How Open Finance Fuels the Money Experience and Drives Growth

If one idea encapsulates a significant trend in the current business environment, it’s “openness.”

Society is placing a greater value on transparency and “open” approaches. Even Microsoft Corp., the long-time defender of closed software, under the leadership of CEO Satya Nadella, has proclaimed they are “all in open source.” One industry where being open is of particular importance is banking and finance.

Open banking is the structured sharing of data through application programming interfaces, or APIs. These APIs allow data to move freely from financial institutions to third-party consumer finance applications. Customers initiate and consent to data sharing, establishing a secure way to grant access and extract financial information from the financial institution.

Open finance, on the other hand, is a broader term. It extends open banking to include customer data access for a range of services beyond the banking industry — to retail stores, hotels, airlines, car apps and much more.

Open finance is popular in Europe and is now gaining momentum in the United States. The goal, similar to open banking, is to enhance the way consumers in all industries interact with money. There are numerous far-reaching benefits of the open finance movement, both for consumers and organizations.

Consumers receive fast access to apps and services. Opening up data access allows someone to sign on and share their data with popular third-party apps (such as Netflix or Amazon.com) so they don’t have to re-enter their information every time. Taking it a step further, a stream of innovative applications such as fraud monitoring, automated savings, accelerated mortgage reduction and more are possible once access to financial information is opened up.

Greater security and control. With currently available technology, financial institutions can leverage API connections to allow account access or facilitate money movement for their customers. This control provides a sense of autonomy and security for consumers and bankers alike, creating an improved and secure money experience. Banking APIs also impact business models, and most significantly, allow banks to adapt to changes in the marketplace.

But security is critical when “opening up data” to the world. When we launched our open finance platform, MX Open, we ensured that financial institutions would be able to help protect their users’ financial data. Security needs to be at the heart of any successful open finance strategy, so that financial institutions, third-party financial apps and other companies can create more personalized money experiences that give customers greater access and control.

Easier connection of services, apps, cores and systems. Establishing a secure, end-to-end mechanism for sharing data that is not dependent on credential sharing allows banks and fintech companies to connect to many, many more services — resulting in even more services and offerings for users. Data connectivity APIs exist for that purpose: to empower organizations beyond the constraints of legacy systems, connecting financial institutions with new services, apps, cores and systems.

As a company focused on the financial services space, we recognize that data should be open to everyone. This movement of opening up — from open-source, to open banking to open finance — can only help bankers and boards maintain the advocacy-focused approach they desire in serving their customers, while increasing control over their roadmap to innovate faster and deliver the right tools and products to the right customers.

Secure Payments in Real Time: You Can’t Have One Without the Other



In the race for faster payments, it seems that many consumers place a higher value on convenience than on security. This doesn’t mean banks’ focus on security is or should be any less critical. Rather, it highlights the need for authentication to become more than just a seamless experience for the consumer. It also needs to be both invisible and deterministically consistent.

Any bank’s plans to offer real-time payments are unquestionably accompanied by initiatives to ensure fraud mitigation can also occur in real time. Most fraud programs in place today are simply not built to support the imminent speed of payments. While banks already have access to many sophisticated systems that make real-time payments technologically possible, are they equipped to guarantee funds are sent to and received by the correct, authorized individual? Unfortunately, the answer is no.

Accommodating customers’ desire for faster funds availability means putting them at the center of the authentication process. The risk banks must mitigate as they strive for a faster payments process lies in confirming that the person transacting is the right person, transacting on the right account. With millions of customer interactions daily, organizations must be able to authenticate who is interacting, and on what device. This information is critical to assessing the risk of a specific transaction and deploying optimal authentication technologies accordingly.

Authenticating consumers also requires fast, broad access to a variety of industry data sets. There is no way for a single financial institution to gain a complete financial picture of a consumer. Instead, a broad and collaborative view of identity and transaction activity creates the type of holistic customer profile needed to quickly authenticate.

Lastly, behavioral biometrics are proving essential to the introduction of a real-time payments ecosystem. How a person interacts within an app, and even with his or her mobile device itself, is quickly becoming a critical risk management factor that banks need to understand to successfully launch their real-time payments offerings. If not already, banks should be exploring biometrics as part of a multi-factor authentication strategy, to leverage ‘what you do’ characteristics in concert with those indicating ‘what you know’ and ‘what you have.’

