Australian Review Recommends the UK's Open Banking Standards
Last week, I was pleased to see the Australian Open Banking Review team, chaired by Scott Farrell, had released their final report. Commissioned by Treasurer Scott Morrison MP in July 2017, the charter of the review was to recommend a regulatory framework under which an open banking regime would operate and the necessary instruments (such as legislation) required for support and enforcement. It also aimed to recommend the best approach to implementing Open Banking in Australia.
At Ping Identity here in Australia, we welcome the release of this important document with open arms. We believe it will chart a course for secure digital interaction between service providers and application developers well beyond its initial scope of financial services in Australia.
During the review process, Ping's CEO Andre Durand and members of our CTO group met with the Open Banking Review team to relay our experience working on the UK's Open Banking platform and with three of the CMA9, the nine largest banks and building societies in Great Britain and Northern Ireland. Since the official launch of Open Banking on January 13 this year, some major banks have published Open Banking-compliant APIs and fintechs have integrated applications using the standards, to enable secure interaction between their companies.
Our technology was selected by the Open Banking consortium to play a key role in the architecture: it underpins the Open Banking service that manages the registration process and lifecycle for Account Servicing Payment Service Providers (ASPSPs), Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). Our consultants also worked closely with the teams developing the Open Banking APIs and security standards, using their deep knowledge of the OAuth 2.0 and OpenID Connect 1.0 specifications, which were co-authored by Ping personnel working with the IETF and the OpenID Foundation.
The Australian Review specifically mentions the UK's work on the EU's Second Payment Service Directive (PSD2) and recommends the UK's Open Banking standards as a starting point for Open Banking in this country:
Recommendation 5.2 - starting point for the data transfer standards
"The starting point for the standards for the data transfer mechanism should be the UK's Open Banking technical specification. The specification should not be adopted without appropriate consideration, but the onus should be on those who wish to make changes."
This recommendation will enable the Australian Open Banking effort to move quickly toward implementation. Working from an existing standard that is itself built on foundational authentication and authorisation standards, the Australian industry will have confidence to build its services and applications. In my opinion, any divergence from the UK standard should be carefully considered and communicated to the UK Open Banking programme. The last thing application developers want is significantly different Open Banking standards across jurisdictions.
Interactions between consumer applications and the banks and other financial services companies are performed using RESTful APIs standardised by Open Banking. Application flows don't force direct communication with the Open Banking service; in this way the architecture avoids a single "clearing house" which could be a single point of failure or a honeypot for attackers, as pointed out on page 50 of the review.
Consumers will also be reassured by an authentication experience they already know. Being redirected to the bank's own login screen will feel familiar from logging in to third-party apps via social media services.
Security is a key concern due to the nature of the data being accessed. It's pleasing that the review calls out multi-factor authentication (MFA, Recommendation 5.5) as an important security measure, which is consistent with direct interactions between data holders and customers.
It's been my position for the last couple of years that MFA is no longer optional: all online services should be offering MFA, preferably using push notifications as the default communication mechanism to help prevent attacks on MFA via SMS.
The mandatory implementation of MFA, together with standards-based authentication flows built on OpenID Connect that redirect the user to the data holder's login page (Recommendation 5.4), will greatly assist in eliminating insecure practices. In particular, it makes "screenscraping" preventable: the practice of asking end users to enter their credentials into a third-party application so that the application can log in to the data holder's service on the user's behalf. As specified on page x of the executive summary:
Open Banking should not prohibit or endorse 'screenscraping', but should aim to make this practice redundant by facilitating a more efficient data transfer mechanism.
In my opinion, this recommendation could have gone further. Screenscrapers should be banned from replaying end user credentials to banking services. The use of an Open Banking authentication API based on OpenID Connect should be mandatory.
The issue of informed consent is another important topic covered in the review. Consumers must at all times be aware to whom they are giving access to their data and how long that consent lasts, and they must be able to review and potentially remove their consent at a granular level at any time in the future. Recommendation 4.5 - customer control states:
A customer's consent under Open Banking must be explicit, fully informed and able to be permitted or constrained according to the customer's instructions.
I believe it's the responsibility of the industry as a whole to build informed consent management and communication into all consumer services in a way that gives the end user confidence about how their data is used and shared. There are consent models and commercial products available that allow this to be implemented. This Open Banking requirement may be the example that pushes other consumer services to adopt end user consent as a standard feature.
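To make the redirect-based flow and the consent controls discussed above concrete, here is an added example that is not part of the original post and not code from any Ping product. It is a self-contained Python model of a data holder's authorisation server and resource API in one object: the third-party app (hypothetical client id `budget-app` with redirect URI `https://budget.example/cb`) never handles the customer's password or MFA code, consent is recorded per scope with an expiry, the single-use authorisation code is bound to the client and redirect URI, and the customer can later withdraw individual scopes or the whole consent, after which the app's token stops working. All names, scopes and credentials are constructed for the example; a real deployment would use a conformant OAuth 2.0/OpenID Connect server rather than this toy.

```python
"""Toy model of the redirect-based consent flow (constructed example).

The third-party app only ever sees an authorisation code and an access
token; authentication (password + MFA) happens at the data holder.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

# Scopes the data holder is willing to grant (constructed for the example).
ALLOWED_SCOPES = {"accounts:read", "balances:read", "transactions:read"}


@dataclass
class Consent:
    customer: str
    client_id: str
    scopes: set
    expires_at: float
    revoked: bool = False

    def active(self, now=None):
        now = time.time() if now is None else now
        return not self.revoked and now < self.expires_at and bool(self.scopes)


class DataHolder:
    """The bank's authorisation server and resource API, combined for brevity."""

    def __init__(self):
        self.clients = {}   # client_id -> registered redirect_uri
        self.users = {}     # username -> (password, mfa_code)
        self.consents = {}  # consent_id -> Consent
        self.codes = {}     # auth code -> (client_id, redirect_uri, consent_id, expiry)
        self.tokens = {}    # access token -> consent_id

    def register_client(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    def register_user(self, username, password, mfa_code):
        self.users[username] = (password, mfa_code)

    def authorize(self, client_id, redirect_uri, requested, username, password,
                  mfa_code, approved, duration_s=90 * 24 * 3600):
        """Endpoint the browser lands on after the app's redirect.

        Credentials are checked here only; the app never receives them.
        The customer may approve fewer scopes than the app requested.
        """
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        stored_pw, stored_mfa = self.users.get(username, ("", ""))
        if not (hmac.compare_digest(stored_pw, password)
                and hmac.compare_digest(stored_mfa, mfa_code)):
            raise PermissionError("authentication failed")
        scopes = set(requested) & set(approved)
        if not scopes or not scopes <= ALLOWED_SCOPES:
            raise ValueError("no valid scope approved")
        consent_id = secrets.token_urlsafe(8)
        self.consents[consent_id] = Consent(username, client_id, scopes,
                                            time.time() + duration_s)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, consent_id, time.time() + 60)
        return code  # delivered to the app via the registered redirect_uri

    def token(self, client_id, redirect_uri, code):
        """Back-channel exchange of a single-use code for an access token."""
        entry = self.codes.pop(code, None)  # pop: a replayed code is rejected
        if entry is None:
            raise PermissionError("invalid or reused code")
        c_id, r_uri, consent_id, expiry = entry
        if c_id != client_id or r_uri != redirect_uri or time.time() > expiry:
            raise PermissionError("code not valid for this client")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = consent_id
        return token

    def api_call(self, token, scope):
        """Resource API: every call is checked against the live consent."""
        consent = self.consents.get(self.tokens.get(token))
        if consent is None or not consent.active() or scope not in consent.scopes:
            raise PermissionError("access denied")
        return {"scope": scope, "customer": consent.customer}

    def list_consents(self, username):
        """What the customer sees on a 'manage access' page."""
        return {cid: c for cid, c in self.consents.items()
                if c.customer == username and c.active()}

    def revoke(self, username, consent_id, scopes=None):
        """Withdraw selected scopes, or the whole consent when scopes is None."""
        consent = self.consents[consent_id]
        if consent.customer != username:
            raise PermissionError("not the consent owner")
        if scopes is None:
            consent.revoked = True
        else:
            consent.scopes -= set(scopes)


def allowed(bank, token, scope):
    try:
        bank.api_call(token, scope)
        return True
    except PermissionError:
        return False


def run_demo():
    """Walk through authorise -> token -> API -> partial and full revocation."""
    bank = DataHolder()
    bank.register_client("budget-app", "https://budget.example/cb")
    bank.register_user("alice", "correct horse", "123456")  # constructed
    code = bank.authorize("budget-app", "https://budget.example/cb",
                          ["accounts:read", "balances:read", "transactions:read"],
                          "alice", "correct horse", "123456",
                          approved=["accounts:read", "balances:read"])
    tok = bank.token("budget-app", "https://budget.example/cb", code)
    out = {"accounts": allowed(bank, tok, "accounts:read"),
           "transactions": allowed(bank, tok, "transactions:read")}
    cid = next(iter(bank.list_consents("alice")))
    bank.revoke("alice", cid, scopes=["balances:read"])
    out["balances_after_partial"] = allowed(bank, tok, "balances:read")
    out["accounts_after_partial"] = allowed(bank, tok, "accounts:read")
    bank.revoke("alice", cid)
    out["accounts_after_full"] = allowed(bank, tok, "accounts:read")
    try:
        bank.token("budget-app", "https://budget.example/cb", code)
        out["code_replay"] = True
    except PermissionError:
        out["code_replay"] = False
    return out


if __name__ == "__main__":
    print(run_demo())
```

The two properties the post cares about fall out directly: the app's only inputs are the code and token, so there is no credential for a screenscraper to replay, and because `api_call` re-checks the consent record on every request, a customer's revocation on the bank's own consent page takes effect immediately and per scope.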
The Australian team at Ping Identity is looking forward to working with our customers in the financial services and fintech communities to provide the identity and security infrastructure to meet these challenges. Our experience with UK customers shows how our technology can be implemented quickly, integrating seamlessly into existing environments, to allow organisations to reap the benefits of Open Banking and provide their customers with the services they require in today's competitive financial services environment.
I am also looking forward to the recommendations of the review being used across other industries, enabling informed, secure data sharing for consumers and driving the adoption of new services and applications across all consumer digital services.
To learn more about Ping's experience with Open Banking and PSD2, visit www.pingidentity.com/PSD2.