Open banking constitutes a transformative shift where customers can seamlessly explore novel financial offerings from authorized third-party providers. This innovation is facilitated by financial institutions crafting Application Programming Interfaces (APIs) that align with the central bank standards of a country.
When people read “decentralized” and “open,” the first question they ask is: is it safe?
As a pioneer of open finance in Southeast Asia, we at Brankas consider it our responsibility to give a clear picture of the industry’s cybersecurity developments in the region. It is a complex topic that keeps evolving as the infrastructure is strengthened, but open finance is a far cry from the lawless digital landscape that some people imagine it to be. In fact, the industry is constantly looking for ways to collaborate with governments, non-profits, and financial institutions to make open banking as safe as it can be.
Let’s look at three common misconceptions about open finance security and the real situation behind them.
Misconception 1: The industry is unregulated.
Open APIs streamline the process so that end-users can make financial transactions through apps, such as sending money or making payments, without leaving the app. The user experience has been simplified, but that doesn’t mean regulation and oversight have been skipped: the operations of third-party finance API providers are still subject to global standards and certifications.
Let’s take a closer look at two certifications that Brankas recently obtained and how we implement them in our products and services.
- ISO 27001 (formally ISO/IEC 27001) specifies the requirements for an information security management system (ISMS); certification attests that an independent auditor found the organization’s ISMS to meet them. Its controls cover areas such as a secure application development life cycle, data protection, business continuity readiness, and staff awareness training, and a well-run ISMS also improves resilience against cyberattacks and reduces the cost of security incidents.
- PCI-DSS, the Payment Card Industry Data Security Standard, applies to any organization that accepts, processes, stores, or transmits payment card data. It is maintained by the PCI Security Standards Council (PCI SSC) and consists of 12 requirements. Being PCI-DSS certified means that an organization maintains a secure environment wherever cardholder data is handled.
How Brankas implements some of these controls:
- Establishing and monitoring network security through a detailed firewall configuration, oversight of incoming and outgoing traffic, restricted administrative access, and anti-spoofing rules that drop packets claiming an internal source address when they arrive from outside the private network.
- Secure application development practices, such as secure coding standards and regular code reviews.
- A Vulnerability Management Program that combines regular vulnerability scanning of the network with scheduled penetration testing. Remediation starts as soon as a flaw is detected.
Misconception 2: It’s dangerous for banks to share their financial data with third-party open API providers.
As open banking is still being established in most of Southeast Asia, banks are generally hesitant to share their data, including customers’ payment habits and spending patterns. This is closely tied to the first misconception: the belief that third-party API vendors are unregulated and therefore can’t be trusted to handle data correctly. Some people even fear that third-party apps are effectively phishing tools that harvest login credentials for identity theft.
Nothing could be further from the truth. The certifications above treat correct handling and transmission of data as a condition of compliance, not an afterthought.
Here are some of the ways that Brankas complies with data privacy policies:
- A designated Data Protection Officer who is accountable for data privacy compliance, creates and evaluates data protection policies and their implementation, and advises on data privacy impact assessments.
- “Data minimisation”: we collect and process only the personal data we truly need.
- Secure protocols for data in transit (TLS 1.2) and encryption for data at rest (AES-256), so that anyone who intercepts traffic or copies stored data without the key can neither read it nor link it to a particular person.
- We do not store, process, or transmit cardholder (PCI) data. For the data we do hold, we enforce “least privilege” access control: employees can reach only the information and systems their job function requires, and access rights are reviewed periodically.
- Multi-factor authentication, integrated with employee single sign-on, so that only authorized persons can access systems and data.
- An incident response process that notifies supervisory authorities and affected data subjects in the event of a personal data breach.
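The in-transit and at-rest controls in the list above, shown as an added example in Go (this is not Brankas code; the helper names and the sample record are hypothetical): a tls.Config that refuses anything below TLS 1.2, and AES-256-GCM seal/open for stored records. The record identifier is passed as additional authenticated data, so a ciphertext copied from one record to another fails to decrypt. Note that encryption keeps the data from whoever lacks the key; it is not a substitute for the minimisation and access-control items in the same list.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// keyLen is 32 bytes: aes.NewCipher selects AES-256 from the key length.
const keyLen = 32

// transitConfig returns a TLS configuration that rejects any peer offering
// a protocol version below TLS 1.2 (hypothetical helper for this example).
func transitConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
	}
}

// sealRecord encrypts plaintext with AES-256-GCM and returns nonce||ciphertext.
// aad (e.g. the record identifier) is authenticated but not encrypted, so the
// ciphertext only opens under the same identifier it was sealed with.
func sealRecord(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: GCM is broken by nonce reuse under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openRecord reverses sealRecord; any change to ciphertext, nonce or aad
// makes gcm.Open return an error instead of plaintext.
func openRecord(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record for this example; not real customer data.
	record := []byte(`{"account":"1234567890","balance":1500.25}`)
	aad := []byte("record-id:42")

	sealed, err := sealRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	plain, err := openRecord(key, sealed, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %s\n", plain)

	// The same ciphertext presented under another record id is rejected.
	if _, err := openRecord(key, sealed, []byte("record-id:43")); err != nil {
		fmt.Println("moved ciphertext rejected:", err)
	}
	fmt.Printf("minimum TLS version enforced: 0x%04x\n", transitConfig().MinVersion)
}
```

In a real deployment the data key would come from a key management service rather than be generated in main, and the nonce||ciphertext blob is what lands in the database column.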
Open API providers are just as concerned with data breaches and cyberattacks, and are constantly working to improve their cybersecurity measures. There has to be a balance where financial institutions can share their data and be assured that they will remain safe. Data sharing encourages innovation and growth. It can lead to a more intuitive, relevant, and resilient financial industry that benefits everyone, especially those who don’t have access to banking.
Misconception 3: The industry is not establishing standardized policies.
While it would seem that open banking policy development in Asia is lagging behind other regions, this doesn’t mean that the industry is not actively mobilizing and coordinating with related organizations to implement and comply with global open finance standards.
Open finance companies in Asia aim to establish a standard similar to the European Union’s revised Payment Services Directive (PSD2), which sets out clear rules for open banking payments and consumer protection (including data privacy). In November 2021, a group of global fintech and security compliance firms, including Plaid, MX, Flinks, and Secureframe, proposed the Open Finance Data Security Standard (OFDSS) framework. OFDSS aims to address the consumer financial data security risks that challenge new fintech companies, and, for data sharing specifically, to give banks assurance that the API providers they connect to will protect consumer information. We at Brankas agree that this is a huge step in the right direction.
Aside from supporting open finance security policies, Brankas creates various opportunities to educate and encourage discussions about financial inclusivity in the region. In December 2021, we joined the non-profit Open Banking Exchange (OBE) Asia as a founding member. Already established in Europe, OBE aims to build a community in Asia to help create common standards by sharing best practices and experiences from other regions. Through OBE, Brankas aims to turn regulatory standards into actual operational measures.
Open banking is an exciting development that will continue to revolutionize financial services in the region. There are still challenges ahead, but the industry is committed to partnering with everyone to identify and address all concerns, and anticipate potential growth. The key is to create an environment where stakeholders and thought leaders can freely share their ideas and discuss their challenges. This is the only way we can continually innovate, provide solutions, and discover new opportunities for financial inclusivity.