Combatting fraud in open banking
May 1, 2020 | By Hayden Harrison

How will we enable the frictionless future of open banking? By effectively combatting fraud and financial crime. But open banking poses new challenges in addition to those the industry has dealt with before, notably the introduction of third-party providers into what has traditionally been a relatively closed relationship between a financial institution and its customers.
While regulation offers some guidance for verifying third parties and transaction requests, it’s far from perfect. Mastercard’s solution, Open Banking Protect (which is enabled in part by Konsentus [1]), provides real-time verification of third-party registration status combined with behavioural fraud monitoring and alerts to protect financial institutions and their customers from liability and loss.
We invited Mastercard’s David Head, Vice President for Open Banking Product Management, and Brendan Jones, Chief Commercial Officer at Konsentus to tell us more. Follow the discussion below.
Welcome, Brendan and David. Let’s start by considering the challenges: What is the risk of fraud and financial crime in open banking, and how does this differ from traditional banking and payment risk?
Brendan Jones, Konsentus: We all know that within the payments industry, new payment methods are vulnerable — let’s call it the soft underbelly for financial crime.[2] Open banking is a relatively new concept, and the ecosystem is just at the start of its journey. Financial criminals will look to exploit any vulnerability until the industry can effectively shut them down.
But the construct of open banking is very different to any of the other mechanisms that are familiar to financial institutions today. In the four-party model for card-based transactions, for example, there are well-established mechanisms for financial institutions to deal with financial crime and resolve disputes. In open banking, these mechanisms are still being established — every participant is learning as we go.
David Head, Mastercard: Financial institutions go to a lot of effort to secure the channels between themselves and their customers, whether that be in a branch, over the telephone, via the internet or using a mobile device — that’s a one-to-one relationship. What open banking then does, is put another entity — a third-party provider — between the customer and the bank, opening up new challenges. Not only does the bank need to understand who its customer is, it also needs to understand that this new third-party that’s operating on behalf of the customer is operating legitimately, and that the entity itself hasn’t been compromised in any way.
Brendan: Regulators have taken the view that as TPPs are regulated in their own right, there’s no requirement for them to strike commercial contracts with the banks to access their payment service users’ data. So, banks now face the daunting task of having third-party providers looking to access payment accounts they hold on behalf of payment service users with whom the bank has no established commercial relationship.
How do the risks differ between open banking-enabled payment initiation and account information services?
David: From a customer perspective, the perception of risks between payment initiation and account information services is potentially the opposite of reality. Payment related risk is very tangible — if I’m a victim of payment fraud, that’s real money out of my bank account. It’s very easy to quantify what the loss is. However, the underlying payment system already has levels of protection, and the PSD2 legislation ensures the customer will get their money back. Whereas account information… if someone started intercepting your bank statement data every month, and built up that data and profile on you, on one hand you ask, ‘Well, what can anyone do with that?’ But if criminals get access to that information, they can undertake a number of different potentially bigger fraudulent activities. Particularly in the small business market: if a fraudster can see what kind of payments a business makes, and who it usually pays, they can start instigating some really sophisticated attacks.
Brendan: If criminals are in possession of that information, there’s an awful lot of havoc they can wreak. They can use the accounts for illegal activities such as money laundering and receipt of fraudulent funds.
So, what are the challenges when it comes to validating the regulatory status of third-party providers for financial institutions? How do these challenges impact the financial institutions?
David: End customers, to a certain extent, are protected by PSD2 legislation — if they lose money through an open banking transaction the bank is obliged to pay them back. The challenge and the risk then sits with the financial institution. Therefore, it’s really important for banks to make sure they are dealing with legitimate third-parties to determine whether a transaction should be processed or not.
The challenges come in the way the trust model has been built in Europe: each third party needs to obtain a license from a national regulator, and once they’ve got that license they can passport it to a number of European markets.[3] Immediately, there’s a pan-European dimension — you’re dealing with third-party providers whose home NCA could be in a different country and will therefore be operating under potentially slightly different regulatory regimes.
Then, these providers need to obtain an eIDAS certificate (a digital credential) from a specialist Qualified Trust Service Provider (QTSP) to prove their identity every time they attempt to access a customer’s account.[4]
Brendan: The problem with an eIDAS certificate is that it only proves the validity of a third-party at the time of issue, and certificates can last for a period of up to two years. Within that intervening period, many different things could have happened to the regulated status of the third-party.[5]
Then we come to the challenges at an operational level. I, as a bank, receive an API call from a third-party in possession of an eIDAS certificate. I then need to establish which QTSP issued that certificate to the third-party in order to validate its true identity with the QTSP in real-time. There are approximately 90 QTSPs across the whole of the European Economic Area (EEA).
Secondly, and perhaps the most complex part of this, is that the only legal system of record of authorisation for a third-party provider is its host National Competent Authority — of which there are 31 across the EEA. It’s difficult for a bank to reach out to 31 National Competent Authorities in real-time: all 31 NCAs, across the 115 registers maintained, run on different technology stacks; the information presented is not standardised or consistent, and there’s often duplication or information missing.[6]
I imagine the complexity and risk of error when checking the regulatory status of a third-party provider negatively impacts the experience of the end user wanting to use the service being provided, and any legitimate third-party provider that is wrongly red-flagged…
Brendan: You raise a good point, and the regulation is very specific about this: when a user accesses a service that is provided by a third-party, it must be commensurate with the service they would receive if they were accessing the financial institution directly — there must not be additional latency in the process. If banks aren’t performing to the minimum service level agreements (SLAs) required, then the third-parties have a right to complain to the regulators of the detrimental impact on their business.
Brendan, you’ve said previously that Konsentus spent three and a half years developing its solution before bringing it to market, and that for the first six months everyone you spoke to about it looked at you like you’d “just got off a spaceship.” Tell us more… why didn’t the industry recognise these challenges, and how did you educate them otherwise?
Brendan: When regulation drives change there are many unforeseen consequences, for example: National Competent Authorities not having a responsibility to update QTSPs and vice versa. As with all legislation, the devil is in the detail: it’s only once you start implementing it that you uncover bumps in the road.
Our mission has been one of education, education, education: to inform participants in the market of the issues and challenges they face from a regulatory perspective, and the ‘what if?’ scenarios if things go wrong. As David mentioned earlier, liability resides on the banks’ shoulders — if an end user complains about a fraudulent transaction, they complain to their bank rather than the third-party, and it’s the bank’s obligation to repay any funds lost.
Thankfully a lot of banks are looking to embrace open banking, and see it as an opportunity themselves to act as third-party providers or commercialise open banking APIs, but in the early days there was a lack of understanding — only education has been able to overcome that.
David, when Mastercard was looking to develop its product strategy for Mastercard Open Banking Solutions™, we conducted research with financial institutions to help us understand their challenges. What did we find?
David: We spoke to forty or fifty financial institutions around Europe about open banking, and the consistent number one concern was fraud risk and security. It was clear they felt that the legislation was stacked against them: how should they manage their risks accordingly? It’s a very complicated market, and what the banks were looking for was a solution that made it easier for them to meet their obligations.
We built our Open Banking Protect solution with the banks in mind: Giving them greater confidence that the third-party that’s knocking on their door asking for access to their customer’s data or to make a payment on their behalf is actually who they say they are, and that there’s no evidence they’ve been compromised.
So, how are we doing that then? What is Konsentus’s solution and how does it enable Open Banking Protect?
Brendan: We recognised early on the complexity of checking the regulatory status of a third party: having to reach out to more than 70 QTSPs and 31 NCAs (with over 115 registers) in real-time.
We had a vision to deliver confidence in open banking, and do that by taking away the complexity and the heavy lifting from our customers — the banks. We developed a software-as-a-service (SaaS)-based solution in the cloud called Konsentus Verify, which helps protect financial institutions and their customers from the risk of fraud in open banking. It works by consolidating multiple databases and registers: collecting data from all the QTSPs and all the NCAs across the EEA, along with the two European Banking Authority registers, into a master system of record. We maintain a one-hour service level agreement during normal working hours to check the regulated status of third parties with the relevant NCA; any change is quickly reflected in our master data set.
It’s an online platform that can be consumed in real-time to verify the identity of the third-party provider and positively check the authorisations that the third-party holds at that particular point in time to help the bank to decide whether or not to proceed with a given transaction.
It’s underpinned by an immutable audit log, so every action and activity that takes place within the system is stored and available for our customers to access at a later date in case of dispute. This allows the bank to conform with the requirement of Article 26 Traceability of the Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Communication.
David: There were two things about Konsentus that made it a natural choice to enable Open Banking Protect. First, as Brendan has demonstrated, when an ecosystem is this complicated you have to understand it really well: Konsentus understands what the risks are; what the gaps in the models are… we’re working with a partner that has the expertise.
Second, the solution Konsentus has developed makes it easy for customers to undertake open banking transactions with as little friction as possible. That frictionless experience is what Konsentus Verify helps us provide via Open Banking Protect, and do it faster and using more up-to-date information than any other solution in the market.
Brendan: Konsentus is a very focused and specialised organisation. We deal with the complex issues of identification and regulatory authorisation status within open banking. What was exciting for us… Mastercard had identified quite early on the opportunities that open banking was going to bring its bank customers. The partnership with Mastercard has enabled us to provide these critical services that broaden the Mastercard offering to its clients.
Let’s broaden our consideration to other financial crime risks that might exist in the open banking ecosystem. How can we solve them?
Brendan: The ecosystem is just at the start of its journey, and every participant is learning as we go. There's no doubt that there will be threats in the future; we still have fraud in established channels today, and it would be naïve to think it wouldn't impact open banking.
David: What we’ve identified so far is the risk that the third-party is unauthorised to access the user’s payment information… The other risk to banks and their customers is that the third-party itself has been compromised, either internally by a bad actor or if they’ve been hacked in some way by an external agency. That’s what the second part of Open Banking Protect looks to do. It asks, ‘What are the clues a third-party has been compromised?’
We leverage the capabilities of our NuData business to build up a picture of what normal behaviour looks like for a given third-party. If we see changes in its behaviour — if it starts putting in more requests, or different types of requests; if the transaction amounts suddenly vary significantly — we alert the financial institutions to a potential breach of that third-party so they can respond accordingly. It helps them prevent fraud or loss of funds before they occur.
What is the role of security in growing adoption of end-user trust in open banking?
David: Security is fundamental. At the end of the day, open banking is dealing with people’s money and data; it’s all predicated on a trust that that money and data will remain safe. If open banking is discovered to have flaws, if money disappears from people’s accounts or if their data gets leaked, people won’t use it. All the benefits of open banking will be destroyed.
Brendan: The UK is proving to be a great barometer for what open banking can be. Back in January 2018, there were something like 2 million transactions a month; in March this year, we’re at 409.5 million.[7] The UK now has over 169 authorised third-parties, with at least another 200 in the process of being approved by the UK Financial Conduct Authority.
The transaction volumes represent approximately 2 percent of the UK's banked population: about one million users engaging in open banking services. And they probably don’t even know they’re engaging in open banking services — they just know there’s a new service they’ve signed up to and it’s delivering value.
Security is fundamental — trust has to be developed and maintained in the open banking ecosystem to ensure that payment service users, whether they be consumers, small to medium enterprise, or big businesses, actually engage in using these services and that we don’t end up with a white elephant.
The vast majority of services coming to market are centred around account information rather than payment initiation — will one prevail over the other?
Brendan: We’re always in danger of looking at Europe as one homogenous block, when it’s far from it. The EEA is comprised of 31 member states and the preferred payment method from one country to another can be quite different: here in the UK, for example, we’re a very card-based payment oriented society, especially for eCommerce and in-store point of sale; in other countries like the Netherlands, payment initiation from a bank account is much more commonplace — so open banking-enabled payment initiation services have a much lower barrier to entry.
In mid-2018, Accenture put out a report that predicted that by 2025, at least 30 percent of card-based traffic could move onto open banking rails because of the benefits to merchants of using these new payment types. Open banking is an evolution, not a revolution — we’re only at the start of the journey.
Looking forward, what are your future hopes and predictions for open banking? What are the future challenges, and how might we overcome them?
Brendan: The whole point of the regulation was to foster competition and innovation in the market, and to deliver better financial outcomes for payment service users. If those two things can be achieved, then the regulation has been regulation for good.
I hope, and we’re already seeing moves towards this in both the UK and in Europe, to see a move towards open finance — savings, mortgage and trading accounts, insurance etc. — giving people a much better view of their financial position and access to better deals and so on. And further, to open data: Big tech companies are sitting on a wealth of data — that’s people’s data, and if they want to share it with other providers they should be able to.
David: Open banking is almost here to stay. Already customers are seeing the benefit of having all of their accounts in one place; a lot of lenders are using open banking to make better and faster decisions for their customers. We’re seeing the real benefits of open banking coming through.
The ultimate challenge is making sure that there are compelling propositions for customers, banks and third-parties alike to build, and it’s a balanced ecosystem in terms of risk and reward. If people are making their data available there’s got to be something in it for them.
Underpinning all that, it’s pertinent for this conversation, is that it still has to be secure. If there’s more data available and more things to do with it, then the sophistication of fraudsters will increase. We’ve got to make sure we’re keeping the fences as high as possible.
Brendan: From Konsentus's perspective, and that flows through to our partnership with Mastercard, as new verticals come under the regulatory umbrella, then the new databases that will need to be accessed to collect data from will be in scope of our service and we will broaden our solutions accordingly.
Any final thoughts?
David: It’s been an exciting journey so far. Mastercard is tackling open banking by bringing its existing strengths and assets to work in partnership with all members of the ecosystem to drive a greater number of better, more innovative answers and solutions. We look forward to working with Konsentus, and growing our strategic partnership with them and other specialist technology providers, to do even more of that in the coming years. Forming strategic partnerships is at the heart of what Mastercard does to deliver value for our customers, and in a new area such as open banking they are vital if we want to deliver the best solutions.
Brendan: Open banking is about collaboration; it’s about partnership, and it’s about organisations coming together to collectively deliver greater solutions to the market than any one organisation alone.
[1] In June 2019, Mastercard led a multi-million-pound pre-Series A funding round in Konsentus.
[2] Akamai recently reported a four-fold increase in fraudulent API calls by organisations illegally attempting to access account data over a period of six months in 2019. Most of these were using a technique called credential stuffing whereby fraudsters obtain information from other sources and try to use that to access payment service users’ bank accounts to commit fraud, money laundering and so on.
[3] Passporting allows a firm registered in the European Economic Area (EEA) to do business in any other EEA state without the need for further authorisation from each country.
[4] An eIDAS certificate includes details of the services a third-party provider is regulated to provide (i.e. the data they’re allowed to access and for what purpose) and the jurisdiction(s) in which they’re regulated to operate. In PSD2 certificates this is carried as the PSP roles (account servicing, payment initiation, account information, card-based payment instrument issuing) and the name and identifier of the authorising NCA, encoded in the certificate’s QcStatements extension as specified in ETSI TS 119 495.
[5] If there is a change to a third-party’s regulatory status, there is no legal responsibility for the National Competent Authority to inform the QTSP that there has been a change, and arguably, the NCA might not know which QTSP had issued the certificate for the third-party provider. Likewise, there is no legal requirement for the QTSP to monitor the National Competent Authority databases on a regular basis to ensure there has not been a change. A bank that relies on the certificate alone therefore has no way of telling that an authorisation has been withdrawn or narrowed while the certificate is still within its validity period.
Read Konsentus’ white paper entitled ‘Understanding the data and overcoming the issues’.
[6] A prime example would be a UK-authorised third-party provider operating in Germany under passporting. The German bank would have to refer to the UK’s Financial Conduct Authority, but the FCA doesn’t publish whether a third-party is authorised to operate under passporting laws — that information is only available at the European Banking Authority level.
[7] Source: OpenBanking.org.uk
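The check that the eIDAS discussion above and footnotes [4] and [5] describe, as an added example that is not part of the original article and is not Konsentus’ or Mastercard’s code: decode the PSD2 QcStatement (roles plus authorising NCA) from a certificate with a small DER parser, then decide the API call by consulting a register snapshot rather than trusting the certificate alone, so that a withdrawn authorisation is refused even though the certificate is still within its two-year validity. The OIDs and ASN.1 structure are those of ETSI TS 119 495 as I understand them and should be verified against the current edition; the register entries, organizationIdentifier values, dates and the builder that produces the sample statement are all constructed for the example, and the subject and validity dates are assumed to have been extracted by the TLS layer after normal chain validation.

```python
# Added example (not Konsentus or Mastercard code): decode the PSD2 QcStatement of
# ETSI TS 119 495 and authorise an API call against a register snapshot, not just the certificate.
import datetime as dt

# OIDs from ETSI TS 119 495 (assumed here; verify against the current edition).
OID_PSD2_QCSTATEMENT = "0.4.0.19495.2"
ROLE_OIDS = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
             "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}

# Minimal DER: SEQUENCE 0x30, OBJECT IDENTIFIER 0x06, UTF8String 0x0C.
def der(tag, body):  # encoder: short-form length is enough for the sample statements built here
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_utf8(text):
    return der(0x0C, text.encode("utf-8"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def _read_tlv(buf, pos):  # decoder handles long-form lengths, as real certificates need
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def build_psd2_qcstatement(roles, nca_name, nca_id):
    """QCStatement { id-etsi-psd2-qcStatement, PSD2QcType } as a QTSP would encode it."""
    roles_seq = der(0x30, b"".join(der(0x30, der_oid(o) + der_utf8(n)) for o, n in roles))
    psd2_type = der(0x30, roles_seq + der_utf8(nca_name) + der_utf8(nca_id))
    return der(0x30, der_oid(OID_PSD2_QCSTATEMENT) + psd2_type)

def parse_psd2_qcstatement(stmt):
    """Return {'roles', 'nca_name', 'nca_id'} from one DER-encoded QCStatement."""
    _, body, _ = _read_tlv(stmt, 0)
    (_, stmt_oid), (_, psd2_body) = _children(body)
    if _decode_oid(stmt_oid) != OID_PSD2_QCSTATEMENT:
        raise ValueError("not a PSD2 QcStatement")
    (_, roles_body), (_, nca_name), (_, nca_id) = _children(psd2_body)
    roles = set()
    for _, role_body in _children(roles_body):
        (_, role_oid), (_, role_name) = _children(role_body)
        roles.add(ROLE_OIDS.get(_decode_oid(role_oid), role_name.decode("utf-8")))
    return {"roles": roles, "nca_name": nca_name.decode("utf-8"), "nca_id": nca_id.decode("utf-8")}

# Constructed register snapshot standing in for the live NCA/EBA lookup; the keys are
# hypothetical PSD2 organizationIdentifier values ("PSD" + country + NCA id + PSP id).
REGISTER = {
    "PSDGB-FCA-123456": {"status": "authorised", "roles": {"PSP_AI", "PSP_PI"}, "nca_id": "GB-FCA"},
    "PSDGB-FCA-654321": {"status": "withdrawn", "roles": {"PSP_AI"}, "nca_id": "GB-FCA"},
}

def authorise_request(org_id, not_before, not_after, qcstatement, requested_role, now, register=REGISTER):
    """(allowed, reason); org_id and validity dates come from the already TLS-validated certificate."""
    if not (not_before <= now <= not_after):
        return False, "certificate outside its validity period"
    cert = parse_psd2_qcstatement(qcstatement)
    if requested_role not in cert["roles"]:
        return False, f"certificate does not assert role {requested_role}"
    entry = register.get(org_id)
    if entry is None or entry["nca_id"] != cert["nca_id"]:
        return False, "TPP not in register, or certificate NCA does not match the register"
    if entry["status"] != "authorised":  # the case footnote [5] describes
        return False, f"register status is '{entry['status']}' although the certificate is still valid"
    if requested_role not in entry["roles"]:
        return False, f"register does not list role {requested_role}"
    return True, "ok"

def demo():
    """Three requests presenting the same, still valid, AISP-only certificate profile."""
    now, nb, na = dt.datetime(2020, 5, 1), dt.datetime(2019, 6, 1), dt.datetime(2021, 6, 1)
    stmt = build_psd2_qcstatement([("0.4.0.19495.1.3", "PSP_AI")], "Financial Conduct Authority", "GB-FCA")
    return (authorise_request("PSDGB-FCA-123456", nb, na, stmt, "PSP_AI", now),  # allowed
            authorise_request("PSDGB-FCA-654321", nb, na, stmt, "PSP_AI", now),  # withdrawn in register
            authorise_request("PSDGB-FCA-123456", nb, na, stmt, "PSP_PI", now))  # role not in certificate
```

Calling demo() gives one allowed request and two refusals: the second request carries a certificate that is still within its validity period but whose holder the register lists as withdrawn, which is exactly the gap footnote [5] points at, and the third asks for payment initiation with an account-information-only certificate. The order of checks matters for the audit trail the interview mentions: the reason string records which source (certificate or register) refused the call, so a dispute later can show that the bank acted on the register’s status at the time.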