When you think of the second Payment Services Directive (PSD2), what likely springs to mind is Strong Customer Authentication (SCA). SCA was brought in as an additional check on certain financial transactions to help prevent fraud. However, PSD2 also ushered in the era of “open banking” through APIs.
Can digital services benefit from open banking, or is it all marketing and hot air?
The whole is greater than the sum of the parts
In my time in the tech industry, one of the most noticeable changes has been the drive to interoperability. Back in the day (i.e., more than ten years ago) connecting different components usually meant a lot of custom coding.
Now, we have application programming interfaces, or APIs, built on standards. The creation of what is often termed an “API economy” has been very important in facilitating a globally connected commercial world.
APIs and standards have facilitated the creation of multi-functional ecosystems. These ecosystems or ‘networks’ draw on specialist services – the result being the whole is greater than the sum of the parts.
PSD2 has a seemingly simple remit: Provide an interface that allows customer data to be shared, with the customer's consent, in a secure and standardised format. The result of this directive is the potential to open up the banking marketplace to drive new services. This is all part of the general move to digital delivery of banking services.
A 2020 survey by Finder states that in the UK, 4.5 million adults have a digital-only bank account and 12 per cent want to open a digital-only account in the coming years. While not everyone can take advantage of digital, digital-only is popular with a lot of folks.
PSD2 is a European directive, implemented in the UK as well. However, the Open Banking Report 2019 looked at open banking initiatives across the world, and of the countries included in the report, 87 per cent had open banking initiatives in readiness, including the US and Australia. Thousands of banks have opened their systems to offer data access.
Open banking offers added value above banking itself: Any ecosystem can connect directly to banks that offer open banking capability via API calls, or use open banking aggregation platforms such as Plaid, Tink and TrueLayer. The data provided using open banking can enrich a digital service.
Open banking and identity networks
As I've discussed in previous posts, when we talk about “identity” we are talking about identifying data. Identity networks are ecosystems that rely on identifying data to perform online tasks.
An example use case is a customer wanting to rent a house. The online rental service needs to make sure that the renter is trustworthy. In some countries, such as the UK, there are legal requirements when renting, for example that identity documents, bank details, and so on must be collected.
The rental company needs to be assured that the renter is who they say they are and can pay the rent. The renter may also be requested to set up a recurring payment for the rent.
In another example, a government service that provides benefit payments to citizens needs to have an assurance that the citizen is not a fraudster. The government service may also want to have bank account details to pay the money into a verified bank account.
Both of these examples are complicated to deliver as digital solutions. Making them digital requires an ecosystem of specialist components that together form the “identity network”. With APIs and standards, we can do this. Open banking APIs offer much of the specialist data needed to complete such services, including:
Assurance: To share open banking data, the account owner (customer) is typically redirected to their bank, logs in with their bank credentials (the bank applies SCA at this point), and consents to the specific data the service -- e.g., a rental company -- has requested. A successful login shows that whoever holds those credentials has a legitimate bank account, and so has been through the bank's “know your customer” (KYC) process. This assurance is passed to the digital service. Note the limit of that assurance: it proves control of the bank credentials, not that the person at the keyboard is the account holder, so on its own it does not protect against an account that has been taken over.
Personal data: Open banking APIs can return certain data, such as name (some APIs will return other data, too). This data can be used to pre-fill registration forms, with those fields made read-only so the user cannot alter the verified values. The service can have a degree of assurance that these data have been through banking KYC, so are legitimate.
Banking data: Many open banking APIs return banking data, such as sort code (in the UK), accounts held, balances, transaction history, and so on. Some open banking APIs will facilitate the setting up of recurring payments.
It is worth noting that open banking has a large array of capabilities, but each bank chooses which ones to implement, and not all have done so. A service should therefore not assume that every bank returns every field or supports every operation.
Other pieces of the ID network puzzle: Verified data
Verifiable claims or verified attributes add the missing part of the complex puzzle of digital services -- the final part of the digital transformation of online life.
As mentioned earlier, an identity network is an ecosystem. This ecosystem consists of many moving parts. Open banking has the potential to add a rich layer of data into this ecosystem. Sometimes you need more. Some transactions are just too valuable to depend on one source of knowledge.
You must be able to reach out to other sources, like credit reference agencies (CRAs), identity document checkers, anti-fraud platforms, behavioural analytics, and so on.
This ecosystem we talk of is possible because of APIs and standards. By using multiple knowledge and data sources you can build up a picture of a customer or transaction that gives it weight and reduces the risk of fraud. Identity networks, and the components they comprise, could be the way we finally get ahead of cybercriminals and payment fraud.
A word on open banking security
Fraudsters love an opportunity. Extended networks, in which data flows between many components, give them a correspondingly large attack surface: every API endpoint, token and consent record is a place where a missing check can leak data. There have been several API-based attacks and incidents as the technology has become embedded in digital services.
For example, Facebook has had several API-related security incidents. In December 2018 it disclosed a bug in the Photo API used by third-party app developers: for twelve days, apps that a user had granted access to their photos could retrieve more than the timeline photos the permission was meant to cover, including photos the user had uploaded but never posted. Facebook estimated the bug affected up to 6.8 million users and up to 1,500 apps. The root cause was an authorization check that did not match the scope the user had actually consented to.
Securing any system requires several layers. A system that uses API calls adds another layer that requires protection. Good API hygiene -- authenticating the calling party, checking authorization per object and per field against the consent that was actually granted, issuing short-lived and revocable tokens, and testing the scope boundaries rather than only the happy path -- must be part of any ecosystem that relies on API-empowered data sharing.
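The consent-scoped sharing described under Assurance above, and the authorization failure the Facebook Photo API bug illustrates, can be shown in a small model of a bank's data-sharing endpoint. The following is an added example and is not code from the original post, nor from any bank, aggregator or the Open Banking standard itself. The permission names (ReadAccountsBasic, ReadAccountsDetail, ReadBalances) and field names mirror the UK Open Banking Read/Write API, but the nesting of the data, the consent structure, the client identifiers and the sample customer data are all constructed for the example.

```python
"""Consent-scoped sharing of open-banking-style account data.

Added example: the data, consent model and client names are constructed
and simplified; only the permission and field names follow the UK Open
Banking Read/Write API.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of what a bank holds for one customer (two accounts).
CUSTOMER_DATA = {
    "Account": [
        {
            "AccountId": "acc-001",
            "Currency": "GBP",
            "Nickname": "Current account",
            "Account": [{"SchemeName": "UK.OBIE.SortCodeAccountNumber",
                         "Identification": "12345612345678",
                         "Name": "A N OTHER"}],
        },
        {
            "AccountId": "acc-002",
            "Currency": "GBP",
            "Nickname": "Savings",
            "Account": [{"SchemeName": "UK.OBIE.SortCodeAccountNumber",
                         "Identification": "12345687654321",
                         "Name": "A N OTHER"}],
        },
    ],
    "Balance": {
        "acc-001": {"Amount": "1250.40", "Currency": "GBP", "Type": "InterimAvailable"},
        "acc-002": {"Amount": "9800.00", "Currency": "GBP", "Type": "InterimAvailable"},
    },
}

# Which account fields each permission unlocks. Anything not listed here is
# never returned, whatever the third party asks for ("Detail" adds the sort
# code and account number block).
ACCOUNT_FIELDS_BY_PERMISSION = {
    "ReadAccountsBasic": {"AccountId", "Currency", "Nickname"},
    "ReadAccountsDetail": {"AccountId", "Currency", "Nickname", "Account"},
}


@dataclass(frozen=True)
class Consent:
    """The consent a customer authorised at their bank for one third party."""
    consent_id: str
    tpp_client_id: str            # third party the consent was granted to
    permissions: frozenset[str]   # what kinds of data they may read
    account_ids: frozenset[str]   # accounts the customer chose to share
    expires_at: datetime
    status: str = "Authorised"


def consent_is_usable(consent: Consent, caller_client_id: str, now: datetime) -> bool:
    """A consent is only good for the party it was granted to, while it is
    Authorised (not Revoked/Expired), and before its expiry time."""
    return (consent.status == "Authorised"
            and consent.tpp_client_id == caller_client_id
            and now < consent.expires_at)


def _allowed_fields(consent: Consent) -> set[str]:
    fields: set[str] = set()
    for permission in consent.permissions:
        fields |= ACCOUNT_FIELDS_BY_PERMISSION.get(permission, set())
    return fields


def accounts_unsafe(consent: Consent, caller_client_id: str, now: datetime) -> list[dict]:
    """The Photo-API-style mistake: the permission (field-level check) is
    applied, but the per-account selection the customer made is ignored,
    so every account the customer holds is returned."""
    if not consent_is_usable(consent, caller_client_id, now):
        return []
    fields = _allowed_fields(consent)
    return [{k: v for k, v in acc.items() if k in fields}
            for acc in CUSTOMER_DATA["Account"]]


def accounts_scoped(consent: Consent, caller_client_id: str, now: datetime) -> list[dict]:
    """Hardened: same field filter, plus the object-level check that each
    account is one the customer actually selected when authorising."""
    if not consent_is_usable(consent, caller_client_id, now):
        return []
    fields = _allowed_fields(consent)
    return [{k: v for k, v in acc.items() if k in fields}
            for acc in CUSTOMER_DATA["Account"]
            if acc["AccountId"] in consent.account_ids]


def balances_scoped(consent: Consent, caller_client_id: str, now: datetime) -> dict[str, dict]:
    """Balances need their own permission and the same account scoping."""
    if not consent_is_usable(consent, caller_client_id, now):
        return {}
    if "ReadBalances" not in consent.permissions:
        return {}
    return {aid: bal for aid, bal in CUSTOMER_DATA["Balance"].items()
            if aid in consent.account_ids}


# Constructed consents: a rental service allowed basic details of one account;
# a benefits service allowed full details and balance of one account; and a
# consent the customer has since revoked at their bank.
NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)
RENTAL_CONSENT = Consent("cons-1", "tpp-rental-co", frozenset({"ReadAccountsBasic"}),
                         frozenset({"acc-001"}), NOW + timedelta(days=90))
BENEFITS_CONSENT = Consent("cons-2", "tpp-gov-benefits",
                           frozenset({"ReadAccountsDetail", "ReadBalances"}),
                           frozenset({"acc-001"}), NOW + timedelta(days=90))
REVOKED_CONSENT = Consent("cons-3", "tpp-rental-co", frozenset({"ReadAccountsDetail"}),
                          frozenset({"acc-001", "acc-002"}), NOW + timedelta(days=90),
                          status="Revoked")

if __name__ == "__main__":
    print("unsafe :", accounts_unsafe(RENTAL_CONSENT, "tpp-rental-co", NOW))   # leaks acc-002
    print("scoped :", accounts_scoped(RENTAL_CONSENT, "tpp-rental-co", NOW))   # acc-001 only, no sort code
    print("balance:", balances_scoped(RENTAL_CONSENT, "tpp-rental-co", NOW))   # {} no ReadBalances
    print("revoked:", accounts_scoped(REVOKED_CONSENT, "tpp-rental-co", NOW))  # []
```

The difference between `accounts_unsafe` and `accounts_scoped` is a single membership test, which is why this class of bug survives functional testing: every field the third party was permitted to see is present and correctly filtered, and only a test that asks "can this client see an account the customer did not select?" catches it. The `consent_is_usable` check is deliberately separate so that client identity, status and expiry are enforced once, before any data path runs.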
An open banking future for identity networks?
APIs have empowered and enabled the growth of digital services. The next step is to use verifiable data to empower the transactions used by these services. Open banking offers a way to use already verified user data that has gone through a banking KYC process.
This is a win-win-win situation: Banks get more value from their KYC processes by becoming part of something bigger than a single bank. Services gain assurance from the verified data shared via a bank. Customers can re-use existing bank identities to reduce the overhead of online account creation.
As long as the API layer within a service is secure, the end result can be an effective, secure, verified service, where everyone benefits.