Finances are one of the areas of life in which people attach the most importance to data protection, understandably so: it is their own money at stake. The credibility of banks and financial institutions is closely tied to how well they secure their customers' digital data, especially in view of developments in Open Banking.
The United Kingdom is leading the way in Europe in this respect: the Open Banking initiative came into force in January 2018. The nine largest banks in the country (HSBC, Barclays, RBS, Santander, Bank of Ireland, Allied Irish Bank, Danske, Lloyds and Nationwide) are required to make their customers' data available in a secure and standardised form. This is intended to facilitate the exchange of information between financial institutions and supervisors. Financial institutions must also grant third-party providers access to payment transactions and account balances via an interface (API) if the account holder wishes or allows it. Start-ups in FinTech, telecommunications and data processing are officially recognised as participants in the payments market and can carry out transactions on a customer's behalf; they can also offer products and services based on the customer data provided. The new regulation is intended to make managing their money considerably easier for bank customers. Dashboard apps, for example, can now give a complete overview of a customer's financial situation even when their money is spread across several banks, which also makes it easier to compare bank offers, take out loans and pay online. Initially, sharing is limited to account information; an expansion to credit cards and other payment methods is planned over the next two years.
In the United Kingdom, the non-profit organisation Open Banking Limited is responsible for implementing the new system. Its trustee Imran Gulamhuseinwala sees the new regulation as an opportunity for bank customers to make more informed decisions about their finances: "People pay too much for their overdraft; their money is in accounts that earn no interest; they rarely change banks, even when there are better alternatives." Open Banking is the UK implementation of a wider European Union directive, the revised Payment Services Directive (PSD2). The EU directive only requires banks to open their data to third parties; the UK has gone one step further and requires that it be made available in a standard format. Some banks readily comply with the new rules: Danske Bank, for example, provides its own API information website. In Scandinavia, Nordea offers an even more comprehensive example, including public documentation.
Data protection is more important than ever before
However, open API frameworks for third parties also mean that financial institutions have to be more concerned than ever about the security of their customer data. For APIs, "similar security controls should be provided as for digital banking", advises the management consultancy Accenture. Financial institutions, as well as the third-party providers who want to use customer data, must protect personal data throughout processing and storage, especially now that the General Data Protection Regulation (GDPR) is in force.
Transport-layer encryption with TLS for secure communication is only the first step. Beyond authenticating the user, an institution must authenticate the third-party provider that is calling the API, and must protect itself against a range of other attack vectors. Financial institutions should build on open standards and proven security components that they can implement and operate themselves, so that their own security requirements are met in full. A further point is that the standards themselves change: the API formats are continuously revised and extended, so the security solution must be flexible enough to follow. Companies that design for flexibility from the start spare themselves expensive change projects later. With an API proxy in front of the banking systems, challenges such as TLS client authentication (mutual TLS, in which the calling provider presents a certificate that the bank verifies) and smart-card-based authentication can be handled in one place instead of in every backend application.
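The client authentication mentioned above, in concrete form: mutual TLS, where the bank's API accepts only callers that present a certificate issued by a CA the bank trusts. The Go program below is an added example, not code from the article, from Open Banking Limited or from any bank. It creates a throwaway CA, issues a server certificate and a third-party-provider (TPP) client certificate, and runs two handshakes over an in-memory pipe, one with the TPP certificate and one without. The CA name and the hostnames api.bank.example and tpp.example are assumptions for the illustration; nothing here touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issueCert generates a P-256 key and a certificate for it. With parent == nil the result is
// self-signed (our hypothetical in-house CA); otherwise it is signed by the CA's key.
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // leaf certificates carry a SAN; hostnames are illustrative
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// handshake runs one TLS handshake over an in-memory pipe and returns the server's verdict:
// nil when the API server accepted the client, otherwise the reason it refused.
func handshake(serverCfg, clientCfg *tls.Config) error {
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	verdict := make(chan error, 1)
	go func() {
		srv := tls.Server(sConn, serverCfg)
		if err := srv.Handshake(); err != nil {
			verdict <- err
			return
		}
		_, err := srv.Write([]byte("ok")) // one application record for the client to read
		verdict <- err
	}()
	cli := tls.Client(cConn, clientCfg)
	if err := cli.Handshake(); err == nil {
		// In TLS 1.3 the client finishes before the server has checked its certificate;
		// reading one record surfaces either the "ok" or the server's alert.
		io.ReadFull(cli, make([]byte, 2))
	}
	return <-verdict
}

// MutualTLSDemo stands up a hypothetical bank API server that demands a client certificate from
// the bank's CA and reports whether it accepted a TPP with such a certificate and one with none.
func MutualTLSDemo() (withCert, withoutCert bool) {
	_, caCert, caKey := issueCert("Open Banking Demo CA", true, nil, nil)
	serverCert, _, _ := issueCert("api.bank.example", false, caCert, caKey)
	clientCert, _, _ := issueCert("tpp.example", false, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the control under discussion
		ClientCAs:    pool,                           // only certificates chaining to this CA pass
		MinVersion:   tls.VersionTLS12,
	}
	base := &tls.Config{RootCAs: pool, ServerName: "api.bank.example", MinVersion: tls.VersionTLS12}
	withTPPCert := base.Clone()
	withTPPCert.Certificates = []tls.Certificate{clientCert}
	return handshake(serverCfg, withTPPCert) == nil, handshake(serverCfg, base) == nil
}

func main() {
	a, b := MutualTLSDemo()
	fmt.Printf("TPP with CA-issued certificate accepted: %v\nTPP without certificate accepted: %v\n", a, b)
}
```

The whole control is `ClientAuth: tls.RequireAndVerifyClientCert` together with `ClientCAs`: a caller with no certificate, or with one from an unknown CA, is refused during the handshake and never reaches application code. In production the trusted CA is a long-lived one whose certificates are issued to registered providers rather than one generated at start-up, and the server would additionally map the presented certificate to the provider's identity before serving any account data.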
Finally, financial institutions must never forget the basis of good data security: protecting user data within their own applications. Encrypting stored information renders it useless to an attacker if it is lost or stolen. In addition, application data and key management must be strictly separated: the keys should live in a dedicated key-management component, not alongside the data they protect. This is the only way for an institution to retain control over whether application administrators can also read personal data in plain text, rather than that access following automatically from their access to the application's database.
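The separation of application data from key management described above can be shown with envelope encryption. The Go program below is an added example, not code from the article or from any institution: its KeyService is a hypothetical stand-in for a separately administered KMS or HSM, and the caller names, record identifiers and the sample IBAN are constructed for the illustration. Each customer field is encrypted under its own data key; the application stores only that key wrapped under the key-encryption key (KEK) beside the AES-GCM ciphertext, and the KEK never leaves the key service. The checks at the end show what a database administrator with full table access sees, what an unauthorised caller gets from the key service, and that a ciphertext re-filed under another customer is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService is a hypothetical stand-in for a separately administered KMS or HSM; the KEK never leaves it.
type KeyService struct {
	kek     []byte
	allowed map[string]bool // service identities permitted to use the KEK
}

// GenerateDataKey returns a fresh data key in the clear for immediate use, plus the same key wrapped under the KEK.
func (ks *KeyService) GenerateDataKey(caller string) (plainDEK, wrappedDEK []byte, err error) {
	if !ks.allowed[caller] {
		return nil, nil, errors.New("kms: caller not authorised")
	}
	plainDEK = randomBytes(32)
	return plainDEK, gcmSeal(ks.kek, plainDEK, []byte("dek-wrap")), nil
}

func (ks *KeyService) UnwrapDataKey(caller string, wrappedDEK []byte) ([]byte, error) {
	if !ks.allowed[caller] {
		return nil, errors.New("kms: caller not authorised")
	}
	return gcmOpen(ks.kek, wrappedDEK, []byte("dek-wrap"))
}

// Record is what the application database stores: never plaintext, never the KEK.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte // nonce || AES-GCM ciphertext || tag
}

// EncryptField binds the record ID as associated data, so a ciphertext cannot be re-filed under another customer.
func EncryptField(ks *KeyService, caller, recordID string, plaintext []byte) (Record, error) {
	dek, wrapped, err := ks.GenerateDataKey(caller)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: gcmSeal(dek, plaintext, []byte(recordID))}, nil
}

func DecryptField(ks *KeyService, caller, recordID string, rec Record) ([]byte, error) {
	dek, err := ks.UnwrapDataKey(caller, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, rec.Ciphertext, []byte(recordID))
}

func gcmSeal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes in this example
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad) // output = nonce || sealed
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key) // see gcmSeal: key length is fixed
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// EnvelopeDemo: what a DBA sees in the table, who can read the field, and whether re-filing is caught.
func EnvelopeDemo() map[string]bool {
	ks := &KeyService{kek: randomBytes(32), allowed: map[string]bool{"account-service": true}}
	iban := []byte("GB29 NWBK 6016 1331 9268 19") // constructed sample value
	rec, _ := EncryptField(ks, "account-service", "customer-42", iban) // allowed caller; a failure shows below
	got, readErr := DecryptField(ks, "account-service", "customer-42", rec)
	_, dbaErr := DecryptField(ks, "db-admin", "customer-42", rec)
	_, moveErr := DecryptField(ks, "account-service", "customer-43", rec)
	return map[string]bool{
		"plaintext visible in stored record": bytes.Contains(rec.Ciphertext, iban),
		"owning service reads field":         readErr == nil && bytes.Equal(got, iban),
		"db admin refused by key service":    dbaErr != nil,
		"re-filed ciphertext rejected":       moveErr != nil,
	}
}

func main() {
	fmt.Println(EnvelopeDemo())
}
```

The point of the design is that reading plaintext now requires two separately controlled permissions: access to the table, and the right to call the key service as the owning application identity. A database administrator has the first but not the second, so the decision about who may see personal data in the clear is made in the key service's access policy, not by whoever happens to administer the database. In production the KeyService calls would go to the institution's KMS or HSM, which also gives a central place to rotate the KEK and to log every unwrap.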