Authentication is not about mitigating fraud at certain points in time; it should be ongoing. Continuous authentication is important to facilitating faster, safer payments for a couple of reasons. First, fraud doesn’t necessarily occur at the onset of a transaction; organizations must be equipped to detect fraud at any stage of the transaction. Additionally, only when authentication is continuous can it truly remain in the background, requiring the consumer to do nothing more than assume his or her normal behavior.

By focusing on putting the right technology and authentication capabilities in place first, banks will be able to provide the faster payments environment that customers want. Instead of looking at security as a distinct challenge, consider how enhanced security and authentication enable faster payments and create the most convenient payments experience possible.

Check It Out: The FTC Zeroes in on Mobile Payments


Banks have an important role to play in the development of mobile banking and mobile payment technologies. Although nearly 45 percent of all mobile phone users have a smartphone, only 12 percent are using mobile devices to make payments, according to a new report from the Federal Trade Commission (FTC). The primary reason for not using mobile payments is security concerns (42 percent).

Currently, the Federal Trade Commission is leading the charge to explore the need for mobile payments regulation. For banks interested in mobile banking, its actions and publications are very instructive.

Over the last two years, the FTC’s actions include: bringing law enforcement actions, obtaining high-profile settlements with Google and Facebook and issuing policy reports for mobile businesses and policymakers.  Although financial institutions are not directly regulated by the FTC in this area, the FTC does regulate all other mobile providers including merchants, payment card networks and payment processors.  Further, the FTC will likely influence and coordinate with other regulators, particularly with respect to data security and privacy.

During a teleconference on February 1, 2013, discussing the FTC report, “Mobile Privacy Disclosures Building Trust through Transparency,” the outgoing FTC Chairman, Jon Leibowitz, called on the industry to adopt strong privacy and data security measures for mobile technologies or face increased regulation. Most recently, the FTC issued a Staff Report on March 8, 2013, entitled, “Paper, Plastic… or Mobile? An FTC Workshop on Mobile Payments,” which outlines a number of key concerns and recommendations for businesses implementing mobile payments:

  • develop clear policies for disputes for fraudulent or unauthorized mobile payments that address:
    • the confusing landscape for consumers when selecting a payment method since each product has a different means, as well as different levels of protection, for disputing payments;
    • the potential need to incorporate FTC Act and potential Consumer Financial Protection Bureau protections.  At this time, unless Regulation E applies to a payment method, Reg E type protections for fraudulent or unauthorized payments are offered on a contractual or voluntary basis only; and
    • mobile “cramming,” where companies place unauthorized charges on mobile phone bills.
  • adopt strong security measures throughout the mobile payment process to:
    • receive, transmit and store financial data using “end-to-end” encryption;
    • incorporate security measures such as dynamic data authentication and separate secure element storage of data to prevent hackers from accessing financial information on mobile devices;
    • comply with federal and state data security laws such as the FTC Safeguards Rule, 16 C.F.R. § 314.1 et seq., and the FTC Act prohibition against unfair, deceptive and abusive practices;
    • require strong data security measures by all companies in the mobile payments chain; and
    • implement additional consumer security protections such as second level passwords and a means to immediately disable apps if a phone is lost or stolen.
  • implement “privacy by design” as set forth in the FTC’s report “Protecting Consumer Privacy in an Era of Rapid Change,” including at a minimum:
    • strong privacy practices at every stage of product development covering:
      • reasonable security
      • data collection limited to the context of consumer interaction with your business (e.g., no geo-location data unless needed)
    • simplified consumer choice:
      • allowing consumers to restrict unnecessary information disclosure
      • discouraging “pre-checked” boxes to obtain consumer consent for the use of data for non-processing purposes
    • transparency regarding data collection, storage and use to strengthen consumer trust.

To enable mobile to reach its full potential, financial institutions can play a lead role, including by responding to the FTC chairman’s call for industry self-regulation and the recommendations noted in the Staff Report.  Taking the security and privacy obligations that already exist under the Gramm-Leach-Bliley Act, with further guidance from sources like the FTC, financial institutions can move the industry forward by developing meaningful mobile disclosures and transparent privacy policies and practices and by requiring similar compliance of their mobile payment service providers.  

