Technical Controls for a Secure Open Banking Initiative


Interesting and innovative technology is disrupting the financial services market in a good way. Open Banking is one such initiative that can put the customer’s data to use to serve the user’s needs while also extending financial services to populations with no previous access to banking services. The positive impacts of Open Banking are leading to greater adoption, and financial regulators around the world are promoting its application by implementing regulations and guidelines. This article focuses on some of the security controls for Open Banking from various sources, including Australia’s Consumer Data Right (CDR) law, Singapore’s Finance-as-a-Service: API Playbook, Hong Kong’s Open API Framework, the U.K.’s Competition and Markets Authority (CMA) Open Banking guidelines, and the European Union’s Payment Services Directive 2 (PSD2).

What is Open Banking?

Technologically, Open Banking is the use of APIs to enable third-party providers (TPPs) and financial technology (fintech) firms to build services around financial institutions. TPPs or fintechs can utilize APIs to provide customized services to banking customers, provide sustainable services to underserved markets, and fuel innovation. Financial regulators in different regions recommend or require that financial services institutions (FSIs) open up data for products, consumers, and services to facilitate the building of an API economy. This ecosystem requires financial institutions to pass various litmus tests to ensure the safety and integrity of data.

Security in Open Banking

Increased use of APIs in all industries has garnered attention from cybercriminals. Gartner predicted that by 2022, API abuses would be the most frequent attack vector resulting in data breaches for enterprise web applications. Financial regulators are aware of this and have recommended numerous guidelines to prevent these attacks. While individual guidelines and implementation details might differ from region to region, there are some common technical security controls.

In our current analysis, the focus is on common security controls across various regulations, including authentication controls, authorization and consent management, transaction security, security standards, and operational risks (see Figure 1).


