Navigating open banking while keeping the fraudsters at bay

In the open banking era customer user experience is key, but how do you also ensure assets are protected from fraudsters? Frans Labuschagne of Entersekt outlines some ideas

For decades, the vast majority of the UK population would trust their finances to one of a few long-standing and well-established banks – among them, Barclays, Santander and the Royal Bank of Scotland – and remain with them for life.

This commitment meant that the banks had no real reason to compete for customers, which resulted in a product-centric strategy coupled with tedious processes and inflated fees. The recent advent of open banking, however, has the potential to revolutionise the way we bank. 

Two years ago, the Competition and Markets Authority (CMA) recognised the lack of competition within the financial industry and resolved to put customers back in control of their finances. Their mandate stipulated that banks would have to ‘open up’ and securely share all the data they had collected over the years with third-party organisations. This sharing of data has since facilitated the rise of challenger banks and fintech start-ups, driving innovation to create services and products that empower consumers. 

Regulations outlined in the European Union’s 2018 Payment Services Directive (PSD2) have been fundamental in opening up banking. Today, managing your finances has never been more convenient or flexible. From credit score monitoring services and budgeting applications, to debt rehabilitation and an efficient means to make payments – we are only just realising the potential of integrated application programming interfaces (APIs), the technology through which the data is shared.

The downside is that these newly acquired benefits – accompanied by an increase in the number of sensitive transactions and requests from third parties for data access and payments – increase the opportunities for cybercriminals to commit fraud.

To mitigate this, PSD2 requires that banks adopt strong customer authentication (SCA), or two-factor authentication, as well as the supporting deployment of EMV 3-D Secure. However, these additional authentication requirements will undoubtedly negatively affect the interactions that financial institutions have with their customers. 

In a world where individuals are being pulled in every direction by competitors and other parties vying for their attention, banks need to concentrate on creating exceptional and seamless user experiences to set themselves apart from the crowd.

Banks need to be more than just another service provider; they need to become the trusted keeper of their customers’ digital assets. So, how can they do this while remaining compliant with regulations?

Seamless Security Through Biometrics

Both SCA and EMV 3-D Secure demand that customers identify themselves with a combination of ‘what you know’ and ‘what you have’ before being granted access to their assets. So, for example, they need to provide a password or PIN, and have a bank dongle or smart card. This, however, makes it far more troublesome for a customer to access their assets.

Consider passwords, for instance. People open new accounts every day, for all manner of things, and can accumulate as many as 200 within just five years. With each account requiring a password, it is no surprise that 37% forget a password at least once a week. Many tend to reuse passwords across accounts as well, increasing their risk of fraud from attackers executing brute-force attacks.

As a way to overcome the ‘password problem’, financial institutions should consider adding a ‘what you are’ factor – biometrics – to use alongside an existing authentication method. Biometrics help to simplify the authentication process while also ensuring security – it’s not easy to lose your fingerprint or have it stolen by a malicious actor, and biometrics are simply much harder than passwords to replicate.

Moreover, consumers are growing more comfortable using biometrics, for example on their smartphones and smart speakers, enabling its adoption more widely. Indeed, one study found that 87% of consumers see this method as the most secure form of authentication and 86% also believe that it makes logging into banking apps easier compared to the traditional password.  

Seamless Security Through the Omnichannel

Along with greater choice of financial services, consumers are also facing an increasingly complex authentication landscape. In addition to the age-old brick-and-mortar bank branches and ATMs, individuals now have online banking, mobile banking, and yes, even smart speakers to make purchases, and each of these channels generally employs a different method to protect a consumer’s assets. 

Offering consumers choice is fundamental to providing them with control. After all, it shows that financial institutions understand that individuals have different preferences for and ability to use various channels.

For instance, older generations are sometimes more comfortable completing a transaction through a call-centre than online. Nevertheless, this abundance of choice – and the accompanying assortment of authentication methods – can quickly become the source of friction. As the saying goes, ‘too many cooks spoil the broth’.  

To provide consumers with a streamlined experience, financial institutions need to offer an integrated solution with a consistent user interface. By implementing the same authentication technology across all channels, banks promote users’ muscle memory, as well as nurturing a sense of comfort and convenience. This not only helps to reinforce customer expectations, it also instils greater confidence in those interactions. 

The key is to first secure the channels by establishing a unique device identity, for example through digital certificates, device fingerprinting or a web-based cryptographic binding technology. From the data collected from the device, a bank can assess the risks involved and adjust the authentication process accordingly.

If the risks are low, customers can continue the transaction without any friction. If, however, there is something out of the ordinary, like a request being made outside the country from an unknown device, a bank can step up the authentication and ask for some additional form of identity verification. Specifically, a secure smartphone-based banking app could be used to offer a one-touch feature for confirmation. 
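The flow described above, sketched as an added example that is not from the article or from any vendor's product: device identity is modelled as an HMAC tag made with a key registered at enrolment, and the risk signals are limited to the two the text names (unknown device, request from outside the usual country). All identifiers, keys and sample requests are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data (hypothetical): keys registered when a device was
# enrolled, and the country each customer normally transacts from.
ENROLLED_DEVICES = {"dev-1001": b"constructed-device-key-1001"}
HOME_COUNTRY = {"cust-42": "GB"}


def payload_of(request):
    """Canonical bytes the device tags, so tampering with any field is detected."""
    return f"{request['customer']}|{request['amount']}|{request['country']}".encode()


def sign(device_key, request):
    """Client side: tag the request with the key held on the enrolled device."""
    return hmac.new(device_key, payload_of(request), hashlib.sha256).hexdigest()


def device_is_bound(request):
    """True only if the tag verifies under the key enrolled for this device."""
    key = ENROLLED_DEVICES.get(request["device_id"])
    if key is None:
        return False  # unknown device: there is no identity to verify
    expected = hmac.new(key, payload_of(request), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), request["tag"].encode())


def decide(request):
    """Return ('allow', []) when nothing is unusual, else ('step_up', reasons)."""
    reasons = []
    if not device_is_bound(request):
        reasons.append("device_binding_failed")
    if request["country"] != HOME_COUNTRY.get(request["customer"]):
        reasons.append("unusual_country")
    return ("step_up" if reasons else "allow", reasons)


if __name__ == "__main__":
    usual = {"customer": "cust-42", "amount": "25.00", "country": "GB",
             "device_id": "dev-1001"}
    usual["tag"] = sign(ENROLLED_DEVICES["dev-1001"], usual)
    abroad = {"customer": "cust-42", "amount": "25.00", "country": "BR",
              "device_id": "dev-9999", "tag": "00"}
    for req in (usual, abroad):
        print(req["device_id"], decide(req))
```

A "step_up" result is where the bank would trigger the additional verification, such as the in-app confirmation mentioned above.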

Integrating the various channels available, and streamlining the interactions between them, means consumers are more likely to notice when something is amiss. Anything that diverges from the expected experience can be flagged as a possible fraudulent attack, prompting the consumer to react appropriately, thus keeping fraudsters at bay. All in all, as customers come to trust the simplified experience and appreciate the convenience of omnichannel, they are likely to transact more and opt into more of the financial service’s products.

This latest revolution in the financial space will no doubt create winners, as well as losers. It is up to organisations to swiftly adapt and innovate, or risk becoming irrelevant. 

Frans Labuschagne, country manager, UK and Ireland, Entersekt

