As businesses look to benefit from drastically lower swipe fees and payment fraud, and to deliver a better customer experience, open banking payments will become an increasingly compelling payment method to offer their customers.
However, one critical thing for merchants to keep in mind when selecting an open banking partner is the method that the partner uses to gather data. This is a critical — even fundamental — question because it touches on the single most important issue around open banking: security.
When done right, open banking is more secure than credit cards or other payment methods. But not all providers use the same methods to access bank data. In fact, a number of open banking providers utilize methods that are not secure.
It's important to know how data is being accessed and make sure that you're protecting yourself and your customers. In this post, we will talk through the key ways of collecting data, what their risks are, and why one method is far superior from both security and reliability perspectives.
1. Reverse-engineered APIs
The main way to gain access to account information is through an API, or ‘Application Programming Interface.’ This technology lets platforms exchange data with one another and can be thought of as a building block of digital services such as open banking payments, since it is what allows payment data to be extracted securely.
In the US, there are several challenges around accessing bank data via APIs. First, there is an enormous number of banks. Second, many bank APIs follow different standards and are of varying quality and stability. And third, not all banks are proactive about opening up their data to third parties. For a startup to integrate with a critical mass of bank APIs directly would be an overwhelming and prohibitively expensive task.
To get around this, a number of open banking providers use a method called “reverse engineering.” The open banking provider builds its own API for accessing customer accounts by analyzing the information exchanged between the customer and the bank through the bank's user interface. To do this, the provider asks the customer to share their login information (already a red flag), which lets the provider interact with the bank’s server in the same way the bank’s own app does. However, any change to the bank’s API specs or to the authentication certificate in the app will cause the connection to fail, or at least become erratic.
With reverse engineering, the customer needs to share their own private login details with the open banking provider, and the provider stores customer credentials on their own servers — creating an extra and unnecessary security risk. Merchants should very carefully consider the reputational and security risks of doing business with partners that store login credentials, and always ask that question when they are considering which provider to choose.
2. Screen scraping
Screen scraping, also known as direct access, is a second method to collect bank data that allows open banking providers to access end customers’ online bank accounts using their login credentials. The data extraction process works as follows:
The customer shares their login details with the open banking provider. Sometimes the login credentials are collected by the open banking provider masquerading as the bank login.
The provider uses these details to log in to the customer’s bank account.
The provider ‘scrapes’ data from the customer's account for use outside of the customer’s banking portal.
Like reverse engineering, in this situation the open banking provider stores the login credentials in their own database. Then the provider can impersonate the user and scrape data from the account’s webpages.
The risks here are quite obvious, and unnecessary. As well as the potential for a data breach, the provider can also theoretically access information that the customer has not consented to share. In other parts of the world such as the EU, screen scraping is already partially banned, with more legislation likely to come into effect in the future to ban it outright.
Screen scraping vs. web scraping: You may occasionally see these terms used interchangeably. There are some minor differences, but bear in mind that in the context of open banking they are sometimes used to refer to the same thing.
3. Authorized bank APIs via Data Access Networks (DANs)
As mentioned above, reverse engineering is a risky way for open banking providers to access data because, rather than collaborating with the bank in a transparent and direct manner, the open banking provider is exposing the bank to security and reputational risk.
But there is another way to obtain open banking data via API transparently and securely, by working with the bank rather than around it — and that is by partnering with Data Access Networks (DANs).
A DAN builds authorized, secure connections to banks in partnership with them, and fintech startups — such as Link Money — build services with these API connections.
This is a critical security and scalability advantage over reverse engineering and screen scraping for several reasons:
As mentioned, DANs partner with banks directly, rather than go around them. This means the banks are active partners in the relationship and invested in sharing data in a safe and controlled manner.
DANs concentrate on connecting bank APIs at scale. Rather than a single fintech trying to build API connections to thousands of banks as well as build and sell its own products, DANs are focused on building the API infrastructure. This means they have the resources to connect with all necessary financial institutions, solve the edge cases, and ensure those connections are stable, in a way that individual fintechs cannot.
Maintaining connections. Once APIs are connected they need to be maintained, as any changes to specs or the authentication certificate are an inevitability. This technical debt is very expensive for individual fintechs, but for an organization focused on bank API connections, it is much more cost-effective.
Bank-grade security. Since they need to maintain the trust of the many banks they work with, DANs need to build with bank-grade levels of security, using frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, ISO 31000:2013 standards, and the Committee of Sponsoring Organizations (COSO) Framework.
Authorized APIs via DANs are clearly more secure. So why do some open banking providers utilize other data collection methods?
A number of high-profile open banking providers have built their businesses around both reverse engineering and screen scraping in spite of the risks. But with these points in mind, you may wonder why they persist with non-secure data collection techniques.
There are a number of possible answers to this question, but one of the most common is that DANs did not exist, or did not have enough bank coverage, when the open banking provider launched, and therefore it made more sense for them to use reverse engineering or screen scraping. And once a solution is built with either of the above methods, it takes a lot of back-end engineering and relationship building with banks to move to a more secure solution.
Driving up the trust factor is critical for open banking
As you can see, open banking providers that leverage authorized bank APIs for extracting data are operating with the safest, most secure approach. And working with such providers is not only advisable from a security perspective. It is also critical for the long-term viability of the open banking ecosystem.
This is because, for many decades, consumers have been told (for good reason!) not to share their bank data with anyone. We know that open banking is highly secure as long as best practices are followed. But any data breaches or other mishaps due to non-secure data collection practices have the potential to diminish trust in the open banking ecosystem as a whole. Therefore, it is absolutely critical that consumers see it as an option that is secure by default — and working with providers that collect data with the right approach is one key way to ensure this happens.
If you’d like to learn more about security at Link Financial Technologies, and what to consider before implementing open banking payments, use the form below to contact us.