Fraud Prevention in an Open Ecosystem

Banks have been custodians of people’s finances and their financial data for centuries.

Over time, they invested heavily in building fortresses around these finances and data. From securing the network, to encrypting data, to setting up strong access control mechanisms and adhering to standards, banks went all the way. At least the good ones did.

While these fortresses around banks made it increasingly difficult for fraudsters to penetrate their systems, fraudsters started attacking the weakest link – the customer. This was easy. There were no firewalls, encryption, or standards to worry about. Fraudsters posed as government organizations, credit risk agencies, a relative, or whatever it took to trick the customer into handing over their credentials. [Identity Thief - The Scam]

Once they had the credentials, penetrating the fortresses around their banks was a breeze.

Undeterred, the good banks started building mini-fortresses around their customers to combat fraud. Two-factor authentication was a great tool. It required the customer to use a combination of something they knew (credentials), something they had (device), and something they were (biometrics) to access their information. The stolen credentials were of little use now, without the second factor. A few banks even started making good use of their data, profiling customers and their transactional behaviors so that any abnormal activity got flagged immediately.

And banks looked at all the good work they had done, and it was very good.

And then came the Networked Ecosystems!

As ecosystems started developing around banks, service providers (mostly fintechs) offered services complementary to banking. For lack of an alternative, they would ask customers for their credentials in exchange for the services they provided. The good guys used the credentials to log in as the customer, screen scrape the data from the interface, and use that data to provide a service (e.g., personal finance management). The bad guys used the credentials for fraud.

There was a quick fix for that: regulated Open Banking (e.g., PSD2). It got rid of screen scraping by requiring all banks to provide APIs to read data and initiate payments on behalf of customers, with customer consent. The regulations also introduced an accreditation mechanism so that only credible entities would be allowed to participate in the ecosystem.

Problem fixed? Not quite!

Even though the ecosystem enables all these new experiences and useful services for consumers, it also opens the door to an order of magnitude more occurrences of fraud!

Accreditation and adherence to basic standards do not necessarily enable fintechs to protect customer data the same way banks do. Financial data is shared across the ecosystem, and it is now much easier to reach through fintech applications that lack the type of fortresses built around banks.

The presence of digital identities can certainly halve the problem. They would consolidate identities as well as the authentication journey across all entities, remove duplication, and reduce the room for fraudulent activity.

But the most powerful anti-fraud mechanism for the ecosystem would be to use its networked architecture to enable easy access to APIs for risk assessments, fraud checks, and fraud data enrichment and sharing. This collaboration enables a much more powerful and efficient fraud prevention system, in the same way it enables customer experiences that could not be delivered by a single entity.

As banks participate in networked ecosystems (e.g., Open Banking) they must be aware of the new vulnerabilities that they and their customers may be exposed to through the ecosystem. The banks that will thrive will be those that encourage and participate in ecosystem fraud prevention services that protect them, their partners, and their customers at large.