An Open Banking Framework

The Australian Business Review March 9th, 2018    Australia is a step closer to adopting an Open Banking framework that will revolutionise the way financial products and services are delivered to customers.

Open Banking will require the nation’s largest financial institutions to make customer data readily available to other companies, thereby allowing them to create a range of new offerings. It will encourage new entrants into the market, stimulating competition and reducing costs. The changes will also chart a course for secure digital interaction between service providers and application developers well beyond its initial scope of financial services.

During February, the final report of the Australian Open Banking Review was released. This report contains recommendations on the regulatory framework under which an Open Banking regimen could operate, and the necessary legislation that will be required to support it.

Looking to the UK

Those involved in Australia’s journey to an Open Banking environment have been watching the progress being made in the United Kingdom. There, Open Banking legislation came into force in January and financial institutions are hard at work to make it a reality. Some major banks have published Open Banking-compliant APIs and fintech firms have begun integrating applications to enable secure interaction between companies.

Ping Identity technology was selected by the UK’s Open Banking consortium to play a key role in this new architecture. It underpins the Open Banking service that manages the registration process and life cycle for Account Servicing Payment Service Providers (ASPSPs), Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).

Ping consultants also worked closely with teams developing the Open Banking APIs and security standards, using their deep knowledge of the OAuth 2.0 and OpenID Connect 1.0 specification.

Standards for Australia

The recent Open Banking report specifically mentions the UK’s work on the EU’s Second Payment Service Directive (PSD2) and recommends the country’s Open Banking standards as a starting point for Australia.

Specifically, the report says: “The starting point for the standards for the data transfer mechanism should be the UK’s Open Banking technical specification. The specification should not be adopted without appropriate consideration, but the onus should be on those who wish to make changes.”

This recommendation will enable Australia’s Open Banking effort to move quickly toward implementation. Working from an existing standard that was also built on foundational authentication and authorisation standards, the Australian industry will have confidence to build their services and applications.

Interactions between consumer applications, banks, and other financial services companies are performed using RESTful APIs standardised by Open Banking. Application flows don’t force direct communication with the Open Banking service and thus avoids a single “clearing house” that could become a single point of failure or a honey pot for attackers.

Open standards and API security

Effective security is key for a successful Open Banking system and the Australian review calls for multi-factor authentication. This is an important security measure, which is consistent with direct interactions between data holders and customers.

The mandatory implementation of MFA, along with standards-based authentication flows based on OpenID Connect, using redirection to the data holder’s login page will greatly assist in eliminating insecure practices.

It will prevent practices such as ‘screen scraping’ where end users are asked to enter their credentials into the third-party application, enabling that application to access the data holder’s service on behalf of the user. Open Banking should not prohibit or endorse screen scraping, but rather aim to make it redundant by facilitating a more efficient data transfer mechanism.

The importance of end-user consent

The issue of informed consent is another important topic covered in the review. Consumers must at all times be aware to whom they are giving access to their data and how long that consent will last. They must also be able to review and potentially remove their consent at any time.

It is the responsibility of the industry as a whole to build informed consent management and communication into all consumer services in a way that gives the end user confidence about how their data is used and shared. There are consent models and commercial products available that allow this to be implemented.

Industry-agnostic data sharing

Australia’s financial services sector will need to work hard to provide the identity and security infrastructure to meet these challenges. Ping’s experience with UK customers shows how the company’s technology can be implemented quickly, integrating seamlessly into existing environments, to allow organisations to reap the benefits of Open Banking and provide their customers with the services they require in today’s competitive financial services environment.

In the future, the recommendations of the review will also increasingly be used in other sectors. This will support better and more secure data sharing and thus drive the development of an exciting array of new digital services for customers.

Mark Perry is Chief Technology Officer — Asia Pacific, for Ping Identity

Share this article:<br>Share on LinkedIn
Tweet about this on Twitter