It’s all over the global media. Technology journalists, as well as finance reporters, have been focusing on Open Banking for some time now. With initiatives in the UK, Europe, Australia, New Zealand, Singapore, Hong Kong and other countries, banks, fintechs and governments are scrambling to open access to consumer data in a standard and secure manner, based on informed customer consent.
And this is only the start. In Australia, work has already begun on an Open Energy programme, which seeks to replicate the work in the finance sector across consumer energy providers. Clearly, the frameworks and standards piloted by Open Banking are leading to an Open API regime where customers can be more informed of fees and charges, and new service providers can ply their wares in a regulated environment.
Modernising Customer Identity Systems
In talking to major banks across the Asia Pacific region, I’m struck by a consistent theme. While they have different infrastructure and integration points, the banks are all similar in one way: Their technology leadership teams see Open Banking as a way to modernise their customer identity systems. These programmes will deliver more agile and standards-based platforms that will ultimately be reused across all consumer and commercial banking services. Some banks are even considering reuse of the new platforms for employee and partner identity.
Some of your existing technology capabilities will need modernisation in preparation for Open Banking and others will not; the key is to fit the overall architecture together in a way that makes sense for your enterprise and meets the Consumer Data Right standards. The components involved may include authorisation servers that federate authentication sessions and issue tokens to third parties accessing APIs, resource servers that validate tokens and access privileges before allowing API access, user directories and data stores that hold consent records, access policy management for applications and data, API gateways, and multi-factor authentication. Each of these existing capabilities needs to be evaluated for its conformance with the emerging identity and security standards and requirements for Open Banking.
Beyond enhancing what’s already in place, many organisations realise that preparing for the impending flood of completely new and uncharted API traffic means adding security layers that use AI and machine learning models to detect anomalous API behavior without relying on specific defined policies or prior knowledge of attack patterns.
The identity and security requirements for Open Banking are not trivial. While all countries’ Open Banking frameworks are based on existing standards like OAuth 2.0 and OpenID Connect (which some banks don’t currently support due to their legacy identity and access management (IAM) stacks), Open Banking mandates newer standards, like Client-Initiated Backchannel Authentication (CIBA). And within the well-supported OpenID Connect standard, Open Banking in Australia requires the use of Pairwise Pseudonymous Identifiers (PPIDs) to enable consumer privacy, which is currently not supported by all vendors or OpenID Connect libraries.
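As an added illustration of the PPID requirement mentioned above (this is example code, not Ping Identity's product code or the CDR reference implementation), the block below derives an OpenID Connect pairwise subject identifier the way OIDC Core section 8.1 describes: the sector identifier is taken from the client's registered sector_identifier_uri if present, otherwise from the redirect URI host, and the subject is a keyed hash over the sector identifier and the bank's internal account id. The salt value and URIs are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

# Constructed example salt. In a real OP this is a per-deployment secret that
# must be kept stable, because rotating it changes every PPID ever issued.
SALT = b"example-only-salt-do-not-reuse"


def sector_identifier(redirect_uri: str, sector_identifier_uri: Optional[str] = None) -> str:
    """Host portion of sector_identifier_uri when registered, else of the redirect URI.
    Every client sharing a sector receives the same PPID for a given user; clients in
    different sectors cannot correlate the user across relying parties."""
    host = urlparse(sector_identifier_uri or redirect_uri).hostname
    if not host:
        raise ValueError("URI has no host component")
    return host.lower()


def pairwise_sub(local_account_id: str, sector: str, salt: bytes = SALT) -> str:
    """Deterministic, non-reversible subject identifier for (sector, user).
    HMAC-SHA256 is used so the mapping cannot be recomputed without the salt."""
    msg = f"{sector}|{local_account_id}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def issue_sub(local_account_id: str, redirect_uri: str,
              sector_identifier_uri: Optional[str] = None) -> str:
    """What the OP would place in the id_token 'sub' claim for this client."""
    return pairwise_sub(local_account_id, sector_identifier(redirect_uri, sector_identifier_uri))


if __name__ == "__main__":
    # Two data recipients (constructed hosts) asking about the same bank customer
    acct = "core-banking-customer-000123"
    print(issue_sub(acct, "https://app.fintech-a.example/cb"))
    print(issue_sub(acct, "https://app.fintech-b.example/cb"))
```

A resource server that must map a presented PPID back to the internal account keeps a lookup table populated at issuance rather than trying to invert the hash.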
As Open Banking focuses on putting end users in control of their data, third-party apps need to be authorised to act on their behalf and/or retrieve account data. Identity infrastructure needs to provide tools to manage consent and request additional security factors at the user level. Data governance needs to have access to this consent information to apply fine-grained authorisation on API calls, something which may be difficult to code into existing APIs or gateways.
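To make the consent-driven authorisation described above concrete, here is an added example (not Ping Identity's code, and not any bank's real policy) of the check a resource server or gateway can run on each API call: the access token must carry the scope, and an unrevoked, unexpired consent record for that pairwise subject and client must also grant the scope and cover the specific account being requested. Scope names, account ids and the consent store contents are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    sub: str                 # pairwise subject identifier for this data recipient
    client_id: str           # data recipient the consent was given to
    scopes: FrozenSet[str]   # scopes the customer agreed to
    account_ids: FrozenSet[str]  # accounts the customer selected during consent
    expires_at: datetime
    revoked: bool = False


@dataclass(frozen=True)
class AccessToken:
    sub: str
    client_id: str
    scopes: FrozenSet[str]
    expires_at: datetime


ConsentStore = Dict[Tuple[str, str], ConsentRecord]  # keyed by (sub, client_id)


def authorise(token: AccessToken, store: ConsentStore, account_id: str,
              required_scope: str, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Allow the call only when token AND consent both permit it; the reason string
    is intended for audit logging, not for the API response body."""
    now = now or datetime.now(timezone.utc)
    if token.expires_at <= now:
        return False, "token expired"
    if required_scope not in token.scopes:
        return False, "scope absent from token"
    consent = store.get((token.sub, token.client_id))
    if consent is None:
        return False, "no consent on record for subject/client"
    if consent.revoked:
        return False, "consent revoked"
    if consent.expires_at <= now:
        return False, "consent expired"
    if required_scope not in consent.scopes:
        return False, "scope not covered by consent"
    if account_id not in consent.account_ids:
        return False, "account not selected in consent"
    return True, "allowed"
```

Checking the consent record on every call, rather than only at token issuance, is what lets a customer's revocation take effect before the access token expires.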
Open Banking Standards
For global banking brands, another layer of complexity is the differences between regional Open Banking standards. Australia, the UK and Europe share many requirements, but there are significant differences to be implemented and maintained: PPIDs are required in Australia, but not in the UK or Europe. And, unlike those three, New Zealand doesn't mandate the use of OpenID Connect at all; it uses OAuth 2.0. The New Zealand Open Banking effort is completely focused on financial transactions at this time, rather than read access to account data. Australia is focused on read-only access for now, while the UK and Europe support both read and read-write access in their standards.
Ping Identity has helped author and edit the open standards powering modern identity systems, and is closely aligned with the industry-specific API standards taking root in the financial industry. Ping Identity experts helped define the Open Banking standard for the UK. My counterpart in Europe is on the NextGen PSD2 committee within The Berlin Group, and here in Australia I represent Ping Identity as the only vendor on the Advisory Committee helping to define our regional Open Banking standard as part of the Consumer Data Right. This involvement in the standards, our commitment to them, and our long history of serving the largest financial institutions in the world make Ping Identity's solution a relatively easy and robust path for banks to meet many of their Open Banking responsibilities, as well as the platform for their future digital business transformation initiatives.
The Open API Infrastructure
What we’re seeing at the moment is the global design and piloting of the Open API infrastructure for all consumer-facing verticals. These patterns and implementations will be reused across organisations worldwide as governments increase the reach of their open data initiatives. The effort being put into designing the standards, implementing them in IAM solutions like Ping’s, and deploying them in the banks and application providers falling under these regimes, is massive.
Ultimately, all of us as consumers will benefit, as will the organisations tasked with providing Open APIs, as their infrastructures are refreshed to meet modern identity security and privacy standards.
To learn more about how today’s finance sector companies are tackling their digital transformation challenges, please visit Ping’s Financial Services page.