As we surf the web, linking our banking information to financial applications empowers us to shop effortlessly, send money swiftly, and take charge of our finances in new ways. With financial technology advancements, connecting third-party services and allowing them to access our financial data securely has become even more accessible. However, this convenience has also brought new risks and challenges when keeping these links secure.

In this article, we will explore the benefits and risks of open banking and proactive measures that fintech companies can implement to enhance security against fraudulent account linking.

What is open banking?

Open banking is the secure sharing of customers' financial data between banks, financial institutions, and third-party providers through secure Application Programming Interfaces (APIs). This data sharing allows third-party financial service providers to access customer bank accounts and payment information. Open banking aims to increase competition and spur innovation in financial services.

Open banking vs. traditional banking

For example, suppose you want to analyze your finances across all your accounts. If you have multiple bank accounts, credit cards, and investment accounts, you must go to each service individually and manually request your latest activity.

With open banking, you can instead use a budgeting app that can connect programmatically to all your financial accounts. The app uses an API to access your transaction history and balances securely and can provide a real-time comprehensive view of your finances all in one place.

Traditional banking means spending hours combing through your financial statements, compiling them into something useful, and repeating the process whenever you want to update the data. By linking your accounts to the budgeting app using open banking, a world of new financial access and benefits is available to consumers.

Benefits of open banking

Increased transparency and convenience

One powerful benefit of open banking is that it gives consumers more options and convenience. Instead of manually downloading transactions and inputting them into budgeting apps, consumers can now automatically and securely share their data with trusted third-party apps. This access makes financial management much more straightforward. Open banking also enables the creation of innovative apps that aggregate information from multiple bank accounts and provide personalized insights and money management tools.

Facilitating comparison shopping

Another key advantage is that open banking facilitates comparison shopping. Third-party apps can show consumers loan, mortgage, or insurance options across multiple providers to help find the best rates and terms. Traditionally, consumers would have to inquire with providers individually, but open banking simplifies this process. This increased transparency and competition incentivizes traditional banks and financial institutions to offer better value.

In these ways, open banking puts more control in the hands of consumers regarding their financial lives. They have more visibility into options and can make optimal data-driven decisions about managing money. With consumer permission, open banking can conveniently bring together multiple aspects of one's financial life.

Examples of open banking

As open banking becomes more widely adopted, innovative applications and tools are emerging to help individuals better manage their finances and empower their economic choices. There are already compelling examples of services leveraging open banking to provide advantages to consumers across budgeting, transferring money, shopping, and accessing financial products. Here are some leading examples of what's possible with open banking:

Budgeting and Financial Management Apps

Budgeting and personal finance apps like Mint and YNAB (You Need A Budget) use open banking to pull in your transaction information from linked bank accounts automatically. This linking allows them to create an aggregated view of all your balances, income, and spending and provides customized analysis and insights about your financial situation. Open banking enables users of these apps to plan future cash flow, find ways to save and pay down debt, and achieve their financial goals.

Peer-to-Peer Payment Services

Venmo and CashApp are some of the services that leverage open banking to offer easy peer-to-peer money transfers. Instead of withdrawing cash, writing a check, or going through a long wire transfer process, you can instantly send money to anyone digitally. Open banking enables direct account linkages that provide speed, convenience, and low costs for these transfer services compared to traditional methods.

Financial Marketplace Platforms

Companies like NerdWallet and LendingTree are examples of open banking in the financial marketplace ecosystem. They allow you to compare mortgages, loan rates, credit cards, insurance plans, and more. Once you input your information and link your financial accounts, these services scan products across hundreds of providers to find you customized quotes and options. This approach simplifies a traditionally tedious multi-application process, allowing users to quickly identify the best-fitting solutions for their financial needs at the best rates.

Small Business Financial Management

Small business owners can leverage open banking with tools like QuickBooks and Xero. These platforms provide integrated dashboards and real-time visibility into the company's finances by linking business accounts with other financial data such as invoices, tax information, and payroll. Business owners save time on administrative tasks and have data-driven insights to manage cash flow, pay employees, track expenses, and plan for growth.

