Does Open Banking mean open house for fraudsters?

Open Banking has come a long way since we first explored it. Are banks really able to fully protect their customers when it comes to Open Banking? 

Marlène Meli – Head of Compliance Practice at Temenos

Open Banking has come a long way since we all explored it at Sibos last year.  It’s not just a focus for European banks needing to comply with PSD2, it’s a global priority as consumers start to expect complete digital transparency in every aspect of their lives.  But are banks really able to fully protect their customers when it comes to Open Banking?

Open banking is hot right now. Banks across the globe are realizing that it’s not just a PSD2 related activity, it’s an opportunity. After all, the principle behind PSD2 is to help banks and their customers. Banks in Europe and elsewhere know that to maintain market share and continue to profit this has to be a priority. The core objectives of the regulation focus on making cross-border payments as easy, efficient and secure as national payments, while facilitating innovative payment services. In addition, it looks to improve competition by opening payments markets to new entrants for the benefit of user-friendly, accessible and innovative means of payment, all while ensuring high security and safety in electronic payments. However, when we reached out to 200 corporate banks and their customers in October last year, as part of a global survey to ask whether they were concerned that financial crime risk will be higher with non-bank TPPs (third party providers), 67% stated that they either agreed or strongly agreed that there was a higher risk. Why?

Do more remote channels mean more fraud?

Well, our survey didn’t ask why, but I think we can all perhaps guess. Open Banking will unquestionably increase transaction volumes as consumer banking convenience reaches an all-time high and, by association, this will mean more fraudulent transactions. However, the risk is more than just volume related. The use of new remote channels from TPPs to access customer accounts may increase the risk of unauthorized access and payments initiation. This is because PSD2 obliges banks to make customer data available in a secure manner to permitted, trusted third party providers (TPPs) and therefore, by its very nature, enables bank-account aggregation services delivered via APIs, as well as payments initiation services and payments services. Open banking allows completely new areas of not-seen-before services. For example, when Macquarie Bank in Australia opened its API to its customers in September 2017, it allowed them to integrate their account information with personal finance software called Pocketbook. This made it possible for customers to get a real-time view of their budgets and manage them properly. Owners of SMEs can also get all their accounts, insurance and loans in one dashboard, without having to feed data in via files.

This single view of all accounts undoubtedly means that users are much more likely to initiate real-time payments because it is so convenient and easy. Real-time payments require fast identification of fraudulent transactions because they are processed as they happen and cannot be reversed; there is no time for manual fraud review steps. Tackling fraud in real-time payments means that relying on historical data alone isn’t sufficient. And with the increase in new schemes without value limits, processing a fraudulent transaction could be very costly.

This issue is huge in terms of retail payments, but when you look at business to business (B2B) payments, which tend to be much higher, the impact of fraud in a real-time environment (domestic or cross-border) could be catastrophic. The bank business case for B2B real-time payments is really strong (both providing a new revenue stream through fee-based services and also enhanced customer service), but without a robust real-time fraud solution for incorrect transactions, there is a danger that these benefits could quickly be turned into damaged relationships through lost funds.

Accuracy is therefore key, but so is speed. Many existing fraud systems have no automated decision workflow and rely mostly on manual review. This makes banks vulnerable to exploitation: they can be hit with a number of sophisticated attacks in short timeframes, e.g. a type of attack that bombards the system, making it hard for a bank’s fraud department to address the multitude of cases and forcing it to act quickly to protect both its customers and itself.

It is essential therefore for a bank to have an integrated real-time fraud and anti-money laundering system, one that has a low error rate, particularly in terms of false positives. Customers using real-time payments expect to see their payments moved instantly, particularly when they have a multi-account view. Frictionless fraud solutions can also increase customers’ level of confidence when they know that their banks make every effort to prevent fraud.

The authentication challenge (beyond KYC)

Data sharing with TPPs could also mean further vulnerabilities for banks. Authentication methods for validating users and the devices they use for transaction initiation help in fighting fraud, but what can be done when the fraudsters have access to the account? Can fraud still be stopped before or mid transaction? Artificial intelligence (AI) may hold the answer. By using an AI-based system that uses sophisticated, self-learning algorithms, banks can identify whether the individual who is accessing the account is the legitimate owner. Coupled with expert business rules, suspicious transactions can be blocked based on real-time behavioral analysis. This approach means that banks can be comfortable in accurately identifying and trapping fraudulent and money laundering transactions as they occur. However, from a transaction fraud perspective this means that the number of fraud cases may increase considerably.

Opening up to the realities of Open Banking

Demand for financial compliance and the increasing levels and variations of financial crime are putting huge pressure on banks. Their legacy processes have grown so complex, with a high level of manual work for screening alerts and other fraud mitigation activities. Each manual step is inefficient and prone to errors. High false positive rates exacerbate this problem and can mean that banks face increased recruitment costs to address the issue. These challenges mean banks are facing greater reputational risk, growing fines, costs and losses to fraud. And now with Open Banking it has never been more important to focus on your financial crime systems.

Having a system that uses AI and focuses on real-time behaviour analysis is essential. These systems build user and customer profiles to detect and stop suspicious transactions with elements such as unusual amounts, abnormal frequency, suspicious location and transactions to not‑seen‑before business partners. Taking into account elements such as transaction amount, currency, transaction type and frequency, parameters can be combined and compared to ‘usual behaviour’ or predefined patterns. These elements provide banks with an essential function: the ability to stop suspicious transactions before the funds are moved. Open banking should not be open house for your enemies; it’s a great opportunity for you to add real value to your customers. Now is the time to ensure this positive change doesn’t become a negative one.
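The profile-based checks described above, sketched as an added example (not Temenos code and not code from this article): each incoming payment is compared with a per-customer profile of usual amounts, locations and payees, and the signals are combined into allow, review or block before funds move. Thresholds, field names and the sample history are assumptions constructed for illustration, and a simple z-score stands in for the self-learning models the article refers to.

```python
from collections import deque, namedtuple
from dataclasses import dataclass, field
from statistics import mean, pstdev

Txn = namedtuple("Txn", "ts amount country payee")  # ts: seconds since epoch
@dataclass
class Profile:
    amounts: list = field(default_factory=list)
    countries: set = field(default_factory=set)
    payees: set = field(default_factory=set)
    attempts: deque = field(default_factory=deque)  # timestamps of recent attempts
    def learn(self, t):
        self.amounts.append(t.amount)
        self.countries.add(t.country)
        self.payees.add(t.payee)

WINDOW_S, MAX_IN_WINDOW, Z_LIMIT, BLOCK_AT = 600, 3, 3.0, 2  # assumed thresholds

def assess(p, t):
    """Decide allow / review / block before the payment is released."""
    reasons = []
    if len(p.amounts) >= 5:  # need some history before judging amounts
        mu, sigma = mean(p.amounts), pstdev(p.amounts)
        if (t.amount - mu) / max(sigma, 1.0) > Z_LIMIT:
            reasons.append("unusual_amount")
    while p.attempts and t.ts - p.attempts[0] > WINDOW_S:
        p.attempts.popleft()  # drop attempts outside the sliding window
    if len(p.attempts) >= MAX_IN_WINDOW:
        reasons.append("abnormal_frequency")
    if p.countries and t.country not in p.countries:
        reasons.append("suspicious_location")
    if p.payees and t.payee not in p.payees:
        reasons.append("new_payee")
    p.attempts.append(t.ts)  # every attempt counts toward frequency
    decision = "block" if len(reasons) >= BLOCK_AT else "review" if reasons else "allow"
    if decision == "allow":
        p.learn(t)  # only clean payments update 'usual behaviour'
    return decision, reasons

def build_profile(history):
    p = Profile()
    for t in history:
        p.learn(t)
    return p

# Constructed sample history: six ordinary payments, one per day.
HISTORY = [Txn(d * 86400, a, "GB", py) for d, (a, py) in enumerate([
    (42, "grocer"), (55, "landlord"), (48, "grocer"),
    (60, "utility"), (51, "grocer"), (45, "landlord")])]
```

A single weak signal, such as one new payee, only routes the payment to review, while two or more signals together block it; this is one way to keep the false positive rate down without letting a clearly abnormal payment through.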
