11 minute read
The open question
The questıon
For years, UK consumers have been told to guard their financial information with their lives. Now, we’re telling them their every financial management wish will be granted if they embrace ‘open’ banking. No wonder they’re confused – and suspicious – as fraud attempts soar. But are the two even connected? A recent Open Banking Excellence (OBE) event explored the issues
So began Mambu’s 2021 report on open banking, which the composable banking firm might have expected to deliver more activity, at a higher pace than it has so far achieved.
What open banking promised was an unparalleled platform for collaboration and competition that would generate exciting new ways for consumers to manage their cash. But, in the wake of a pandemic, the midst of a cost-of-living crisis and the crosshairs of a fraud epidemic, consumers see a lot of broken eggs – and no compensatory omelette.
That’s partially a communication problem. Mambu’s report found that 61 per cent of respondents didn’t believe
But it’s fraud, which appears to have been escalating alongside the ongoing development of open banking, that has consumers questioning the wisdom behind the next generation of financial services.
Taken as a whole, fraud in the UK has increased 25 per cent on pre-pandemic levels, according to the Office for National Statistics (ONS). Cifas, the UK’s fraud prevention community, recently detailed how fraudsters are adapting their methods, with identity fraud rising 22 per cent between 2020 and 2021, and mule activity using personal accounts increasing by 24 per cent in the same period.
Of particular concern is the rise in authorised push payment (APP) fraud, where the victim is tricked into making a bank transfer to an account that’s posing
they had used open banking, despite 82 per cent of them reporting that they do use finance apps. Banks could certainly do more to draw attention to their open banking omelettes, even if their ingredients are, for now, a little sparse. Half of respondents to Mambu’s report said their bank hadn’t even explained what open banking was.
Then there are the eggshells. Nearly three in five of people surveyed by Mambu had concerns that open banking creates privacy and security issues, with 43 per cent believing that open banking is a dangerous use of data sharing. These attitudes might explain why some banks have been tight-lipped about their open banking projects to date, while others have been hesitant to get involved at all.
The genie is out:
And now the industry has to make some choices
as a legitimate payee. APP fraud losses overtook losses from card fraud for the first time in 2021, rising by a staggering 71 per cent, according to UK Finance.
In a study of the UK, US, and Indian markets, ACI Worldwide predicts that APP fraud losses will experience an average compound annual growth rate (CAGR) of 21 per cent from 2021 to 2026. Of those who fall victim to APP fraud, ACI Worldwide found that 72 per cent close the affected account.
Helen Child, founder of Open Banking Excellence (OBE), the industry-led facilitators of the open banking project, believes escalating fraud isn’t going to be beaten into retreat any time soon.
“As we head into a credit crisis or recession – whatever you want to call it – I think with a high degree of certainty we can all presume these figures will continue to rise,” she said at a recent OBE Campfire discussion on open banking and fraud, adding that, ‘by talking about it, we’ll keep the subject front of mind’.
All this is taking place against an increasingly rosy backdrop for open banking, even if progress has been slower than many had hoped. The government’s Open Banking Implementation Entity (OBIE) Open Banking Impact Report, published in June, said 10 to 11 per cent of digitally enabled consumers were active users of at least one open banking service, up from six to seven per cent in March 2021. And in the six months to March 2022, there were 21.1 million open banking payments, compared with 6.1 million in the same period in 2021. Month-on-month growth is running at around 10 per cent Earlier this year, the UK reached the milestone of one billion open banking API calls in a month, double the average monthly volume recorded in 2020 and leagues beyond the 66.8 million that took place in the whole of 2018, when UK open banking was first implemented.
Accelerating engagement with open banking is to be celebrated, though not if its correlation with rising fraud is thought by consumers to amount to direct causation. It was in recognition of
There’s lots of information that could be shared under open banking standards to tackle fraud. But the regulations haven’t mandated how
Helen Child, OBE
this threat that OBE hosted the campfire conversation, which aimed to determine whether open banking is creating new openings for fraudsters.
Comfortingly, Mike Haley, CEO of Cifas, was on hand to dispel any misconceptions. “I don’t think open banking has created any new fraud typologies,” he explained. But open banking’s security model and trust framework have forced fraudsters to target victims directly. “The weakest link is now the customer,” he added.
APP fraud is skyrocketing. Over the course of the pandemic, Ofcom reported that eight out of 10 people in the UK had been targeted with text or phone call scams. Such scammers pose as reputable organisations – banks, HMRC, or the NHS, for example – in order to persuade their targets to divulge personal information, to phish information from their phones, or to request a bank transfer. Often delivered en masse, these scams tend to request relatively small sums – little enough to fly under the radar of anti-fraud systems.
Nevertheless, the volume of data produced and shared between open banking participants is still a cause for some concern. Chris Michael, CEO and co-founder of open banking API interface experts Ozone, was heavily involved in the development of the OBIE’s security framework. While he is also confident in open banking’s security, he does accept there are fraud opportunities created by new pools of enriched financial data.
“Data is more valuable in the presence of other data,” he explains. “So as you start building this model out, looking at all sorts of data, it gets increasingly valuable, and therefore more risky and more attractive to fraudsters.”
Seeking out that data is the latest chapter in the cat-and-mouse story that fraudsters and financial institutions have been co-authoring for centuries.
