The second phase of open banking, the new Brazilian financial system that allows data to be shared between institutions with the customer's consent, began on August 13th. It is a system in which financial institutions authorized to operate by Banco Central share data and services in a standardized way through APIs. Security plays a fundamental role in open banking and has raised many questions among consumers.
But how secure is open banking?
According to Febraban (the Brazilian Federation of Banks, the main entity representing the Brazilian banking industry), all open banking operations take place in an environment with multiple layers of security, following internationally consolidated standards.
Also, according to the institution, the Open Banking Convention has a working group focused on security, responsible for evaluating and suggesting the best practices for protecting the system.
Security mechanisms already available to, and known by, consumers in the Brazilian financial system, such as facial biometrics, fingerprint biometrics, tokens and, of course, passwords, will also be adopted.
According to the official website created to share information about open banking (only available in Portuguese), the institutions must meet a series of requirements to ensure the authenticity, security, and confidentiality of shared data.
To that end, strict and specific rules establish the accountability of financial institutions. Brazil also has laws, such as the LGPD (General Data Protection Law), that hold institutions to some level of responsibility in the event of any leak of information.
The institutions themselves also adopt measures to ensure a safe experience for their customers. After all, as we always say at Conviso, security impacts not only the financial side of a company but also its reputation.
How does open banking security work?
According to Banco Central, to ensure that the sharing of consumer data is secure, 3 mandatory steps will be implemented:
- Request for the client's consent;
- Authentication;
- Confirmation of the consent.
Only after all three steps will the bank or institution be able to share the chosen data, and, it is worth mentioning, only for the period it has been authorized to do so. This is a fundamental step in open banking security.
Another point is that these steps will be carried out exclusively on electronic or digital channels. No authorization will therefore be requested by telephone or at an ATM, for example. And, according to the rules set by Banco Central, the steps must happen in succession and without interruptions.
Customer communication is also an important step in open banking security. Throughout the entire process, the financial institution will need to clearly and objectively inform the client about the entire step-by-step procedure.
Likewise, each time the client needs to be directed to other environments or systems, even those of other institutions, all information regarding that process must be clear.
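The three-step consent flow described above can be expressed as a small state machine that refuses non-digital channels, enforces the order of the steps, treats a long pause as an interruption and stops sharing once the authorized period ends. This is an added illustration written for this article, not code from Banco Central or the Open Banking Brasil specifications; the five-minute step timeout and the channel names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

REQUESTED, AUTHENTICATED, CONFIRMED = 1, 2, 3  # the three mandatory steps, in order
DIGITAL_CHANNELS = {"web", "mobile_app"}       # phone and ATM are never accepted
STEP_TIMEOUT = timedelta(minutes=5)            # assumed bound for "uninterrupted"

@dataclass
class Consent:
    scopes: frozenset               # data categories the client chose to share
    valid_for: timedelta            # sharing period the client authorized
    stage: int
    last_step_at: datetime
    expires_at: "datetime | None" = None

def request_consent(scopes, channel, valid_for, now):
    # Step 1: a consent flow may only start on a digital channel.
    if channel not in DIGITAL_CHANNELS:
        raise ValueError(f"channel {channel!r} cannot carry a consent flow")
    return Consent(frozenset(scopes), valid_for, REQUESTED, now)

def advance(consent, next_stage, now):
    # Steps 2 and 3 must follow the previous step, in order, without a pause.
    if next_stage != consent.stage + 1:
        raise ValueError(f"step {next_stage} cannot follow step {consent.stage}")
    if now - consent.last_step_at > STEP_TIMEOUT:
        raise ValueError("flow interrupted; the client must start over")
    consent.stage, consent.last_step_at = next_stage, now
    if next_stage == CONFIRMED:
        consent.expires_at = now + consent.valid_for  # authorization clock starts
    return consent

def may_share(consent, scope, now):
    # Data leaves only for chosen scopes, only while the authorization lasts.
    return (consent.stage == CONFIRMED and scope in consent.scopes
            and consent.expires_at is not None and now < consent.expires_at)

def demo():
    # Constructed walk-through: 30-day consent for account data via the app.
    t0 = datetime(2021, 8, 13, 9, 0)
    c = request_consent({"accounts"}, "mobile_app", timedelta(days=30), t0)
    advance(c, AUTHENTICATED, t0 + timedelta(minutes=1))
    advance(c, CONFIRMED, t0 + timedelta(minutes=2))
    return (may_share(c, "accounts", t0 + timedelta(days=10)),      # inside period
            may_share(c, "credit_cards", t0 + timedelta(days=10)),  # scope not chosen
            may_share(c, "accounts", t0 + timedelta(days=31)))      # period is over
```

The last check is the one a supervisor would look for: an institution that keeps reading data after `expires_at` is exactly the failure the rules penalize.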
Supervision
The supervision of open banking is the responsibility of Banco Central. They are the ones who will make sure that financial institutions adhere to information security and data protection protocols.
If failures occur, for example if data is shared beyond the authorized period, the institution that continues to make use of the data may be punished with fines or even suspension of its authorization to take part in open banking.
The challenges of security in open banking
According to Wagner Elias, CEO of Conviso, the fundamental issue when it comes to security in open banking is APIs. APIs (Application Programming Interfaces) are sets of protocols that enable one system to connect to another and consume data in a standardized way.
It is through them that data from the open banking system will be shared; they are what allow the exchange of data between the parties. The API has to be well defined and clear, with its endpoints very well defined, according to the CEO.
Another important issue is that the architecture makes up the solution on both sides. All application construction needs to be well thought out and resilient so as not to expose data and compromise the ecosystem.
Open Banking Fraud – Is It Possible?
“It’s almost impossible for a system to have no vulnerabilities at all – that’s why security needs to be ongoing,” explained the CEO in a recent interview for Celcoin News (the content is in Portuguese). However, the type of fraud expected to be seen in open banking, he explains in the interview, has little to do with system vulnerabilities.
“The fraudster exploits a characteristic of the human being that makes it possible for them to carry out fraud. In most cases, it is not related to the technology itself – but to the bad intentions of those who apply the attack, and to the innocence and lack of knowledge of those who deliver some critical information to the criminal”.
These are social engineering frauds, in which malicious people manipulate victims to obtain data. Therefore, the consumer must also pay attention to the platforms they access.
Tips for consumers
To prevent this type of fraud, Febraban has shared a few useful tips. These tips, by the way, are essential in preventing scams and fraud in general:
- Always check that the address of the website you are accessing is correct;
- Be wary of very attractive promotions before authorizing the sharing of your data;
- Check the reputation of the company with which you will authorize the receipt of your data;
- Keep your computer or cell phone’s operating system and antivirus updated;
- Do not pass on application security codes or bank passwords to another person;
- When in doubt, contact your bank through the official channels you are used to.