Banks should implement, and require their service providers to implement, data security safeguards for sensitive financial information at all segments of the payment chain and allocate responsibilities and liability among them. Banks should develop data breach response plans including notifications and consider purchasing cyber-security insurance.

Breaking Barriers: A Global Information Security Study


With increasing business demands and evolving regulatory frameworks, information security is a top priority for financial services industry (FSI) organizations. This year’s security survey study conducted by Deloitte finds that many FSI organizations have become more proactive in implementing innovative security measures and creating greater awareness of information security within their businesses. However, most organizations in the survey are challenged with balancing the cost of information security initiatives with the perceived risks of sophisticated threats and emerging technologies.

The following summary highlights the responses from over 250 financial services organizations from 39 countries:

Stronger Together: Silos and Barriers Retreat

  • Almost two-thirds of respondents believed that their information security function and business are engaged.
  • Over 50 percent of respondents indicated that they have a strong working relationship with operational risk management. Close to half of respondents indicated that they have strong relationships and coordinated activities with enterprise risk management.
  • Information security governance; identity and access management; and information security strategy and roadmap are cited to be the top security initiatives for this year.

Adapting to New Technologies: Security Innovation

  • As the use of social media increases, 37 percent of respondents are revising organizational policies; and 33 percent are educating users on social networking to address the security risks.
  • Many surveyed organizations have explored cloud computing options. However, 40 percent of the respondents indicated they still do not use cloud computing. The reasons cited include technology prematurity, security risks, and adoption capabilities of the organization.
  • As a part of their mobility program, many organizations have already deployed, or plan to deploy, mobile VPN, central device management, and mobile device management software. However, more than 50 percent of respondents have not yet planned for deployment of anti-phishing software, employee and customer-facing applications, and data loss prevention for mobile devices.

Policing Cyber Threats: Safeguarding Data Assets

  • Three out of four respondents have dedicated privacy resources; organizations are increasingly focusing on protecting their sensitive information and formalizing the privacy function.
  • Forty-nine percent of surveyed organizations claim to actively manage vulnerabilities, 82 percent of which are also actively researching new threats to proactively protect their environment from emerging threats.
  • Most surveyed organizations use the Security Operation Center (SOC) to monitor traffic and data and actively respond to incidents and breaches.
  • More than half of the respondents indicated that their organizations manage the SOC internally to get a better understanding of information security issues and gain more control over their operations.
  • Consistent with prior years, respondents cited a lack of sufficient budget (44 percent) and the increasing sophistication of threats (28 percent) as the primary barriers to implementing an effective information security program.

Sector Highlights: Banking

As banks adapt to increased financial regulatory pressure and adopt new technologies to stay competitive, they are challenged with managing myriad vulnerabilities and business expectations.

The following highlights the responses from 158 banking organizations, making up 62 percent of respondents:

Maturity Paradox: How To Keep The Information Security (IS) Program Effective

  • With increasing regulatory pressure, banking respondents continue to enhance their security programs. Close to 80 percent of respondents believe that their information security programs have reached a Level 3 (set of defined and documented standard processes with a degree of improvement over time) maturity or higher.
  • Even as security practices mature and advance, nearly 25 percent of the banking respondents indicated they experienced security breaches in the past 12 months.
  • Excessive access rights, security policies and standards that have not been operationalized, and lack of sufficient segregation of duties are cited as the top three external audit findings by banking respondents.

Balancing Act: Security and Cost Containment

  • Even though more than 70 percent of banking respondents dedicate at least 1 to 3 percent of their IT budget to information security, lack of sufficient budget and/or resources is cited as the top barrier for an effective information security program.
  • Nearly half of banking respondents have already implemented or purchased cloud computing services. Of those who have not implemented cloud computing services, close to 90 percent of the respondents believe the benefits outweigh the security risks.
  • Vulnerability scanning and penetration testing (72 percent) is the top information security function that is outsourced to a third party. This is followed by threat management and monitoring services, at 24 percent.

Security Innovation: New Technologies and Their Risks Have Arrived

  • Nearly 75 percent of the banking respondents are making use of social media; 20 percent of the banking respondents have deployed technical controls to block or limit organizational usage.
  • When it comes to adoption of mobile devices, banking respondents indicated that the top three security controls are enhancing the consumer acceptable use policy, integrating consumer device security into awareness campaigns and enforcing complex passwords.
