4 Ways Open Finance Uplevels Security
August 28, 2023 | 2 min read
Our recent webinar with David Whitcomb, VP of Product at MX, and Ron Shevlin, Chief Research Officer at Cornerstone Advisors, generated tons of questions from our audience about Open Banking and data aggregation. Answers to each question are below. You can also watch a replay of the full 5 Questions in 25 Minutes With Cornerstone Research webinar.
Do you see banks embracing or shunning Open Banking? If so, why?
Whether a bank embraces or shuns Open Banking depends on the institution and its definition of Open Banking. From an MX perspective, Open Banking is based on these guiding principles:
This requires new financial infrastructure, like APIs, that enables secure, standardized sharing of financial data between providers based on the consent of their mutual consumers. With access and portability, consumers become decision-makers with the ability to connect to a broader range of financial products and services. This breeds choice and optionality, which leads to a more open, competitive marketplace.
In a closed financial system, only a few win. Everyone wins in an open financial system, including incumbents and traditional financial institutions. An open data ecosystem empowers incumbents and traditional financial institutions to retain consumer relationships, reduce costs and risks, generate new revenue and profit models, and improve user experiences.
Are you seeing improved account linking rates from where we were 2 to 3 years ago?
As Ron Shevlin shared, there are improved account linking rates compared to 2 to 3 years ago. But unfortunately, the industry is still not where it needs to be.
While the industry has made great strides around Open Finance, which directly impacts account linking rates, the transition from legacy technologies to newer technologies such as OAuth and Direct APIs is essential to improving account linking rates in the long run. Direct, tokenized connections will improve account linking rates while simultaneously delivering a more engaging UX and reducing risk.
How can community banks and credit unions influence their core processors to enable Open Finance? How can vendor partners assist?
It starts with a conversation. In your quarterly business review, CAB meeting, or bi-annual roadmap review session with your core processor, present the problems faced by your end-users. Aim to ensure everyone at least understands and agrees with the problems (and priority of the problems) that need to be solved.
Collaboration and alignment with other community banks, credit unions, and shared technology partners is a powerful way to gain buy-in and alignment - and ultimately, influence your core provider's roadmap.
How does the MX platform permit the ability to assess financial health? Does the platform have APIs that permit access to the data from MX, or does the platform have dashboards that permit visual representations of this information?
Assessing financial health is dependent on three things:
Through its aggregation technologies, MX provides organizations and their consumers with consistent, secure access to all of their financial accounts in a single location. This establishes the foundation to access the financial data needed to assess financial health.
While an organization may have access to all of its consumer's financial accounts and data, data without context is meaningless. MXdata cleanses, categorizes, and adds proper context to consumers' financial data to deliver value and insights to organizations and consumers.
After establishing the essential foundation needed to assess financial health, MX can return this data to an organization through its APIs. We can also display it through one of its multiple pre-built dashboards that deliver personal financial management, predictive financial guidance, and financial wellness capabilities that translate data into actionable insights.
What role do credit cards and debit cards play in aggregation?
From an MX perspective, we provide the connection layer of banking APIs that bring together backend systems — e.g., cards, core, documents, checks, and more — helping clients create intuitive and seamless experiences across the entire consumer journey.
Will FedNow speed up the adoption of Open Banking for the U.S. market? It seems real-time payments augment data value exchange.
In short, yes. Quick, reliable access to financial data is one of the foundations of Open Banking. Technologies such as OAuth and Direct APIs will be essential drivers in providing access to such financial data. The key is what can be done once given access to this data. If speed increases but the actionability of the data stays stagnant, the true impact of real-time payments will not reach its full potential. For real-time payments to truly impact the adoption of Open Banking, it is key that the data is both accessible and actionable.
How do you evaluate an API’s security level, that is, the ability to protect against attacks?
Most cybercrime isn't the result of sophisticated man-in-the-middle attacks. Instead, scammers trick people into giving them credentials. They rely on a combination of persistence, luck, and the laziness of their victims, who often reuse passwords inappropriately or engage in other risky behavior out of a desire to save time or effort. Modern guidance from NIST and other industry experts now says that people are most secure when you make it easy for them to be secure.
That's why OAuth connections are so crucial to not just customer experience but security as well. Removing credentials from the equation is the number one thing institutions can do to reduce the risk of cyberattacks.
The only type of attack most aggregators are truly vulnerable to is a specific type of fraud called Credential Stuffing, where an attacker takes thousands of credentials from a data breach outside of a financial institution and then uses an aggregation service to see if someone reused their compromised credentials for online banking. Once they get a hit, they can more precisely target a victim and drain their bank account. Removing credentials effectively removes that single vulnerability.
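The credential-stuffing pattern described above has a recognizable footprint on the aggregator side: one source trying many distinct usernames in a short window, almost all of them failing. The following is an added example (not MX's code, and not from the original post) of detection logic a defender could run over aggregator login logs. The log format, the sample lines and the thresholds are constructed assumptions for illustration.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data): "<timestamp> <source-ip> <username> <result>".
# 203.0.113.7 sprays six different usernames in ~20 seconds (one of them succeeds),
# 198.51.100.2 is a normal user retrying their own password,
# 192.0.2.9 is a shared egress address whose logins are spread over an hour.
SAMPLE_LOG = """\
2023-08-28T10:00:01Z 203.0.113.7 alice FAIL
2023-08-28T10:00:03Z 198.51.100.2 carol FAIL
2023-08-28T10:00:05Z 203.0.113.7 bob FAIL
2023-08-28T10:00:09Z 203.0.113.7 dave FAIL
2023-08-28T10:00:12Z 198.51.100.2 carol FAIL
2023-08-28T10:00:14Z 203.0.113.7 erin FAIL
2023-08-28T10:00:18Z 203.0.113.7 frank FAIL
2023-08-28T10:00:22Z 203.0.113.7 grace OK
2023-08-28T10:00:30Z 198.51.100.2 carol OK
2023-08-28T10:15:00Z 192.0.2.9 heidi FAIL
2023-08-28T10:30:00Z 192.0.2.9 ivan FAIL
2023-08-28T10:45:00Z 192.0.2.9 judy OK
2023-08-28T11:00:00Z 192.0.2.9 mallory FAIL
2023-08-28T11:15:00Z 192.0.2.9 niaj OK
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, source, username, succeeded)."""
    ts, src, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, user, result == "OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_distinct_users=5, min_fail_ratio=0.8):
    """Flag sources that, within any sliding `window`, attempt at least
    `min_distinct_users` different usernames with a failure ratio of at
    least `min_fail_ratio`. Returns {source: stats-of-last-qualifying-window}.
    Thresholds are illustrative assumptions, not industry constants."""
    events_by_src = {}
    for line in log_text.strip().splitlines():
        when, src, user, ok = parse_line(line)
        events_by_src.setdefault(src, []).append((when, user, ok))

    flagged = {}
    for src, events in events_by_src.items():
        events.sort()               # logs may arrive out of order
        win = deque()               # events inside the current sliding window
        for ev in events:
            win.append(ev)
            # Drop events older than `window` relative to the newest event.
            while ev[0] - win[0][0] > window:
                win.popleft()
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            ratio = fails / len(win)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                flagged[src] = {"distinct_users": len(users),
                                "failures": fails, "attempts": len(win)}
    return flagged


if __name__ == "__main__":
    for src, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {src}: {stats}")
```

Only the spraying source is flagged: the retrying user touches a single username, and the shared address never places enough distinct usernames inside one five-minute window. A successful login inside a flagged window is the "hit" the post refers to, which is why a detector should alert on the window rather than suppress the alert once a login succeeds.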
Could MX be viewed as an "aggregator of aggregators" (i.e., does MX connect to other aggregators in the space to maximize connectivity/coverage)?
When we started, MX did have a multi-aggregator approach. However, today, we are the industry leader in direct API connections — with secure and reliable connections to some of the country's largest banks. Our short- and long-term technology strategy is rooted in modern, direct-to-source relationships and connections.
Our industry-leading connections provide access to tokenized, credential-free API connections built with the highest security and industry standards, so our clients can build consumer trust and loyalty. Our open data ecosystem spans 13K financial institutions and more than 200 million consumers.
What technology is best suited for good APIs? What do we look out for?
The most obvious factors are coverage, reliability, and user experience.
When discussing coverage with vendors, ensure you understand how the vendors measure coverage. Ninety percent coverage of financial institutions is very different from 90% of all deposit accounts. Ask questions to learn more about how a vendor defines those numbers before you come to a final judgment.
The other two factors — reliability and user experience — are closely related. Look for connections with little downtime and short wait times that don't constantly require your clients to re-enter credentials or redo multifactor authentication when they're trying to use them. Long wait times, broken connections, or continually having to re-input credentials can lead to poor user experiences and worse adoption of your APIs. When considering reliability and user experience, you have to realize that even if you're very up-front about the fact that you're using a third party, your clients will inevitably blame you if they have a bad experience.
Do data aggregation vendors typically have contractual permission from the financial institution to use the end-user data for other purposes beyond those of the financial institution?
This varies by data aggregation vendor. Ideally, there is an established, cohesive relationship between aggregators and FIs that benefits all parties involved - the aggregator, the FI, and most importantly, the consumer. The details of these relationships can vary from aggregator to aggregator, and the context in which end-user data can be used can also vary, ranging from selling anonymized consumer data to third parties to strictly using consumer data for the FI involved.
Consumer privacy, convenience, and agency motivate fintech adoption by consumers in P2P, wallets, etc. These are used by illicit actors as well. Can you describe how these technologies enhance or obfuscate illegal activities? What transparency and accountability do fintechs provide FIs as "black box" solutions seem to induce risks to FIs in the regulatory space?
Regarding risk management, let's return to the closed system approach based on keeping data within a secure institution. This has been a good thing in the context of cybersecurity, and banks are generally excellent at safeguarding NPI from hacking attempts and other vulnerabilities. Now, technology has evolved to the extent that fintechs and aggregators can provide that same level of cyber resilience, including scrutiny over the security of their partners' source data systems. Furthermore, fintechs and FIs are increasingly outsourcing cybersecurity and other core business functions to TSPs.
As cyber moves more off-premises and towards SaaS-based solutions, the 'keeping data in' approach becomes obsolete. Because nonbanks can now provide bank-like security and even utilize the same TSPs as financial institutions, they must be compelled by the same risk management rules where activities align. This is why we advocate for direct federal oversight of nonbank actors and reforms to Reg E that impose common sense liability mandates.
Simultaneously, as Open Banking and Open Finance become more mainstream within the market, the technologies and practices associated with them provide greater protections for consumers and the FIs with whom they have relationships. For example, MXaccess enables consumers to dictate who has access to their data and when. MX's APIs will only access the data necessary to execute the job and not any additional information. Illicit actors will evolve simultaneously with the industry, but as technology and necessary federal oversight progress, risk will continue to be reduced.
Suppose the bank provides more data than necessary (doesn't have throttling capability) and expects the aggregator to manage to the scope of the user consent. How do you view the aggregator's responsibility toward consumer privacy?
At MX, we see Open Banking and privacy as intrinsically combined. New privacy methods must reflect the realities of the digital age and consumers who want privacy and expect personalization. The 'how' comes back to our open banking principles. First, individuals own their data. Second, they have the right to share it with third parties. Open Banking actualizes these principles through networks of permissioned sharing over secure connections. To MX, the new definition of "permissioned" must be a dynamic, multi-pronged approach that accounts for the complexities of the data ecosystem. This includes an individual's right to:
Because Open Banking is the financial infrastructure of the future, innovators have an incredible opportunity to employ privacy-by-design, incorporating ethical data principles through privacy-preserving technology at the foundation. At MX, this is part of our moral imperative, but it also serves as a strategic one.
Competition is a critical benefit of Open Banking. Soon, a company's privacy policies will emerge as a market differentiator. This is for two reasons.
In addition, Open Banking with standardized data sharing and enhancement can produce clean, complete data sets and actionable insights. This impacts privacy by prioritizing quality data over quantity, which has natural, positive impacts on data minimization.
When assessing data providers from a privacy and consent perspective, MX only collects data that has been permissioned. In addition, we perceive ourselves as a steward of the data on behalf of the client. With industry lawsuits resulting from accusations that data utilization was outside of the scope of user consent, it is crucial to understand what is being collected at the point of user consent by your data partner, as well as the data partner's data storage and security policies.
How does a financial institution measure return on investment (ROI) for integration/aggregation costs?
Financial institutions experience positive ROI when they work with aggregators such as MX to improve the data sharing experience. By whitelisting an aggregator's IP addresses, or by developing or purchasing an API for aggregators to connect to, they can provide their customers with a faster, more reliable connection experience, which helps with customer retention. These secure connections require fewer server resources (cost-saving) and enable a bank to focus its security efforts on real cyber threats.
What's the difference between Open Banking and Open Finance?
Open Finance is the next step beyond Open Banking, enabling access and sharing of consumer data to even more financial products and services — not just banking. This includes loans, consumer credit, investments, and pensions. It also enables broader integration of financial data with non-financial industries, such as healthcare and government.
In Open Finance, consumers grant trusted third parties access to their financial footprint for better experiences and personalized solutions to improve financial wellness.
What is the role of standards like FDX in driving open banking adoption and growth in the U.S.?
MX is a member of the Financial Data Exchange (FDX) and FDX Board of Directors. FDX is an industry nonprofit with a diverse membership, including FIs, fintechs, and aggregators. Its API standard is a secure, transparent consumer-first approach that, importantly, supports interoperability through broad migration of the industry to a common standard. Interoperability is essential to realizing the potential of Open Banking (e.g., full access to data for the consumer, secure, seamless connectivity, and a level playing field for smaller institutions to utilize innovative solutions).