Regulations in open banking

Regulations enable open banking by allowing third-party financial services to access consumer banking data through open APIs. These regulations promote competition, innovation, and transparency while protecting consumer data and privacy. Adhering to these rules and regulations ensures that the user's data is safe and secure. Some landmark policies include:

• Second Payment Services Directive (PSD2) in Europe: This payment regulation was launched in 2015 and requires banks to provide open APIs so licensed third parties can initiate payments or aggregate financial information for EU citizens. It also comes with API specifications such as NextGenPSD2 to aid financial services in implementing open banking APIs.
• Competition and Markets Authority (CMA) Order in the UK: Issued in 2016, the CMA order requires the nine largest banks in the UK to allow regulated providers and licensed startups access to product and customer data to promote competition.
• Consumer Data Right in Australia: In 2019, Australia passed a regulation allowing consumers to share their banking data directly with accredited services. The policy aims to empower consumer choice, and while it started in banking, it has now expanded to the energy sector and will expand further.
• Personal Financial Data Rights in the US: In 2023, the Consumer Financial Protection Bureau (CFPB) proposed a ruling targeting US financial institutions providing transaction accounts like checking accounts, prepaid cards, and credit cards. This new rule, to be finalized in 2024, would allow customers free access to their financial data from these services and for data to be transferred to a different provider if desired.

Critical open banking standards

For open banking to work smoothly, technical standards must enable secure data sharing and communication between financial institutions and third-party apps. These protocols allow consumer-controlled open banking ecosystems where third-party financial apps can securely provide rich services. Some of the leading protocols used in open banking include:

• OAuth 2.0: OAuth 2.0 is an authorization process for third-party services to access specific banking data at user-defined levels and durations. It standardizes approval dialogues for context and visibility into data sharing so users know what they are authorizing the app to do on their behalf. With this protocol, users retain control, and apps only access permitted accounts and transaction details.
• OpenID Connect (OIDC): OIDC builds upon OAuth 2.0 and provides identity services that let individuals use existing online accounts to securely log in and authenticate to apps rather than create separate credentials. In banking, instead of managing more passwords, OIDC lets you log in with your bank username and password, and then you can safely permit approved apps.
• Financial-grade API (FAPI): The FAPI specification is a specialized API security standard defined by the OpenID Foundation that defines security, availability, and performance standards for financial APIs. It covers technical recommendations for encryption, access control, penetration testing, and uptime to protect sensitive banking data. Adhering to these specifications ensures third-party services accessing open banking APIs have enterprise-grade reliability and security.
• Open Financial Exchange (OFX): The protocol OFX, used to exchange financial information, has been around longer than FAPI. The specifications define the request and response message formats used by each financial service and the common framework and infrastructure to support the communication of those messages. It supports various financial activities, including online banking, bill payment, and more.
• Open Banking Standard: Initiated in the UK and developed by the Open Banking Work Group, this standard strongly influences open banking practices, particularly in Europe. It focuses on secure data sharing using APIs, and banks must open their data in a standardized format to authorize third-party services. The standards provide robust security protocols to protect user data and privacy.
• Berlin Group's NextGenPSD2: A framework developed by the Berlin Group, focusing on standardizing API and security requirements in line with PSD2 regulations in Europe. Their goal is to facilitate compliance with PSD2 and offer a standardized set of APIs for accessing bank accounts, initiating payments, and accessing transaction data, ensuring different banking systems across Europe can work together seamlessly.

How fraud works in open banking: fraudulent account linking

Fraudulent account linking involves unauthorized connections between financial accounts and third-party applications orchestrated by fraudsters.

Open banking fraudulent account linking fraud can occur in two primary ways:

• By linking a victim's financial account to an application controlled by the fraudster, allowing unauthorized access and control over the victim's funds.
• By linking the fraudster's financial account to a victim's third-party app, enabling illicit transfer of funds out of the application into the fraudster's account.

In both scenarios, the core of the fraud lies in exploiting the account linking process to gain unauthorized financial access and control.

