By Brian Costello, Chief Information Security Officer, Envestnet | Yodlee
As the world waits for the full implementation of Open Banking, all eyes are on the Competition and Markets Authority (CMA), and the UK in particular, as it becomes the first region to deploy the reformation. It’s understood that Open Banking will revolutionize the way consumers and financial institutions alike manage finances and improve overall consumer financial wellness.
While the UK’s implementation of the Open Banking reform is not new news, an even bigger transformation of the banking industry is on the horizon: Europe’s regulatory authorities are finalizing the technical requirements under the second payment services directive (PSD2), effective January 2018. Once Open Banking and PSD2 are implemented, third party providers will have access to customer accounts. This changes everything for the consumer – their relationships with financial institutions will be more intertwined than ever, thus requiring a vastly increased sense of trust. While both Open Banking and PSD2 have several positive ripple effects, including fostering the development of the next wave of financial products and services, increasing competition in financial markets and empowering consumers to take greater control of their financial lives, there is legitimate consumer concern regarding how their personal data is being used and secured. The sharing of personal data, while for legitimate purposes, is not something to be taken lightly. Financial institutions and third parties alike must make consumer trust and safety a top priority and requirement.
Security has always been arguably the most important factor when it comes to financial information management. In this new age of financial services, however, where information is increasingly accessible and spreads in a matter of seconds, financial institutions and fintech companies have to exercise even greater caution and go to even greater lengths to demonstrate trustworthiness. Words are nice, but what will really ease consumer fear when it comes to the use of consumer data? This raises another question: What can the broader Financial Technology (FinTech) ecosystem do to prevent cyber attacks in an Open Banking ecosystem?
With banking and financial services becoming increasingly smarter, capable and diligent security systems are more crucial than ever. It’s particularly important to note that while technologies like artificial intelligence (AI) and machine learning (ML) are skyrocketing in popularity across industries, there are still several questions to be answered and outcomes remaining to be seen. In order to combat fears associated with the unknown, AI and ML can be taken a step further than traditional usage – by using these technologies, financial service providers and data aggregators can protect consumers through endpoint security, behavioural analytics, identity management and security monitoring for fraud prevention.
For most security scenarios, AI and ML have the ability to go far beyond identifying known threats. For instance, models leveraging the technologies can determine a file’s maliciousness with no previous knowledge of the file by relying instead on analysis of the file’s innate properties. With sufficient, quality data available, AI and ML techniques easily outperform traditional signature-based or indicator of compromise (IOC)-based prevention approaches, which retroactively seek out the artifacts that an attacker may leave during a breach.
One such example of an AI-enabled product leading the endpoint security space is Cylance. The tool leverages AI to detect and prevent malware from executing on an organization’s endpoints, and prevents attacks on financial services infrastructure by blocking threats in real time before they cause harm. Data aggregators and financial service providers can take a page from Cylance’s book when it comes to enhanced security services built into product and service offerings.
These days, it seems like there’s news of a different data breach every week – many of which require behavioral analysis to isolate threats based on observing the actions taken. According to an industry study, more than 60 percent of intrusions do not involve traditional hacker methods like malware, but instead, leverage stolen credentials. Adding behavioral analytics to a prevention strategy built on AI and/or ML is the key to setting the security standard for financial applications and services in an Open Banking environment.
Amazon is arguably one of the top companies leading the adoption and deployment of AI-enabled services. Amazon Macie’s user behavior analytics engine helps identify risky or suspicious activity with AWS service API calls and access to high value content. In the financial world, Amazon Macie is an example of how ML is key in preventing crucial data loss by automatically discovering, classifying and protecting sensitive data stored in Amazon Web Services (AWS). Amazon Macie utilizes ML to recognize sensitive data such as personally identifiable information (PII) or intellectual property, assigns a business value, and provides visibility into where this data is stored and how it is being used by organizations.
With companies like Apple pushing the boundaries when it comes to identity management, there is consequential pressure on tech companies to continue innovating in the space while ensuring security is always at the forefront. Varying forms of identity management have cropped up; however, as with the unknowns associated with AI and ML as a whole, consumers are wary of the effectiveness and security that come with methods like facial scanning.
To ease consumer wariness of what’s up-and-coming in identity management, financial service providers and data aggregators must present methods that employ solid public key infrastructure (PKI) of personal digital certificates, as well as AI-based biometrics. Today, Social Security numbers pose the biggest security problems when it comes to identity management, which makes sense if you think about it. Social Security numbers are associated with all kinds of vital personal information, such as insurance policies, driver’s licenses and student ID numbers, as they guarantee uniqueness, but at the same time, make consumer identities more vulnerable. The use of biometrics built on AI provides stronger authentication through better authorization of uniquely identifiable characteristics.
As with all components of Open Banking, authentication techniques will need to be PSD2 and/or (eventually) New York State Department of Financial Services (NYDFS) compliant. To prepare specifically for the imminent implementation of Open Banking in the UK, EU-based TypingDNA has laid the groundwork for AI-based biometrics in a financial service setting. A behavior-based security service for financial services, TypingDNA provides an authentication risk-based score that helps financial services reduce fraud with no impact on user experience. Incorporating solutions such as this can go a long way in easing consumer anxiety while maintaining a positive experience for the end-user.
ML has the capability to monitor around the clock and handle larger data loads that the average human simply cannot handle, or at least not as efficiently. As a result, the workload for security analysts decreases. While this may not sound like the best news for those who work in the security field, ML actually provides the opportunity for security analysts to focus more on analyzing specific threats in much greater detail, while ML helps identify and filter out potential threats that expose known patterns, in much larger quantities. For example, Splunk’s analytics-driven Security Information Event Monitoring (SIEM) goes beyond simple information and event management to tackle real-time security monitoring, advanced threat detection, forensics and incident management. Employing ML, in conjunction with traditional security analyst work, helps ensure financial service providers and data aggregators have all their bases covered when it comes to managing and preventing threats and breaches.
In reality, it will take some time to ensure consumers understand not only how their data is being used differently with the arrival of Open Banking and PSD2, but also how they will remain protected in this new era of personal financial services. While hesitations won’t be calmed overnight, financial service providers and data aggregators can begin taking necessary steps now to illustrate their dedication to data security in a time where information is only becoming more vulnerable. It will require more than just words; consumers will watch actions closely and seek to understand the varying measures financial service providers and data aggregators are taking when it comes to data security. And while the jury is still out on all of AI and ML’s capabilities and impact on everyday life, financial service providers and data aggregators can help legitimize the technology by successfully implementing it and showcasing its value in an industry as complex as financial services.