Photo: Tareq Shaheen

Open banking must step up its fraud prevention

05 January 2024
Knowledge Base

by Tareq Shaheen

Through open banking, the European Union continues to embrace its interconnected financial ecosystem; connecting, collaborating and sharing customer data instantly.
Yet, the risk of fraud looms larger than ever. Today’s criminals are relentless architects of deception, exploiting every crack in our financial systems at the touch of a button. They threaten to undermine the foundations of the EU’s open banking market, putting its expected 63.8 million users by 2024 at risk [*1]. Open banking simply extends the financial services ecosystem, expanding the attack surface and creating more entry points for fraudsters[*2]. Yes, it offers customers additional payment sources, but it simultaneously offers new opportunities for fraud. From phishing emails to ‘formjacking’ on websites that steal a user’s banking data, consumers lose on average €4,191 for fraudulent credit transfers[*3]. 

Now more than ever, there is a need for a proactive, data-driven approach to fraud prevention. And the European Commission’s announcement of Payment Services Directive 3 (PSD3) is aimed to do exactly that. WhilePSD3 is not expected to be enforced until 2026[*4], there’s an acute need for fraud prevention now. Both banks and customers can’t afford to wait. So, how can financial institutions reduce the risk of financial fraud, today?

The rise of fraud

Open banking presents challenges in safeguarding customer data accessed by Third-Party Providers (TPPs). Currently, banks bear the risk when authenticating transactions. However, this dynamic might shift within open banking to TPPs initiating more payments and potentially taking over customer authentication[*5]. This creates multiple vulnerabilities via Application Programming Interface (API) connections, as fraudsters exploit these gaps, employing tactics that blur the lines and make it difficult to spot the difference between authorised and unauthorised transactions.
Worse yet, fraudsters often set up a front business and pose as a fintech provider for the purpose of stealing financial data from their “clients”[*6]. Consumers tend to lack experience with TPPs and the rise of fintech apps can expose consumers to the risk of “spoofing”, among other threats[*7].

PSD3 aims to close those gaps. It’s designed to modernise payments, and the wider financial sector, enhancing their digital capabilities and efficiency. It will introduce minimum standards for open banking APIs and employ crucial changes to help mitigate the various tactics used by cybercriminals, such as forced verification, phishing attacks and impersonation fraud[*8]. But much like implementing any legislation, it takes time.

Time that financial services providers – and consumers – don’t have. As technology continues to evolve and expand the attack surface, so does the risk of fraud. Given the surge of API calls now exceeding over one billion per month in just Germany, France and Italy alone[*9], there are a lot of opportunities for fraudsters to act. Time is of the essence.
Yet, current fraud prevention systems are under significant strain and struggling to keep up; the adoption of open banking services is only expected to double across European countries by 2027[*10], putting further strain on current fraud prevention systems. Despite its popularity, open banking service providers are still new players in the industry. They don’t always have the infrastructure that traditional banks do with fraud prevention, leaving them more prone to risks associated with data breaches and cyberattacks[*11].

From a lack of investment in the API infrastructure that open banking needs, to the underlying payment infrastructure issues in various EU countries, more must be done to protect open banking users immediately. Banks are responsible for ensuring not only the financial safety but also the data privacy of their customers and can face regulatory fines if they share data with unauthorised third parties. What they need is better infrastructure and better fraud prevention and compliance mechanisms to mitigate these risks today.

Staying ahead of the threat

It’s no longer about staying in line with regulations – it’s time to get ahead. This means harnessing the right technology to combat fraud. It’s a race where banks can’t afford to fall behind.
Banks must make strategic investments in cutting-edge technology, particularly fraud prevention software. By using AI, algorithms and data analytics, banks can identify suspicious patterns and anomalies before they escalate into full-blown fraud. With better prevention systems and safer ways to store customers’ financial data, there will be less friction with transactions in the open banking user journey too[*13]. Software, such as Eastnets’ AI-driven fraud prevention solution PaymentGuard, not only protects customers but also safeguards the banks’ bottom line by preventing financial losses. However, the stakes go beyond just financial losses.

Compliance with regulations is equally crucial. By deploying robust fraud detection systems today, banks will be able to get ahead of the likes of PSD3 and Payment Services Regulation (PSR); particularly as the semantics of PSD3 is leaving the details up to the European Banking Authority (EBA)[*14]. From there, EBA will be updating the Regulatory Technical Standards (RTS) to improve the market. But again, this will take time. So providers must get ahead of the threat today.

Empowering consumers

Nevertheless, technology has become a double-edged sword. While banks adopt digital advancements to improve customer experiences, fraudsters are quick to exploit the same innovations. Artificial intelligence is a prime example, as it’s increasingly used in scams to deceive individuals by faking language, audio and even video[*15].

The customer now represents the potential weak link in the chain, particularly when initiating payments. Legislation won’t mitigate the risks associated with inattention, so consumers must exercise caution and take ownership, especially when making larger payments[*16]. Therefore, more also needs to be done by firms and regulators to raise consumer awareness in the open banking ecosystem. It’s a critical step for consumers to avoid falling victim to cleverly orchestrated fraud before it even happens.

The call for collaboration

The changes being introduced by PSD3 demand that banks and financial institutions need to act. But why wait and suffer in the meantime?
To preserve their reputation within the open banking sector and effectively combat the looming threat of fraud, banks must invest in state-of-the-art fraud prevention technology today, and adapt their APIs and authentication processes to align with the new requirements.

However, this isn’t just a matter of having the technology in place; it’s a chance for collaboration. Policymakers and regulators need to work together to establish consistent, high-quality standards and infrastructure[*17]. Whether it’s the technology being used for deception or the consumers’ inattention, there’s now a need for a collective effort to better safeguard the interests of all stakeholders in the open banking landscape. And they cannot afford to wait.

The author Tareq Shaheen, is Director of Payment Solutions at Eastnets and he is an expert in payment legislation proposals.

[*1] Statista, Number of open banking users worldwide

[*2] Open Banking Excellence, Security & Fraud: Is Open Banking creating new challenges?

[*3] The European Consumer Organisation, A payment fraud epidemic: what’s the remedy for consumers?

[*4] De Brauw, PSD3 & PSR: Get Ready For Regulatory Changes In The Payment Services Landscape

[*5] Open Banking Excellence, Security & Fraud: Is Open Banking creating new challenges?

[*6] Chargeback Gurus, The Threat of Open Banking Fraud

[*7] DLA Piper, PSD3 and PSR: sharing data on fraudulent payment transactions

[*8] European Commission, Payment services

[*9] Truelayer, Charting the rise of open banking payments: are consumers using them?

[*10] Forrester, European Open Banking Forecast, 2022 To 2027

[*11] Finance Magnates, Open Banking and Digital Identity: Implications and Opportunities

[*12] FT Adviser, Europe must lead the way in open banking

[*13] Yapily, Consumer confidence and experience are set to power the future of open banking says PSD3 directive

[*14] Yapily, Consumer confidence and experience are set to power the future of open banking says PSD3 directive

[*15] The Guardian, Financial firms must boost protections against AI scams, UK regulator to warn

[*16] Fintech Financial News, Fraud and Security: Is Open Banking Creating New Challenges?

[*17] Electronic Payments International, PSD3 – What does it mean and how will it advance open banking?

Leave a Reply

Your email address will not be published. Required fields are marked *