A report from Identity and Access Management specialists Ilex International and RAiDiAM Consulting looks at the upcoming Open Banking legislation and the impact on UK banking organisations.
The Open Banking initiative has formed as a result of the UK Competition and Market Authority’s (CMA) latest effort to promote increased competition and consumer choice among banking service providers. In addition, the CMA intends to expand upon the European Banking Authority’s Payments Services Directive 2 (PSD2) directive by being more definitive in specifying the technological implementation of standards.
These APIs will transform the existing relationship between banks and their customers and raise complex identity assurance and access management challenges. Providing a standard set of APIs will be challenging for many functional and technical reasons. Perhaps most challenging from a security perspective will be the replacement of bespoke application protection mechanisms, protocols and internal standards with a single modern Identity and Access Management (IAM) capability that can integrate with third parties.
Open Banking in action
Open Banking API offerings are broadly categorized into three services: Public information, account information services (AIS) and payment initiation services (PIS). The CMA’s high-level roadmap schedules the delivery of APIs in the order of their security or risk levels. APIs requiring no security to implement will be delivered first, starting with the delivery of financial product descriptions and ATM / branch locations by the end of Q1 2017.
Achieving assurance in a headless world
These days, customers almost always interact exclusively with banking services via first party channels, whether mobile, telephony or Face2Face. Such channels require customers to perform an appropriate degree of identification and verification before services or information is provided.
Alternatively, with an API channel consumed by third parties, bank’s will need to address use cases where TPPs are performing operations on a customer’s behalf when the customer may not be present during the course of the transaction. Banks must adjust security postures to reflect the loss of control, quality assurance and variable degrees of app security that may be used by customers to access banking services.
Digital identity assurance is leading to a change in the industry. The coming swarm of digital financial asset management APIs will enable new and innovative services to be deployed at a pace previously unseen in the financial services industry. API delivered services have the potential to significantly increase the threat surface banks are exposed to and pose new challenges for identity assurance. Delivery of an API channel will require significant investment in IT Security and IAM infrastructure. It will also require the re-engineering of business processes to manage the numerous new identity classes and their authorisations.
To read the full paper, ‘Open Banking and PSD2: An Inflection Point for Digital Identity Assurance’, click here.