Travis Spencer, CEO, Curity
The open banking revolution is well underway, with financial services heading towards a more integrated future. One only needs to look at the introduction of PSD2 in Europe, UK Open Banking, the new efforts going on in Brazil, and the exponential growth of APIs to see that “platformification” is happening all around us. This is hugely exciting for businesses and consumers alike, paving the way for the more seamless user experience that people have come to expect.
Naturally, moving financial data around is always something to be done with care. The consequences of this information falling into the wrong hands have the potential to be disastrous for consumers, businesses and banks. That’s why financial-grade API security is paramount when it comes to exchanging data and financial information between institutions and third parties such as fintech vendors and other partners.
With security being so important, there is a raft of measures that financial services companies should adopt to set themselves up safely for success.
Intricacies of Authentication
In a highly regulated system, it is important to have strong confidence in the users’ identity. This requires a Strong Customer Authentication (SCA) method, which usually translates to a high Level Of Assurance. This is achieved in part by using multi-factor authentication. Equally essential, users must prove their identity as part of the registration process and authentication process. To achieve this, the regulators require standards-based proven methods that ultimately result in a token (i.e., a ticket or memento) that is cryptographically bound to the bank and codifies the identity of the user, their authentication method, and the bank’s assurance level that the user represented by that token really is who they claim to be.
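The checks a relying party would run on such a token, as an added example that is not from the original article. It assumes a JWT-style token with the OpenID Connect claim names `iss`, `acr` and `amr`; the `urn:example:loa:*` values, the key and the issuer URL are constructed, and HS256 stands in for the bank's asymmetric signature so that the sketch runs on the standard library alone.

```python
import base64, hashlib, hmac, json
# Hypothetical assurance-level identifiers; a real scheme defines its own values.
ACR_LEVELS = {"urn:example:loa:1": 1, "urn:example:loa:2": 2, "urn:example:loa:3": 3}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> bytes:
    # HS256 stands in for the bank's asymmetric signature (assumption for the demo).
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(claims: dict, key: bytes) -> str:
    """Bank side: encode and sign the claims."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(f'{head}.{body}', key))}"

def check_sca_token(token, key, issuer, min_level, now):
    """Relying party: return the claims only if every check passes."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        signature = b64url_decode(sig)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(signature, sign(f"{head}.{body}", key)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))  # trusted only after the signature check
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if ACR_LEVELS.get(claims.get("acr"), 0) < min_level:
        raise ValueError("assurance level too low")
    if len(set(claims.get("amr", []))) < 2:  # simplification: two distinct methods
        raise ValueError("not multi-factor")
    return claims

if __name__ == "__main__":
    key, now = b"constructed-demo-key", 1_700_000_000  # constructed sample values
    claims = {"iss": "https://bank.example", "sub": "user-123", "exp": now + 300,
              "acr": "urn:example:loa:3", "amr": ["pwd", "otp"]}
    print(check_sca_token(issue_token(claims, key), key, "https://bank.example", 3, now))
```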
Authentication is important, but, alone, it isn’t enough. Open Finance regulations are clear that users must consent to a business accessing certain data or performing an action such as creating a transaction. But it must also be possible for users to manage and even revoke their consent through an easy-to-use user management service.
Protecting users’ data can be a challenging task, but it’s a critical one. It takes a long time to build up trust – particularly when finances are involved – and it can be slashed in seconds if users lose confidence in a business’s ability to look after their users. As well as costing customers time, money and frustration, this can ruin a business’s reputation. Consequently, the safety of user data must be prioritised.
A combination of different techniques, frameworks and processes can be introduced to mitigate the risk of fraud, data leakage or manipulation, and privacy violations. This is an opportunity to ensure standards are implemented across the board. Standards and directives such as PSD2 are designed to protect user data, as well as to secure bank services. Businesses need to ensure they are investing in the right technology to adhere to these standards. By choosing solutions that automatically implement these specifications, businesses can reap the benefits of a secure customer database, which they are exposing via APIs, and improved customer relationships.
In order to do this, businesses must also invest in their teams. It’s not enough to simply put protocols in place. Design and execution require a specific set of skills which, unfortunately, are in high demand and low supply. Recent research commissioned by the Department for Culture, Media and Sport found that half of UK businesses (approx. 680,000) have a basic skills gap, lacking staff with the technical, incident response and governance skills needed to manage their cyber security. Meanwhile, a third (approx. 449,000) are missing more advanced skills, such as penetration testing, forensic analysis and security architecture.
Despite being essential – even more so as services are increasingly digitalised – cyber security skills are often poorly understood and undervalued, both by management boards and within IT teams. This can lead to a lack of investment in training, mishiring, and poor retention of staff in security roles. This only exacerbates the challenge of building a team that possesses the requisite skills.
Hiring can be hard when there’s a shortage of skills, so businesses need to be creative. This means considering new recruitment avenues and, importantly, breaking free from the traditional model of what cyber security professionals look like. Curiosity is key, so, for more junior roles especially, attitude should be a key qualification. Businesses should trust that many skills can be acquired on the job if the candidate has the essential fundamental knowledge and drive. To aid in this, employers should provide training and mentorship.
We’re on the cusp of an exciting future for financial services which will shake up the way that banks do business and consumers manage their financial transactions. New opportunities mean new processes and challenges, however. This is particularly important when it comes to security. Previous measures simply won’t be enough. Not only will delivering on this future require financial-grade security and authentication protocols, it will also rely upon having the know-how to do so. Clearly, the skills gap in security needs to be filled in order to make this happen. So, ensure you’re investing in your team first, product second.