Faster payments took center stage at NACHA Payments 2017 in Austin last week – but Open Banking was the undercurrent that bubbled up and consumed much of the conversation during the event.
In Open Banking, financial institutions (FIs) expose APIs to third party providers (TPPs), allowing them to initiate transactions which directly access customer and business accounts.
In a retail world, this will take the shape of consumers making e-commerce purchases or initiating instant P2P transactions through the Zelle app, both drawing directly from their DDA accounts – no card rails needed.
Meanwhile in the commercial banking world, open APIs will offer corporates direct access for processing – but it will also further enable third party senders who do payment processing, such as payroll, on behalf of businesses.
As this third-party ecosystem takes shape, two phenomena become apparent – Open Banking introduces exciting new business opportunities for FIs, but it also poses new fraud threats and risks that are still difficult to define and measure.
Open Banking “Flavored” Fraud Risk
In fraud, there is a bottom line: introducing third parties into banking simply adds a new layer of complexity to the detection mix.
Among the new concerns:
Account takeover through the third party: Fraudsters will use stolen credentials to initiate transactions through third parties.
TPP mobile application spoofing – If consumers fall for spoofed banking apps, it’ll be even easier to fall for a fake instant P2P or mobile wallet app.
Digital assistants: As Alexa and Siri payment initiation take hold, we’ll see attacks on this new “browser” type. With Alexa, we may see attacks on the related e-commerce ecosystem.
API Hacking: Fraudsters may hack a legitimate TPP and send requests on its behalf.
These are just a few examples of potential open banking fraud, but it’s more important to note that with any new set of services, there are unforeseen fraud threats – we expect to see brand new attack types emerge.
NACHA Sets Example with TPP Due Diligence
Corporates have long-used third parties to handle payment processing services – and too often there is little or no due diligence at the time of onboarding these organizations.
NACHA is set to change this, establishing a series of Third Party Sender rules, which require TPPs to register with the governing organization. The goal is to assess TPP risk and allow FIs to make better decisions.
NACHA will also provide a certification process, which will require TPPs to provide quarterly financial statements and undergo periodic audits. In turn, NACHA will establish a list of certified TPPs – and will also de-certify TPPs when they pose risk or potential for lack of solvency.
TPP Risk Assessment as Fraud Strategy
NACHA’s rules attempt to contain risk around only those TPPs enabling ACH services. But as the Open Banking ecosystem takes shape, we’ll need a similar due diligence process and then ongoing risk scoring for third parties.
In Europe, where Open Banking is mandated by PSD2 regulations, it’s likely we’ll see a multinational TPP registry. In the U.S. no such universal registry is likely to take place without some organization getting involved.
Instead, U.S. FIs will need to incorporate entity risk scoring into their fraud detection strategies. This could take the shape of implementing due diligence tools for third parties, or in using consortium analytics monitoring to establish fraud patterns linked to TPPs.
Expanded Fraud Analytics for an Open Banking World
Beyond assessing TPP risk, FIs will need fraud analytics optimized for open banking as another channel with unique transactions.
Where today FIs run real-time risk monitoring for every transaction initiated in mobile, online, contact center and branch channels, they’ll now need to add open banking into the omni-channel mix.
Open banking fraud analytics should consider a wide range of data for risk assessment, including the point of TPP enrollment or provisioning, the typical relationships between consumers or businesses and TPPs, typical payment patterns, and non-monetary, among many others.
And maybe most importantly, open banking will call for agility in analytics as fraud patterns shift quickly.
Intersection of Faster Payments, Open Banking
At next year’s NACHA, I expect to see both faster payments and open banking making headlines – but this time we’ll see their intersection more clearly. Along with that, I predict that we will also have a clearer idea of emerging fraud threats and detection strategies, which will have to be well underway by that time.