Once fraudsters establish the fraudulent connection, they gain open access to the victim's account and can initiate unauthorized withdrawals or transfers. Fraudsters can steal substantial sums of money before the victim becomes aware of the breach due to the illicit activity going unnoticed for a significant period.

The impacts of fraudulent account linking

With an estimated 58% of consumers linking their bank accounts to third-party platforms, the impact of fraudulent account linking has grown. Account takeover through fraudulent third-party linking can impact consumers and fintech companies alike.

Unauthorized transactions that maliciously drain the victims' accounts cause significant monetary setbacks, impacting their financial stability. Data breaches and fraudulent account linking expose businesses to significant reputational damage that can lead to customer attrition, negative media coverage, and regulatory sanctions.

Fintech companies must address this threat for open banking to continue to grow and thrive. How can fintech companies prevent fraudulent account linking?

How to prevent fraudulent account linking

Fintech companies are responsible for implementing processes that reliably verify customer consent and account ownership during onboarding and account linking. Proactive measures can prevent unauthorized use of open banking and account takeover through fraudulent linking. Some key steps to consider include:

Security Best Practices

Strengthen API security using best practices and industry standards like those mentioned above. These standards provide strict rules and go through rigorous testing to protect against common attack vectors and ensure secure data transmission between financial services and third-party apps. Additionally, regularly update security protocols and monitor for suspicious activity, such as an unusually high number of requests from a single source, which could indicate an attempted breach.

Multi-Factor Authentication (MFA)

Incorporate multi-factor authentication to ensure the person linking the account is the legitimate owner. This extra factor could involve a combination of something they know (password or PIN), something they have (a phone or hardware token), and something they are (biometric verification). This approach ensures that even if a password is compromised, unauthorized access is still blocked.

Device Analysis

Use device attributes to check IP blocklists and detect potentially suspicious activity such as browser tampering, app cloning, or virtual machine use when a user attempts to link an account. Additionally, store a device fingerprint alongside the user's account when they access your service so you can compare new account linking requests and flag the use of unrecognized devices.

By analyzing the unique characteristics of the device used for account linking, fintech companies can flag unusual patterns and request additional confirmation of authenticity.

const db = require("./database");

// Check if the device is recognized for this account
async function checkAccountDevices(accountId, deviceId) {
  let query = `SELECT * FROM account_devices WHERE accountId = $1 AND device_id = $2`;
  let result = await db.query(query, [accountId, deviceId]);

  if (result.rows.length == 0) {
    // This device has never been used with this account before.
    recordDeviceAttempt(accountId, deviceId);
    return requestAdditionalAuthentication();
  } else {
    return allowLogin();
  }
}

Consent Management

Develop transparent and secure consent management and notification processes. Users should be able to easily view and manage the accounts linked to their profiles. Any change or new account link should trigger a multi-factor authentication process. Additionally, provide clear notifications for account linking requests, allowing users to deny access if they did not initiate the request.

Education and Awareness

Regularly educate your users about the risks and signs of fraudulent activities and how to recognize phishing attempts and secure account information. Regularly update this content and make it easily accessible through your app or website. Knowledgeable users are less likely to fall for common fraud tactics that can lead to fraudulent account linking.

Preventing fraudulent account linking with Fingerprint

Device intelligence software offers invaluable insights into device behavior and characteristics, enabling effective detection and prevention measures against fraud. Fingerprint's Device Intelligence Platform offers strong visitor identification by analyzing more than 70 signals with fuzzy matching algorithms and server-side techniques. These identifiers for visitors are 99.5% accurate and maintain stability over extended periods, offering distinct identifiers for each device or browser that engages with your open banking system.

Fingerprint Smart Signals offer practical insights into visitor behavior, including detecting the use of privacy browsers like Tor or browser tampering and matching with IP blocklists, among others. Combined, these signals and device identifiers aid in creating robust security protocols and identifying abnormal visitor behavior.

Conclusion

Fintech companies can detect and prevent fraudulent account linking by integrating device intelligence into open banking security systems, protecting their business and customers. Get started with a free trial to test out Fingerprint yourself, or contact our sales team to learn more about how Fingerprint can help protect your customers and prevent fraudulent account linking.