Open banking will expose financial institutions to the ‘weakest link’ problem in a whole new way, and the variety of consequences could upend how banks and credit unions manage account protection altogether. New regulations appear to be on the collective doorsteps of US financial institutions. Yet if they are not ready, all the efforts the industry has made in shaping the direction of the upcoming open banking regulations will be nothing more than a Pyrrhic victory.
The evolution of US open banking
Only a few years ago, if you asked anyone leading the security team at a major US financial institution to give you a short list of items keeping them up at night, one of them would surely be screen scraping. Bank customers using third-party budgeting tools and investment platforms were sharing login credentials with these companies to enable access to their primary checking and savings accounts. In doing so, they were broadening the attack surface for their own banks by creating a new risk: the loss of their login credentials if the third-party was somehow compromised.
In response, financial institutions first attempted the old ‘Fire and Brimstone’ approach with customers. Their accountholders soon began to receive warnings that sharing their login credentials with a third party would mean that they would not be reimbursed for subsequent cases of fraud that may occur. Suffice it to say, that went over really well (read: poorly) with customers, the media, and regulators.
Fortunately (or possibly not, as we will cover later), new services that used API-based connectivity to exchange data between financial institutions and third parties sprang up and gained popularity. With the specter of EU-style open banking regulation hanging over their heads, US bankers eventually embraced this approach – even launching their own versions of these types of services. But even now, the use of these services is largely limited to sharing transaction histories and enabling payment transfers.
Things are about to change
The Consumer Financial Protection Bureau (CFPB) is proposing to institute new rules that would mandate a way for consumers to ‘vote with their feet’ and take their data with them as they leave one financial institution for another. Set to be enacted this year, such a change will inspire a whole new wave of scam activity as criminals realize the potential for misleading consumers and misusing this new capability.
Soon, criminals will be arming themselves with a tool that enables consumers to move not just money, but entire accounts’ worth of funds, with a couple of clicks. As a result, we will all see our inboxes flooded with clever attempts to manipulate us as the weakest link in a bank or credit union’s security chain.
These attempts could include:
• Offers to migrate our checking and savings accounts to a new bank or credit union for some sort of account opening bonus, when we may be doing nothing more than moving funds to an account they control.
• Using the promise of investments with astronomical returns that encourage consumers to migrate funds – or entire retirement accounts – into some sort of ‘custodial account’ which is just an account at another bank or credit union belonging to a money mule. Maybe victims even see some early returns ‘on paper’ and they subsequently move more funds until they suddenly disappear.
• Work-from-home schemes, such as payment scams that turn consumers into money mules. In such a scenario, the new employee is encouraged to migrate their account to a financial institution ‘where they do business’. Yet the scammers have chosen that institution because it is known for weak account controls and oversight, which they exploit to deposit bogus checks and move money from other victims’ accounts.
At least 100 million consumers have authorized a third party to access their account data. Source: Consumer Financial Protection Bureau
You think managing risk is hard now?
Changes in the financial crime ecosystem often affect how financial institutions manage risk, but I’d argue that the paradigm change that is set to occur is unlike anything we’ve seen – especially when it comes to planning for and mitigating the risk that comes with new accounts.
Consider how liability is shifting towards the receiving bank, placing more of the onus on those institutions to better manage the risk that comes from checks, as well as payments made via Zelle. One of the leading pieces of guidance has been for financial institutions to bolster their identity proofing process for demand deposit accounts. Yet open banking will allow accounts opened elsewhere – under different identity verification (IDV) and mule detection controls – to be transferred to your institution!
Ultimately, it will be the controls an institution has in place beyond those used for detecting application fraud that dictate whether it is targeted. Bankers need to ask themselves whether what they are doing now could incentivize criminals to migrate accounts and funds to their institution. We are already seeing this dynamic play out with mule accounts, and open banking will turbocharge the threat.
So, what is a banker to do?
Once open banking is adopted, it starts with scrutinizing every account – new, old, or transferred – for scam-related activity, without relying too heavily on historical transaction activity or on account opening and day-two controls to identify and weed out bad actors. But scrutiny will need to be highest for newly migrated accounts, with limits and controls that more closely match brand-new accounts than established ones. The expectations consumers may have – after all, this is an account they have used for years – need to be transparently managed so that they understand why certain changes have been put in place. In doing so, banks will also put off the scammers and fraudsters who targeted them in the first place.
That’s not to say there isn’t a role for financial institutions when it comes to managing the risks that come from accounts leaving their four walls, either. The last thing anyone wants is to be known as ‘that bank’ or ‘that credit union’ which allows new accounts to be opened with poor KYC and fraud controls. Ironically, while that will draw the kind of regulatory attention no institution wants, strong controls will also need to be in place for every attempt to migrate funds, and especially whole accounts, to a new institution – without raising the ire of regulators who could view heavy-handed approaches as an attempt to keep customers from leaving. Taking a well-documented, evidence-based approach will be key to keeping a clean house and keeping regulators at bay.
Change is the only real constant
It has been said time and again: whenever a new technology or financial product is introduced, crime follows very quickly. We need to be ready to adapt to changes throughout our business, and that includes managing the risk something new can create. The only question is whether you’ll be ahead of the threat, or whether you’ll need to learn the hard way.