Preparing Your Organization for Success with PSD2 and Open Banking

By Brian J. Costello, Chief Information Security Officer, Envestnet | Yodlee.
UK Open Banking and the Revised Payment Service Directive (PSD2) are transforming the world of banking. As of January 13th, UK banks are now required to enable their customers to give permission for the use of their account data to third party providers. While the regulatory mandate is primarily to drive innovation and competition in financial services, consumers will also benefit from access to personalized data-driven insights, advice and services to help them achieve their financial and, ultimately, life goals. Understanding and embracing this new business model is critical for retaining and growing a financial organization. However, for both Open Banking and PSD2 to be successful, regulators and financial service providers must be transparent in their measures to safeguard data in order to protect consumers. With the move toward a more open banking model, the ongoing challenge will be how to enable online and mobile banking services powered by intelligent platforms, while also protecting the security and privacy of customers’ data and adhering to strict regulatory and legal requirements.

From our experience delivering cloud-based digital financial services, we know that adopting consumer-permissioned data sharing first requires attention to three top security, privacy and regulatory considerations. Financial institutions and responsible fintech companies should be thinking about these now, and starting to implement them, as the industry continues to move toward a more intelligent banking ecosystem.

1. Understand Your Requirements

When moving toward a more open, holistic model centered on the consumer’s permission to access and share their financial data, it is imperative to organize the safeguards and governance by which the entire ecosystem abides. These ensure that consumers can safely and reliably access any and all of their financial data, empowering them to reach their financial goals while protecting them from fraud and abuse.

As financial organizations begin to implement Open Banking and PSD2, it is each organization’s responsibility to ensure that appropriate security and risk management protocols are in place, with the appropriate physical, electronic, and procedural safeguards to ensure all financial information is protected against unauthorized access or misuse. In particular, pay attention to your data model and how it maps to the standards as well as how your internal data flows interact with the broader ecosystem.

Open Banking and PSD2 are not just about application programming interfaces (APIs). Financial institutions also need to assess how their current customer-facing programs for consent, authorization, fraud and privacy are affected by these new regulations, and how to promote their brand and value as their customers’ trusted provider. This includes presenting consumers with clear and transparent terms about how and what data will be gathered, used and shared with their permission, and which third parties are involved in the solution. It is also important to give consumers as much choice as possible to fine-tune their experience, including being thoughtful about how data fields are organized and accessed.

2. Data-First Security Approach

Implementing security around the data, not just the endpoints and connections between them, is the right approach to protect both the consumer and the technology solution. It’s best to start with a data flow risk assessment, identifying all assets within the data and systems involved in the end-to-end solutions, including consumer devices, untrusted networks and third party service providers.

An important piece of a secure system is data minimization: limiting the data collected from the customer, or on their behalf, to only the data needed to power the use case for which it is being used. This is a security principle enforced by governance across data flows, not unilaterally by one party. The technique here, especially in highly innovative environments with evolving data algorithms, is to group similar data elements by category and sensitivity.

With these data flows and models in mind, it is possible to identify the requirements for layered preventive, detective and response controls, and to update the data flow and model as the service evolves, combining them with current threat intelligence to drive the security roadmap.

3. Consumer Confidence in Open Banking

The world of financial services is constantly evolving, and will continue to do so as we consider the move to open banking and digital payments. The changes are exciting and promising for financial service providers, but along with the changes come key considerations that must be addressed head-on while providing consumers with what they really want in an intelligent banking platform. By keeping privacy and regulatory requirements top-of-mind, financial institutions can not only meet consumers’ expectations, but also build a loyal, trusting customer base.

However you choose to innovate, it is essential to bring security and privacy by design to every stage of the process. Agile methodologies support ongoing risk assessments, and DevOps-enabled deliveries can have security built in to ensure consistent levels of control. There is no excuse for not incorporating security, privacy and compliance into every aspect of your solutions. Your customers deserve it.