Open Banking raises fraud liability concerns

Banks and third-party providers may suffer from ambiguity in fraud accountability, according to members of the Open Banking scheme.

Rachel Gentry, information security and counter fraud consultant at Open Banking, said that the liability in open banking fraud always lies with the bank.

“I can appreciate that that is not always where the fault lies, but from a reimbursing the customer perspective – it’s with the bank,” she said during a panel at the Open Banking Expo in London on November 13.

“I think liability is a really tricky topic. It’s tricky at all stages, in all journeys.”

While culpability for banks is clear in Open Banking’s protocols, there is ambiguity surrounding the way banks and third-party providers (TPPs) may deal with fraud claims moving forward.

“Should an unauthorised transaction be facilitated through Open Banking, the initial liability is taken solely by the bank that was used to fulfil and execute the payment,” said Dan Standish, Santander UK’s head of future fraud strategy, in an email. First party fraud, however, is excluded from this culpability.

“While there are grounds for the bank to pursue a claim against the TPP that was used to initiate the payment request as part of the redirection to the bank, proving the TPP was at fault can be difficult,” said Standish.

Santander is one of the UK’s nine high street banks required to support Open Banking, joining RBS Group, Barclays Bank, HSBC Group, Lloyd’s Group, Nationwide, Danske Bank, Bank of Ireland, and Allied Irish. Challenger banks Starling Bank and Monzo have opted into Open Banking.

“If a customer suspects fraud we would raise this with the partner and evaluate whether the partner has breached their obligations,” said Anna Mitchell, head of Starling Bank’s Marketplace – the space Starling’s app that provides access to TPP services – in an email.

“To date we have never had to remove a partner from the Marketplace but we do conduct annual reviews and should we have any concerns we would terminate the relationship.”

Open Banking was implemented in January 2018 and has often been referred to as a quiet revolution of the banking space. A study by KPMG from 2018 indicated that only thirty percent of SMEs showed a strong appetite for Open Banking, which has lead to slow adoption.

While Gentry stresses that there are no new types of fraud involved within the Open Banking ecosystem, there has been indications from market participants that fraud is growing.

Fraud is greater in open banking than with plastics, said Paul Davis, fraud and financial crime director at Lloyds Banking Group, at the Open Banking Expo on November 13. He attributes this heightened risk to the hurdles of adapting to new technology.

Davis mentioned that all the cyberattacks he’d seen within Open Banking had occurred at registration.

“What we’re finding is fraudsters are making fake registrations of customers who hadn’t or may not even have heard of TPPs, and all of a sudden their bank account is linked to an app they’ve never even heard of.”

Gentry said that Open Banking’s role is to mediate between banks and TPPs in order to spot vulnerabilities.

“The biggest challenge is we haven’t got the data – so we haven’t got enough transactions to know what fraud really looks like to help spot the patterns for fraud engines to be able to do something about it. And we really need to be driving a much more data rich environment to be able to act effectively,” she said.

Related reading