Open banking and digital identity
Mark Perry: Identity has become a cornerstone of open banking regimes
Consumer interest in understanding their relationship with their financial services provider has never been higher. Yet at present, there is a fundamental disconnect between what consumers can access in terms of the data that banks hold about them and what they can do with it.
Open banking is set to turn the relationship between providers and their customers on its head, with ramifications for other customer-service-based industries such as telecommunications and utilities.
“It’s currently difficult for consumers to compare fees, charges and interest between different financial institutions, and that makes it harder for them to switch service providers to get a better deal,” said Ping Identity Asia Pacific Chief Technology Officer Mark Perry.
The Farrell Review into Open Banking released its report in December of 2017. It recommended several major steps that Australia can take to open up consumer data held by financial institutions.
According to the report, “Open banking gives consumers a right to direct that the information they already share with their bank be safely shared with others they trust. It is designed to give customers more control over their information, leading to more choice in their banking and more convenience in managing their money, and resulting in more confidence in the use and value of an asset mostly undiscovered by customers – their data.”
The Current State of Play
At present consumers can share their data with third parties, such as FinTechs and other new players, but the way they do it is inherently insecure. In general, a consumer will provide a third party application with their log-in and password, and give the application the authority to screen scrape their data.
This is a bad model, because consumers who hand over their data are relying on that third party to keep their credentials secure. Third parties are open to hacking, and some may not store credentials using industry-standard security.
Some banks even go as far as notifying consumers who share their credentials that they won’t be indemnified against any fraudulent activity that occurs in their accounts.
According to Mr Perry, the IT industry, as mentioned in the Farrell Review, has come up with a better solution – one which is, ironically, used by Facebook and other social media platforms.
The two standards involved are OpenID Connect and OAuth2, and these are the technologies being recommended as the security standards at the centre of open banking in Australia.
In general, a website can ask for your Facebook log-in as a method of verifying yourself. When this occurs, using OAuth2, the user is redirected from the website to Facebook's own log-in page, where they verify themselves directly with Facebook.
The user’s credentials are never handed over to the website asking for the log-in. The same would apply to banking – a consumer would never need to hand over their credentials to a third party.
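The redirect-based flow described above, as an added example that is not from the original article or any bank's code: a constructed in-memory bank and a hypothetical budgeting app walk through an OAuth2-style authorization code exchange. All class names, scope names and sample data are assumptions; the revoke step is one possible shape for withdrawing consent, which the article notes is still to be defined.

```python
import secrets

class Bank:
    """Constructed stand-in for a bank's authorization server and data API."""
    def __init__(self):
        self._passwords = {"alice": "correct horse"}  # never leaves the bank
        self._codes, self._tokens = {}, {}
        self._data = {"accounts:read": ["Savings"], "transactions:read": ["-42.00 groceries"]}

    def login_and_consent(self, user, password, client_id, scope, state):
        # Runs on the bank's own page after the app redirects the user there.
        stored = self._passwords.get(user)
        if stored is None or not secrets.compare_digest(stored, password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client_id, scope)
        return {"code": code, "state": state}  # redirect parameters sent back to the app

    def exchange(self, code, client_id):
        user, owner, scope = self._codes.pop(code)  # one-time use: KeyError on replay
        if owner != client_id:
            raise PermissionError("code issued to another client")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, scope)
        return token

    def api(self, token, resource):
        user, scope = self._tokens[token]  # KeyError once consent is withdrawn
        if resource not in scope:
            raise PermissionError("outside consented scope")
        return self._data[resource]

    def revoke(self, user):
        self._tokens = {t: v for t, v in self._tokens.items() if v[0] != user}

class BudgetApp:
    """Hypothetical third party; it has no code path that ever sees a password."""
    def __init__(self, bank):
        self.bank, self.client_id, self.token = bank, "budget-app", None
        self.state = secrets.token_urlsafe(8)  # ties the redirect to this session

    def handle_redirect(self, params):
        if not secrets.compare_digest(params["state"], self.state):
            raise PermissionError("state mismatch")
        self.token = self.bank.exchange(params["code"], self.client_id)

if __name__ == "__main__":
    bank = Bank(); app = BudgetApp(bank)
    app.handle_redirect(bank.login_and_consent("alice", "correct horse", app.client_id, {"accounts:read"}, app.state))
    print(bank.api(app.token, "accounts:read"))
```

Compared with screen scraping, a breach of the third party here exposes only a scoped token that the bank can invalidate, not the customer's log-in.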
“It’s a protocol that’s now widely accepted in the industry,” said Mr Perry. “And this is the model that is being used for open banking in the UK. However, there are also other aspects that still need to be clarified, such as enabling consent, and for third parties to provide an understanding to consumers about what they are sharing, as well as the ability to remove consent to that data sharing.”
These aspects of Open Banking still need to be worked out in Australia. The Farrell Review recommends that there is a domestic certification process, as well as a central authority, or “address book”, that may also provide the digital certificates that enable the security underpinning the information sharing.
The Review has recommended that the ACCC has a strong role in providing this central certification authority, but it’s still early stages in the game. The upcoming Federal Budget is likely to provide for funding that allows the establishment of this central certification organisation, or allows the ACCC funding to establish its own service.
What about the Banks?
Australian banks initially wanted the central certification authority to be one overseen by an industry organisation.
The Farrell Review has resisted this through its recommendation that the ACCC fulfil this role. Since the report’s release, Australian banks have come on board with open banking and are generally more receptive to the concept.
According to Westpac’s Jade Clarke, Director, Data Development and Innovation, Westpac is in favour of an open banking regime which will support customer choice and competition, as well as complementing an economy-wide open data regime.
“We consider that open banking will accelerate innovation in the delivery of products and services within banking and other industries,” said Ms Clarke in a statement.
“Westpac is committed to an open data regime which ensures our customers’ privacy and security needs are the highest priority, and helps customers make informed decisions,” she continued.
“It is crucial that any open data regime is subject to strong monitoring and enforcement to ensure that the risk of fraud, identity theft and security breaches are minimised.”
Macquarie Bank has also launched an open banking program which will enable customers to connect to FinTechs and other third parties, as well as share their financial information.
“Our customers have been telling us they want to securely connect their information into their favourite accounting software, budgeting app and other innovative services they are interested in,” said Ben Perham, Head of Personal Banking in Macquarie’s Banking and Financial Service Group, in a statement.
“Macquarie’s open platform will make this possible.”
Mr Perham went on to say that the organisation is looking forward to working with third party providers to drive new and personalised experiences for the bank’s customers.
Open Banking is not the end
The core of open banking is to give consumers power over their personal data, but financial services are not the end point for the open data revolution.
If open banking performs as promised – and there is still a long way to go – consumers could look forward to other sectors of the economy opening up their data troves. This includes telcos and utilities, both areas where companies hold significant information about a consumer, but also areas where consumers have traditionally found it hard to compare fees, charges and services.
With the rise of open banking in Australia, consumers can expect to have far more choice about who they engage to provide key services, as well as a better opportunity to shift providers. It’s just beginning.
Ping Identity will host its Identify 2018 events in Sydney on May 8 and Melbourne on May 10. Identify 2018 is an event by the Ping Community for the Ping Community. Ping Identity is a valued InnovationAus.com partner.