Open Banking is now here in the UK, although not yet completely supported by all high-street banks.
As new companies and services are created, we will soon be able to do ever more with our bank details, from account aggregation apps to creating new kinds of payment rules. Not only does this mean a change in what can be done directly from our bank accounts, it means our bank account details themselves are now the source data we use to make payments. This is important, because it changes the power dynamic for criminals when choosing what to target.
Electronic payments and Direct Debit
In the past, only a customer’s bank could make a payment from an account. Then, we had Direct Debit, which allowed companies to take money from customers’ accounts on a regular basis. This mechanism, while powerful, has strong controls on how and when payments are made; it is never ad hoc or without notice, and can be refunded in every case under the Direct Debit Guarantee.
Enter cards and PCI DSS
The only way ad hoc payments could be initiated by non-banks was through credit cards. This made credit card data valuable, and so it naturally became a target for criminals. 2017 has seen over £1 billion stolen from bank accounts through credit and debit card fraud according to recent research.
To combat fraudulent behaviour, the industry got together to create the Payment Card Industry Data Security Standard (PCI DSS), which aimed to ensure that organisations processing and storing credit card details were vetted, or at least worked to specific data and information security standards. The card brands (Visa, MasterCard, American Express, Discover and JCB) first created their own standards with a similar aim of achieving a minimum level of security. The Payment Card Industry Security Council (PCI SSC) was then formed in 2006 to align the brands’ policies, which led to the creation of the PCI DSS.
Open Banking – a new target for criminals?
With the rise in Open Banking, we spin this around again. Bank account data could well become the most convenient source mechanism for transactions and payments. No matter the security we put in place, bank account data may become as attractive to criminals of the future as credit card data was in the past.
My question to the industry is: do we need a PCI equivalent standard for bank account data?
The UK Financial Conduct Authority has been increasing its accreditation requirements for providers, but I’m not sure this is sufficient. Right now, bank account data can be treated and processed with no more ceremony than any other personal data. Is this good enough given how much more useful such data may become? Responsible processors such as SmartDebit have always treated bank account data with the same care as credit card data, but that isn’t the case universally and there are no industry standards in place to ensure bank data is stored securely.
My prediction is that this lack of security regulation on bank account data will survive a couple of high-profile breaches before the industry and regulators take action. If they don’t, nascent confidence in Open Banking as a framework could start to collapse. I just hope it’s not my bank details caught up in the news that eventually highlights the way.