Security

Open Banking and the Closed Ecosystem: The Tech Banks Need to Navigate GDPR

Privacy rules are a hurdle to banks' API-driven approach to digital innovation. Here's how they can clear it.

Doug Bonderud is an award-winning writer capable of bridging the gap between complex and conversational across technology, innovation and the human condition.

To meet the growing demands of tech-savvy and mobile-native consumers, financial institutions have adopted a new approach to service delivery: open banking driven by application program interfaces, or APIs. As noted by The Financial Brand, open banking initiatives now rank among the top three tech priorities for banks this year.

The challenge? Existing privacy regulations such as the General Data Protection Regulation (GDPR) and the emerging second iteration of the Payment Services Directive (PSD2) — both European regulations that affect global commerce — strive to create closed security loops around client data storage, usage and privacy. According to CSO, 64 percent of fintech firms’ main websites still fail GDPR compliance tests more than a year after this legislation came into force.

What does this mean for the API revolution? What technologies do banks need to support secure ecosystems without slamming the door on open initiatives?

How APIs Make Open Banking Possible

APIs are the cornerstone of open banking initiatives. As Christina McGeorge, a vice president at NCR-owned D3 Banking Technology, describes it, APIs are “a set of programming instructions that allow one software application to ask another to form a task or a series of tasks,” according to Payments Journal.

In other words, they make it possible for different software systems to communicate directly in real time.

And while the first generation of fintech firms leveraged proprietary API solutions, banks quickly recognized the advantage of open-source options. The move to open banking initiatives both reduced development time and enhanced functionality.

The biggest challenge to open banking? The need for closed security ecosystems as both local compliance regulations and international legislation evolve. GDPR offers the most pertinent example. As a recent McKinsey & Company article points out, while explicit consent is required from account holders to share data, “there exists a silent counterparty to every financial transaction conducted by that holder; does a right to privacy exist for the corresponding payor/payee? If so, the consent process becomes infinitely more complex.”

How Banks Can Comply With GDPR While Pursuing Open Banking

Put simply, open APIs create natural security gaps because banks don’t control their development or underlying code base, and even unintentional GDPR violations carry massive potential fines of up to 4 percent of total global revenues. Yet banks, credit unions and other financial services firms can’t afford to ignore the impact of open banking.

Bridging the GDPR gap demands adherence to a compliance framework. The law requires evidence of technical or organizational measures demonstrating compliance with at least 39 articles, according to Nymity research. The International Association of Privacy Professionals has developed a 55-point framework to help organizations implement new operational controls that both demonstrate and document GDPR compliance.

Organizations should also consider deploying a subject access request portal. Under the law, individuals are entitled to request what personal information is held about them; organizations must respond within 30 days. Subject access request portals help GDPR compliance efforts by offering a single interface to receive, track and respond to requests for information, as well as facilitating the exercise of a consumer’s rights over personal information. These portals track the full lifecycle of consumer requests and assist the organization with responding within legally mandated timeframes.

Finally, organizations also need purpose-built technologies capable of identifying, detecting and mitigating potential security issues. These include electronic discovery tools and advanced threat detection.

Long used in legal practices, e-discovery tools are now essential for financial service organizations. These tools locate, categorize and secure consumer banking data as it moves across open API frameworks. Meanwhile, banks and credit unions can’t protect consumer data if they can’t detect potential intrusions or API compromise. Intelligent and evolving threat detection and monitoring tools are critical for long-term security.

Open banking is here to stay — but so is GDPR. What’s more, new privacy legislation is on the horizon that will both empower consumer data portability and demand greater security oversight from financial institutions.

The result? Banks must open critical operations even as they close ranks around consumer data. Achieving this goal isn’t a simple process — organizations must adopt both new technologies and operational frameworks to deliver ongoing data security.

Getty Images