remote chance of mitigating this risk and protecting their users, their data, and their money.
Whose Fail is it Anyway?
With Open Banking seeking to widely distribute financial data, and a complex and underprepared security posture to protect it, the question of who is responsible in the event of an inevitable breach of that data becomes a tricky proposition. This is somewhat simpler for breaches of data at rest, but with data in transit it becomes harder to identify the party at fault. Failures at either—or likely both—ends of the data pipeline will lead to long, drawn-out court cases to properly assign responsibility for damages. All the while, the affected users must wait even longer for any sort of reparation to take place. With the Equifax breach still not entirely resolved after two years, it's difficult to imagine positive outcomes from similar data becoming more widely shared.
Some effort has been put into standardizing blame in the various Open Banking movements already underway, often either splitting responsibility or in some cases placing it solely on the banks. Inevitably, the complexity of security failures will result in parties taking blame they do not deserve, and affected companies will take action to prevent future punishment, which will stifle the movement. In jurisdictions without the foresight to set up standards for handling this, it's possible that those with the best lawyers will often be victorious—again resulting in improper assignment of blame. Regardless of the circumstances, it's highly likely the customers will somehow foot at least part of the bill associated with handling blame ambiguity while not quickly receiving the relief they require and deserve from the security failures.
Further, it is doubtful that judges and/or regulators would have the level of security expertise required to make an accurate assessment. Thus, a whole new field of security evaluators would be needed, which would take years to train properly. Ultimately, we are quickly headed toward a world where some expertise in security is required for just about every profession—a prospect that no schools are prepared to address.
Open Banking and FinTechs are poised to both revolutionize how we interface with our finances and open new avenues of security risk into those finances and the data that they generate. While it's often easier to focus on the potential benefits of technology rather than the risks, too much is at stake to not take security seriously, and all levels involved in this shift play a role. Regulators must ensure that proper security measures are required for those handling and transferring financial information, as well as devising ways to hold companies accountable when data breaches occur and ensure timely restitution for those affected.
Companies need to take securing their systems and user data seriously from the start, invest in the measures and personnel to achieve this, and not adopt the “it won't happen to me” mentality so prevalent in other industries. Users must refuse to do business with companies that don't make securing their data a top priority. Finally, institutions that disseminate knowledge need to incorporate security training into their curricula to enable everyone to at least understand the risks that are out there, if not take part in mitigating them.