As Open Banking (OB) in the UK prepares to accelerate, have the fears around security and fraud risks gone away? When OB launched to great fanfare in 2017, there were concerns from banks about the security and fraud risks - have these materialised, been mitigated or do they remain, lurking in the shadows?
When OB launched in the UK it was meant to revolutionise banking, opening up the big banks to competition from fintechs and new payment service providers (called TPPs in OB terminology). But progress has been slow, and the flood of OB services we expected has been more of a trickle. So much so that the Competition and Markets Authority (CMA) that set up OB in the UK has run out of road and the CMA are looking to the banking industry to take this forward.
While the big banks were initially fearful of the risks from OB (losing market share and customers to new service providers, as well as the security risks from allowing 3rd parties access to 'their' customers' accounts), the slow take-up has given them time to get their defences in order.
Now the big banks are more comfortable with OB and see an opportunity - so much so in fact that UK Finance has drafted plans to open up further and include Open Finance (bringing additional accounts and services into scope) and Open Data (enabling data portability for more tailored services).
One of the key challenges that has limited the success of OB is the security requirements (meaning the customer is passed from the fintech service provider to their bank to undertake Secure Customer Authentication), while another is the lack of consistency across different regions (OB in the UK is a different flavour than in Europe, and other regions are also ploughing their own OB furrow).
A number of fintech service providers have moved in to fill the gaps and overcome the inconsistency and complexity (building all the plumbing to allow access to banks across multiple regions - then charging other fintechs for access) - but this is not the easy and open access envisaged.
Risks remain for the banks. While the flood of fraud and criminal misuse of OB hasn't obviously materialised (there is no published data that identifies fraud through OB) it doesn't mean it won't happen in the future. In truth, OB doesn't create new fraud risks, but it creates new opportunities and variations for fraudsters to adapt and execute their methods. The fraud risks mainly relate to fintech service providers' ability to initiate payments and 'pull' funds from the customer account at their bank. The main fraud challenges with this scenario are:
These fraud scenarios both use a fintech service as a 'money mule' to move funds and 'cash-out' elsewhere, beyond the reach of the bank. When OB launched, there were real concerns that fintechs would have less robust KYC and fraud detection capabilities, leaving themselves and the counterparty bank exposed to fraud.
It is worth noting that these fraud risks already exist for banks, but OB provides a new channel through which attacks can be initiated. Rather than fraudsters trying to gain access to a victim's account and funds via the bank's online or mobile banking platform, they sign-up and use a fintech service to access the victim's account via the OB 'channel'. In this way, the fraudsters can effectively split the payment initiation (which would normally happen in the bank's online or mobile platform) from the payment execution (which still happens via the bank's systems), meaning the bank has less visibility of the end-to-end payment journey and less data on which to make a fraud decision.
How do banks protect against these risks?
First and foremost, by requiring the customer to authorise the payment. There are variations in approach but in most cases, the customer is redirected from the fintech site to the bank site to undertake customer authentication and authorisation.
Secondly, by having real-time transaction monitoring that utilizes behavioural profiling and adaptive machine learning. In the OB payment journey, however, there is limited interaction between the customer and the bank, so there could potentially be less data about the device used by the customer, their IP address and geolocation, and less opportunity to identify behavioural anomalies.
As more fintech service providers use OB payment processors, this can further obscure the payment activity from the bank, limiting the bank's ability to assess the risk based on historical behaviour and fraud patterns where multiple services are 'bundled' through a single OB processor.
All these elements add to the challenge for a bank and mean rules-based or static model-based transaction monitoring will struggle to identify new fraud attacks through the OB channel. Adaptive machine learning models can help to fill this vacuum, where they can quickly recognise and learn new suspicious behaviours.
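The bundling effect described above can be shown with a small added example (not from the original article): the same payment is scored once with the underlying service visible to the bank and once with only the OB processor visible. The field names, identifiers, sample payments and the 5x-median threshold are all assumptions made for illustration, and the two toy rules stand in for a real behavioural model.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: one customer's past OB payments, all routed through
# the same hypothetical processor "proc-A" on behalf of two different services.
HISTORY = [
    {"customer": "cust-1", "processor": "proc-A", "service": svc, "amount": amt}
    for svc, amt in [("utility-app", 42.0), ("utility-app", 45.0), ("utility-app", 40.0),
                     ("rent-app", 950.0), ("rent-app", 950.0), ("rent-app", 950.0)]
]

SERVICE_VIEW = ("customer", "service")      # bank can see the underlying service
PROCESSOR_VIEW = ("customer", "processor")  # bank only sees the bundling processor


def build_profiles(history, key_fields):
    """Group past payment amounts by the identity fields the bank can see."""
    profiles = defaultdict(list)
    for payment in history:
        profiles[tuple(payment[f] for f in key_fields)].append(payment["amount"])
    return profiles


def risk_signals(payment, profiles, key_fields, ratio=5.0):
    """Return behavioural signals for a new payment (assumed toy rules)."""
    seen = profiles.get(tuple(payment[f] for f in key_fields))
    if not seen:
        return ["new_initiator"]          # no history for this customer/initiator pair
    if payment["amount"] > ratio * median(seen):
        return ["amount_outlier"]         # far above the usual amount for this pair
    return []


def compare_views(payment):
    """Score the same payment with and without visibility of the service."""
    return {
        "service_view": risk_signals(payment, build_profiles(HISTORY, SERVICE_VIEW), SERVICE_VIEW),
        "processor_view": risk_signals(payment, build_profiles(HISTORY, PROCESSOR_VIEW), PROCESSOR_VIEW),
    }


# Constructed test payments: a never-seen service, and an unusual amount from a known one.
NEW_SERVICE = {"customer": "cust-1", "processor": "proc-A", "service": "new-wallet", "amount": 900.0}
UNUSUAL_AMOUNT = {"customer": "cust-1", "processor": "proc-A", "service": "utility-app", "amount": 900.0}

if __name__ == "__main__":
    for name, payment in (("new service", NEW_SERVICE), ("unusual amount", UNUSUAL_AMOUNT)):
        print(name, compare_views(payment))
```

With the service visible, both payments raise a signal; once everything is keyed on the processor, the rent payments widen the baseline and neither payment stands out.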
With the next phase of OB on the horizon, there will be more services and further opportunities for fraudsters. Banks should have used the slow pace of OB service take-up to recognise the threat and improve their fraud defences - but have they? As Warren Buffett once said, "It is only when the tide goes out do you discover who's been swimming naked."
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.