An organization called the Competition and Markets Authority (CMA), a non-ministerial government department in the UK responsible for strengthening business competition, has mandated that technology be used to give people greater control over their money. One method of this is via Open Banking, where banking is to be conducted in an open modular style, using open source technologies. This means that the nine largest current account providers (known as the CMA-9) will be mandated to make available to authorized third parties the following:
- Standardised product and reference data (such as ATM locations) by March 31, 2017
- Secure access to specific current accounts in order to read the transaction data and initiate payments (by January 2018)—with customer consent.
This involves the creation of secure APIs by the banks that will be able to perform these activities on your account. This will allow third party providers, such as FinTech companies, to be able to write applications that consume these APIs and perform these financial transactions on your account.
Now, I tend to look at such technological developments with two hats on. First, as an Identity and Access Management professional, I look at the security elements. The security around open banking uses the concept of consent, that of delegating authority to perform actions on our accounts to a third party. OAuth2 is a type of authorization protocol used here: it is successfully incorporated into applications such as Facebook to provide delegated authorization. I myself have configured its use within, for example, ForgeRock’s Access Management product OpenAM. I have also worked on an Open Banking project and have been involved in working groups involving the CMA-9, so I know that far greater intellects than mine are involved in making this a success (which should make people sleep a little easier).
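As an added illustration of consent as delegated authority (example code written for this post, not from OpenAM, the Open Banking standard or any bank's API; the token format, scope names, customer and client identifiers and the signing secret are all assumptions): the authorization server records exactly what the customer agreed to on the consent page, and the bank's API refuses any action that consent does not cover, has expired, or was given for someone else's account.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real authorization server would sign with a private key.
AS_SECRET = b"demo-secret-not-for-production"
# Assumed scope names for the two kinds of access a third party may be granted.
SCOPE_FOR_ACTION = {"read_transactions": "accounts:read",
                    "initiate_payment": "payments:initiate"}

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_consent_token(customer_id, client_id, scopes, ttl=300, now=None):
    """Authorization server: record the consent the customer gave (which third
    party, whose account, which actions, until when) and sign that record."""
    now = int(time.time()) if now is None else now
    claims = {"sub": customer_id, "client": client_id,
              "scope": sorted(scopes), "exp": now + ttl}
    body = _b64e(json.dumps(claims, sort_keys=True).encode())
    sig = _b64e(hmac.new(AS_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token):
    """Return the claims if the signature is genuine, otherwise None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(AS_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(sig), expected):
            return None
        return json.loads(_b64d(body))
    except (ValueError, json.JSONDecodeError):
        return None

def authorize_request(token, action, customer_id, now=None):
    """Bank API: allow the action only when the token is genuine, unexpired,
    issued for this customer's account, and its scopes cover the action."""
    now = int(time.time()) if now is None else now
    claims = verify_token(token)
    if claims is None:
        return False, "token invalid or tampered"
    if claims["exp"] <= now:
        return False, "consent expired"
    if claims["sub"] != customer_id:
        return False, "consent was given for a different account"
    if SCOPE_FOR_ACTION[action] not in claims["scope"]:
        return False, "action not covered by the customer's consent"
    return True, claims["client"]
```

A third party that was granted read-only access cannot initiate a payment with the same token, and any edit to the consent record invalidates its signature.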
But as a consumer, when it comes to technology in my day-to-day life, I tend to be something of a late adopter. This naturally identifies me as being someone who is more risk-averse. That is doubly evident when it comes to my finances. So much of security is based on digital trust (in SAML terms, the exchange of identifying metadata between two parties). However, outside the digital world, trust is difficult to establish and easy to lose. We rely on our gut instinct, or research, or maybe word of mouth to make important decisions. Therefore, if I see a consent page saying something along the lines of:
“Payment App by Honest John’s Fintech Co. would like permission to make a payment from your bank account on your behalf.”
My first instinct in this case is to close the window and reach for my credit card to make the transaction. At least in that case, I will know the parties accountable for making the end-to-end transaction and who is responsible if there is a problem. What if (with my tech head on) this is a man-in-the-middle attack, and I’m about to hand my banking details to a malevolent third party?
Regardless of the plans of the CMA-9 and associated working parties to open up banking to third party providers, I believe it will take more of a concerted effort to convince the general public that open banking will be safe, secure and fit for purpose. I am looking forward to hearing more on this subject from the government in the coming months.