
Open banking risk: challenges around verifying identity of TPPs abound

Published: Sep 2022

As open banking gathers pace, warnings grow about the risk banks run if they fail to verify the identity and regulatory status of TPPs.


European financial institutions operating in the open banking ecosystem are at risk of increased levels of open banking fraud. Open banking in Europe has grown to account for billions of transactions every month, with an estimated 63.8 million users by 2024, according to research from Statista. However, significant issues and dangers exist around proving the identity of the Third-Party Providers (TPPs) that deliver open banking services, and their current regulatory permissions.

“Banks face genuinely frightening possibilities if they fail to check the identity and regulatory status of TPPs adequately,” warns Brendan Jones, CCO, Konsentus, a SaaS company that supports safe data exchange. “Banks are liable for both unauthorised access to data and fraudulent transactions which could result in reputational damage and significant financial losses.”

PSD2, the EU’s industry-wide payment services directive that has applied since January 2018 to make online transactions safer and more secure, enables open banking by requiring financial institutions to give authorised third parties and fintechs access to their customers’ account data with the customer’s consent. When data is shared, banks must ensure they are giving information to the correct entities, and they are liable for any data given to unauthorised third parties.

However, the regulatory permissions that allow TPPs to deliver open banking services across the EEA can change at any time. If banks continue to share data with TPPs that no longer have the correct regulatory status, they could face regulatory fines and be in breach of GDPR, Jones explains.

EBA warning

The latest warnings follow on from the European Banking Authority publishing its response to the European Commission’s Call for Advice on the review of PSD2. The report identified significant issues and dangers around proving the identity and current regulatory permissions of TPPs that deliver open banking services.

Among the EBA’s 200 proposals are nine calls for legislative change intended to reduce risk and enhance consumer protection by enabling the identity and current regulatory permissions of TPPs to be determined in real time. However, it may be several years until any recommendations come into effect, meaning that financial institutions will be exposed to the risks identified by the EBA for some time.

“We welcome the EBA’s recommendations, but also warn banks that they must act immediately to mitigate the risks. Legislation will take some time to come into force, so financial institutions must resolve the risk around identity and regulation themselves.”

Fraud

Using data based on millions of transactions processed every month on behalf of 500 financial institutions across the EEA, Jones observes a spike in the number of TPPs failing certificate checks: the real-time verification a financial institution performs on a TPP’s certificate to establish its identity before granting API access.

“On average per month, more than 1% of transaction requests fail certificate checks in some way,” he says. Detailing the types of fraud, he cites monthly examples of unauthorised organisations attempting to access financial institutions’ APIs; of regulated TPPs attempting to access financial institutions’ APIs in jurisdictions where they are not regulated to operate; and of TPPs attempting to provide services they are not authorised to carry out, either in their home member state or in a host member state.

Under PSD2, regulatory authorities such as the EBA and a select number of National Competent Authorities believed that simply checking a TPP’s digital identity credentials was sufficient, Jones continues; financial institutions should now go further still.

Checks should therefore go beyond the certificate itself. A bank should validate the TPP’s digital identity credentials in real time; check the TPP’s current authorisation details with its home-state regulator; where the TPP is accessing the bank’s APIs in a host member state, check that the TPP currently holds passporting rights into that state; and confirm that the TPP’s current authorisation covers the specific service it is requesting in that host member state.
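The four checks above, as an added Python example that is not code from the article or from Konsentus. Under the PSD2 RTS on strong customer authentication and secure communication, a TPP identifies itself to a bank’s API with an eIDAS qualified certificate (a QWAC or QSealC) whose PSD2 QcStatement, defined in ETSI TS 119 495, carries the TPP’s roles, the name of its National Competent Authority and the NCA identifier, while the subject’s organizationIdentifier carries its authorisation number in the form PSD<country>-<NCA>-<number>. The block encodes such a QcStatement in DER (to construct sample input), parses it back the way a bank’s gateway would, and then checks the TPP against a register snapshot. The register entries, TPP identifiers, passporting data and the register’s field names are constructed assumptions for the example; a real deployment would query the NCA or EBA register, or a service that aggregates them, at request time.

```python
import re

# OIDs and roles defined by ETSI TS 119 495 for the PSD2 QcStatement.
PSD2_QC_STATEMENT_OID = "0.4.0.19495.2"
ROLE_OIDS = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
             "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}
SERVICE_ROLE = {"AIS": "PSP_AI", "PIS": "PSP_PI", "CBPII": "PSP_IC"}

# Minimal DER helpers for SEQUENCE (0x30), OBJECT IDENTIFIER (0x06) and UTF8String (0x0C).
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:  # base-128, high bit set on all but the last byte
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _children(body):  # split a constructed DER body into (tag, content) elements
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:
            ln, pos = int.from_bytes(body[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out

def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def build_psd2_qcstatements(roles, nca_name, nca_id):
    """Encode a qcStatements value holding one PSD2 QcStatement (used here to construct sample input)."""
    role_seq = b"".join(_tlv(0x30, _oid(o) + _tlv(0x0C, n.encode())) for o, n in roles)
    info = _tlv(0x30, _tlv(0x30, role_seq) + _tlv(0x0C, nca_name.encode()) + _tlv(0x0C, nca_id.encode()))
    return _tlv(0x30, _tlv(0x30, _oid(PSD2_QC_STATEMENT_OID) + info))

def parse_psd2_qcstatements(der):
    """Return {'roles', 'nca_name', 'nca_id'} from a DER qcStatements extension value."""
    (tag, body), = _children(der)
    if tag != 0x30:
        raise ValueError("qcStatements is not a SEQUENCE")
    for _, statement in _children(body):
        items = _children(statement)
        if len(items) < 2 or _decode_oid(items[0][1]) != PSD2_QC_STATEMENT_OID:
            continue  # e.g. QcCompliance or QcType: not the PSD2 statement
        (_, roles_seq), (_, nca_name), (_, nca_id) = _children(items[1][1])
        roles = [ROLE_OIDS.get(_decode_oid(_children(r)[0][1]), "UNKNOWN") for _, r in _children(roles_seq)]
        return {"roles": roles, "nca_name": nca_name.decode(), "nca_id": nca_id.decode()}
    raise ValueError("certificate carries no PSD2 QcStatement")

# Constructed register snapshot keyed by the subject organizationIdentifier. A live check would
# query the NCA or EBA register at request time; entries and field names are assumptions.
REGISTER = {
    "PSDFR-ACPR-12345": {"status": "authorised", "home": "FR", "passported": {"DE", "ES"}, "services": {"AIS", "PIS"}},
    "PSDNL-DNB-98765": {"status": "withdrawn", "home": "NL", "passported": {"BE"}, "services": {"AIS"}},
}

def check_tpp(qc, org_id, host_state, service, register=REGISTER):
    """Reasons to refuse an API request (empty list means allow). service is 'AIS', 'PIS' or 'CBPII'."""
    m = re.fullmatch(r"PSD([A-Z]{2})-([A-Z0-9]+)-(.+)", org_id)
    if not m:
        return ["organizationIdentifier is not in PSD2 form"]
    country, nca, _ = m.groups()
    failures = []
    # 1. credential consistency: QcStatement and subject must name the same NCA
    if qc["nca_id"] != f"{country}-{nca}":
        failures.append("NCAId in QcStatement does not match organizationIdentifier")
    # 2. current authorisation status comes from the register, not the (possibly stale) certificate
    entry = register.get(org_id)
    if entry is None:
        return failures + ["TPP not found in register"]
    if entry["status"] != "authorised":
        failures.append(f"authorisation status is '{entry['status']}'")
    # 3. passporting: a home-state authorisation covers a host state only if passported there
    if host_state != entry["home"] and host_state not in entry["passported"]:
        failures.append(f"no passporting rights into {host_state}")
    # 4. the requested service must be in the certificate's roles and currently permitted
    role = SERVICE_ROLE[service]
    if role not in qc["roles"]:
        failures.append(f"certificate lacks role {role} for {service}")
    if service not in entry["services"]:
        failures.append(f"register does not permit {service}")
    return failures

# Constructed sample: a French AISP/PISP certificate as the bank's gateway would decode it.
SAMPLE_QC = parse_psd2_qcstatements(build_psd2_qcstatements(
    [("0.4.0.19495.1.3", "PSP_AI"), ("0.4.0.19495.1.2", "PSP_PI")],
    "Autorite de Controle Prudentiel et de Resolution", "FR-ACPR"))
```

The ordering matters: a valid, unexpired certificate carrying the right role is a necessary but not sufficient condition, because the certificate is issued once while authorisation status, passporting and permitted services are state held by the regulator that can change the day after issuance. `check_tpp` therefore treats the certificate as the claimed identity and the register as the authority, and refuses a German request from the French TPP in the sample only when the register shows no passport into that state, or a service the TPP is not permitted to provide, even though the certificate itself parses cleanly.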

Jones concludes with a warning of the dangers of not acting. “The damage caused by high-profile regulatory action could dent confidence in the wider open banking ecosystem, potentially hurting all players and slowing down the pace of adoption across Europe.”
