Fraud and Security: Is Open Banking Creating New Challenges?

By Helen Child, Founder, Open Banking Excellence (OBE)

Fraud. A provocative word and an issue that affects us all, both at home and in our commercial lives.

A report published by our friends at UK Finance has revealed how cybercriminals have shifted their focus, eyeing up consumers and their personal and financial data.

Losses to authorised push payment (APP) fraud, where the victim is tricked into making bank transfers to an account posing as a legitimate payee, overtook card fraud for the first time in H1 2021. UK Finance recorded a staggering 71% increase in APP fraud, with losses standing at £355.3 million, compared to £261.7 million from card crime.

At Open Banking Excellence (OBE), we seek to promote knowledge sharing, new thinking and partnerships within the financial services industry as we all move towards a transformative Open Finance model. Our members asked us to host an OBE Campfire examining the hot topic of fraud and security, and we were happy to oblige. Talking about it keeps it front of mind and helps us all to take five to stop fraud.

For the Campfire – superbly hosted by Ali Paterson, Editor-in-Chief, Fintech Finance – we gathered a panel of world-renowned experts to share insights and opinions on this critical subject.

Recognising a growing threat

Fraud will continue to rise, and it’s something the industry needs to tackle head-on. We were joined by Michael Huffman, Director of Fraud at GoCardless, who broke down the multi-layered issue of payment fraud and the spectre of more bad actors entering the arena. He has also written a great blog for OBE, looking at how to prevent payment fraud to enable organic growth.

“We’re moving into a more difficult economic environment that will cause individuals who wouldn’t have turned towards fraud to start seeing it as a mechanism to increase revenue,” said Huffman. “When it comes to Open Banking, the US is obviously lagging a bit behind, but I do believe there’s a rich amount of data and information that can be made available to give our merchants and their customers more security.”

Mike Haley, CEO at Cifas, the UK’s fraud prevention agency, was another panellist and exclusively revealed some shocking figures. “We’ve seen in the first five months of this year that identity fraud has increased by 39%, whilst facility or account takeover has increased by 109%, mainly hitting the telecoms and online retail industries. And false applications for bank accounts are up 59% – these are startling figures for us. With Open Banking, there are opportunities to contribute to reducing fraud through mechanisms such as being able to check bank account information to verify identities.”

“The big issue for me is data disclosure,” added Brendan Jones, Chief Commercial Officer, Konsentus. “If these criminal organisations get account information, it becomes invaluable to them and gets resold on the dark web. Open Banking has been a success in the UK as a result of how much effort was put into the standard, but there’s a European continent sitting there that’s using many different specifications. There isn’t the conformance testing to see how well it’s been implemented, so I think the regulatory umbrella needs to widen as we move towards Open Finance.”

Assessing the challenges and opportunities in an Open Banking environment

With APIs, encrypted data transfer and reduced information sharing, security is at the core of Open Banking. However, as the ecosystem grows, it’s inevitable fraudsters and scammers will present new challenges for the financial industry. Paterson probed our panellists: “Is Open Banking fool-proof and secure when it comes to leaks, hacks and fraud, or are there limitations?”

“We need to look at the wider context,” said Haley. “I don’t think Open Banking has created any new fraud typologies but it has increased what’s known as the attack surface; the number of entry points for fraudsters to try to get into the system to initiate a payment, or to intercept personal information.”

“Open Banking isn’t a silver bullet to solve fraud,” added Chris Michael, CEO and Co-Founder, Ozone API. “But it does a number of things very well, depending on how well it’s implemented.”

“In the UK we put a lot of effort into designing a secure trust framework. We were helped by regulatory requirements. In the EU’s regulatory technical standards, for example, there are some good principles around secure communication and strong customer authentication, designed to ensure only regulated actors can access bank accounts. We’ve got some really good building blocks I think we should now add to, looking at how regulated parties can be involved in the flow of data, how they can parameterize consent, and how they can provide better outcomes for customers.”

As Huffman also pointed out, implementation of the Open Banking standard is critical to the protections put in place. If done correctly, Open Banking offers a number of controls to fight fraud, but there’s another important element to consider – due diligence by the consumer.

Exposing the weakest link

“Over the last year, we’ve seen a shift from unauthorised card fraud to APP scams,” explained Haley. “I put that down, in part, to the success of security in design, which means the weakest link is now the customer, and them pushing out a payment.”

“Consumers need to be diligent because you can’t legislate against a lack of attention,” said Jones. “There’s some layers of protection, such as Confirmation of Payee (CoP), but ultimately people need to be careful and take some ownership, especially when it comes to payments.”

“CoP will reduce the misdirection of funds, but not APP fraud,” added Michael. “APP fraudsters are clever. They create accounts that look and sound like a real person and the name of the account will match the sort code and account number. So all CoP will do is give consumers false confidence they’re paying the right person because they get that green tick.”

“There’s a trick I use if I’m making a payment for a large amount. I first pay someone a penny by Faster Payments, to make sure it’s the right destination. I then set them up as a beneficiary when I know they’ve got their penny. I think that’s something Open Banking could better address, so I’d encourage fintechs to build a slick PISP [Payment Initiation Service Provider] flow to do that.”

Despite this sobering discussion, as an industry we’re in a very good place, with the Open Banking Implementation Entity (OBIE) recently announcing the UK has reached the milestone of one billion API calls a month.

The fact we can have this conversation serves to underwrite the maturity of our sector. Open Banking is built on a strong security model – a trust framework. It’s rooted in democratising data and people giving their consent to securely share that data. When it comes to fraud and financial crime, let’s leave competition at the door. We’ve got a common enemy, so let’s share data and intelligence and help to educate consumers.