“The bottom line is that if a fraudster wants to convince someone to pay them money or give them access to their account, it is very difficult to stop them –particularly if their target is vulnerable,” says Michael. “But open banking can reduce this human fallibility by effectively removing the opportunity for customers to be tricked, parsing much more data than just the sort code and account number, allowing identifying data to be shared via an API alongside every transaction. We expect to see a lot more innovation in this area.”
So, the good news is that open banking and its successor, open finance, will leverage multiple, connected data sources to spot and tackle fraud more effectively. Today’s technology can scan for IP location, dodgy devices, unusual browsing habits, the suspicious use of different names – everything that can reveal fraud. Sharing more of this data across the industry can only be a good thing.
“There’s lots of information that could be shared under open banking standards to tackle fraud,” says OBE’s Child.
“But the regulations haven’t mandated how this should be implemented.”
Such a framework should be a priority for the next raft of rules released to support the adoption of open banking. The bad news is that these data sources are not nearly as connected as they could be. Dithering on the part of incumbents could grant fraudsters the extra time they need to pinpoint new weaknesses in the coalition of financial and personal data.
“We’ve got some really good building blocks,” says Michael. “I think we should now add to them, looking at how regulated parties can be involved in the flow of data, how they can parameterise consent, and how they can provide better outcomes for customers.”
More implementation, then, will help open banking stay a step ahead of the scammers and a bargepole away from associations with rising fraud.
For Child, successful implementation means putting more brilliant new products in front of consumers as evidence of the value that open banking can bring.
“People will always say they don’t want to share data if you ask it in a survey,” she says. "When you put it in context, though, with an obvious value-add for them, they don’t think of it as sharing data, they think of it as using their data to make their lives better. That’s a totally different proposition.
“It’s wrong to think of the adoption for technologies like this as a linear process,” she adds. “It’s more like a flywheel, where connectivity enables new use-cases, driving adoption and normalising the technology across society. If we, in the UK, want to maintain our position as global leaders in this space, we need to broaden the scope to let new entrants in and get the flywheel spinning faster.” There’s a further benefit to accelerating the implementation of open banking: it incentivises anti-fraud innovation across the fintech space. Take GoCardless, the online payment processing firm, which released its Verified Mandates feature in March. The feature harnesses open banking technology to protect GoCardless business customers from fraudsters – preventing bad actors from creating online profiles in the first place.
The paytech’s research recently found that 87 per cent of consumers would be more likely to shop with or use a brand if they believe the company takes fraud seriously.
Meanwhile, anti-fraud measures rushed in by regulators appear to be working. In the early months of 2022, mandatory strong customer authentication (SCA) came into effect in the UK as a feature of the revised Payment Services Directive (PSD2). SCA requires shoppers to provide two-factor authentication (2FA) to complete online purchases. In September, Barclaycard reported that the measure had reduced online payment fraud experienced by retailers by 73 per cent, with the average merchant reporting a 25 per cent reduction since SCA was made mandatory.
Pause for thought:
SCA has succeeded in reducing fraud, without increasing cart abandonment Since mandatory SCA was introduced, basket abandonment – the e-commerce term for consumers leaving the checkout process without finishing the purchase – actually fell from 32.4 per cent to 28.9 per cent of all transactions. Perhaps consumers appreciate that some friction, especially at the point at which they’re set to part with their cash, might not be such a bad thing. Banks should take note of this finding, which flies in the face of ‘frictionless’ UX orthodoxy. In another regulatory intervention, the UK’s Payments Systems Regulator is expanding the number of payment service providers (PSPs) required to participate in the confirmation of payee (CoP) service to 400. CoP was first introduced to reduce cases of APP fraud and accidentally misdirected payments. Increasing the number of PSPs that must utilise the CoP service should clip the wings of APP fraudsters in the UK, or, at the very least, make vulnerable consumers pause for thought during a transaction process, hang up, and contact their bank. At the end of its report, Mambu lends its voice to the growing chorus of thought leaders advocating for open banking to make a PR pivot. Many in the industry believe ‘open’ gives the wrong impression, and that ‘smart’ or ‘collaborative’ would be both more accurate and more comforting for consumers. But, with open finance on its way, it may be too late for a rebrand. Mike Haley, from Cifas, has another suggestion. “When it comes to fraud
“The introduction of and financial crime,” SCA has definitely had a he says, “let’s leave positive effect in reducing competition at the door. fraud,” says Ozone’s Chris We've got a common Michael. “But many banks enemy, let's share still rely on one-time data and intelligence. passwords sent via SMS, Let's share that which is inherently information and use it insecure, and even the as a common defence.” most secure methods can be manipulated Open banking was always using social engineering techniques.” about smart collaboration between
SCA is a step in the right direction, but financial institutions – it’s just that, in Michael believes that open banking should data science circles, being ‘open’ is a transform that into a leap, once simpler, paramount virtue. If fraud is threatening instant verification processes, connected to derail the progress of open banking, via APIs, are readily available across more implementation, more collaboration, payments platforms. and more intelligence sharing through
Encouragingly, 2FA doesn’t appear to be organisations such as OBE, will help regarded as a nuisance by consumers. the movement get back on track.
When it comes to fraud and financial crime, we've got a common enemy. Let’s share data and intelligence... and use it as a common defence
