Sachin Parate,Latha Thamma Reddi,Shashank Agarwal,Manoj Suryadevara

DOI: https://doi.org/10.48175/ijarsct-13165

2023-10-23

Abstract:The financial services industry is undergoing a seismic shift, driven by the convergence of technological advancements, regulatory mandates, and changing consumer expectations. Central to this transformation is the emergence of Open Banking, a strategic initiative reshaping traditional banking paradigms by advocating for collaboration, interoperability, and customer-centricity. Open Banking, fundamentally facilitated through standardized Application Programming Interfaces (APIs), enables secure and seamless sharing of customer-permissioned financial data and services between traditional financial institutions and external third-party developers. Concurrently, the API economy has emerged as a critical enabler of this collaborative model, offering a standardized interface that underpins the integration of diverse systems, allowing for the efficient exchange of data and functionality. This scholarly article delves into the intertwined realms of Open Banking and the API economy, aiming to elucidate their collective role in propelling collaborative financial services innovation. Open Banking serves as a pivotal force, affording financial institutions a comprehensive view of their customers' financial landscapes, thereby fostering the creation of tailored, responsive, and innovative financial solutions. Complementing this, the API economy acts as the technical scaffolding that enables seamless data sharing and integration, engendering a more connected, agile, and innovative financial ecosystem. By tracing the evolution of Open Banking from its origins to its present-day global presence, this research highlights its transformative potential, emphasizing its capacity to spur competition, drive innovation, and enhance customer experiences. Moreover, the significance of the API economy is analyzed, shedding light on its pivotal role in establishing open, standardized interfaces, thereby promoting a culture of collaboration and innovation. In conclusion, this article envisions a future where the symbiotic relationship between Open Banking and the API economy fuels an era of collaborative financial services innovation, ultimately leading to a more inclusive, efficient, and customer-centric financial landscape

Mareike Heins,Georgios Rigopoulos

DOI: https://doi.org/10.56201/ijebm.v9.no5.2023.pg1.12

2024-02-09

Abstract:Open banking is a major innovation in financial industry and has been driven by technology developments, as well as legislation for financial data. Payment Systems Directive 2 (PSD2) has been a key initiative for European Union, aiming to increase competition and innovation among financial industry, by allowing the entry of third party licensed providers to the financial market. This is feasible by relaxing the data restrictions and ownership, and passing control over consumers, who may select among a wide set of service providers, and not only the traditional banks. Although, PSD2 and third party applications are in place, there seems that consumers do not adopt them widely. Also, it is not evident, if PSD2 has enabled the desired level of competition and innovation for the benefit if consumers. Due to lack of relevant works, this study, aims to explore the key factors that affect consumer adoption and at the same time examine the PSD2 effectiveness in the creation of a new landscape. A number of experts were interviewed and a qualitative analysis was followed. Results, indicate that key barriers to adoption are lack of awareness, data privacy and value proposition, while PSD2 seems that it has increased competition and innovation. Further studies can shed more light on those findings, in a wider perspective.

Daniel Fett,Pedram Hosseyni,Ralf Kuesters

DOI: https://doi.org/10.48550/arXiv.1901.11520

2019-02-01

Abstract:Forced by regulations and industry demand, banks worldwide are working to open their customers' online banking accounts to third-party services via web-based APIs. By using these so-called Open Banking APIs, third-party companies, such as FinTechs, are able to read information about and initiate payments from their users' bank accounts. One of the most promising standards in this segment is the OpenID Financial-grade API (FAPI), currently under development in an open process by the OpenID Foundation and backed by large industry partners. The FAPI is a profile of OAuth 2.0 designed for high-risk scenarios and aiming to be secure against very strong attackers. To achieve this level of security, the FAPI employs a range of mechanisms that have been developed to harden OAuth 2.0. In this paper, we perform a rigorous, systematic formal analysis of the security of the FAPI, based on the Web Infrastructure Model (WIM) proposed by Fett, Kuesters, and Schmitz. To this end, we first develop a precise model of the FAPI in the WIM, including different profiles and combinations of security features. We then use our model of the FAPI to precisely define central security properties. In an attempt to prove these properties, we uncover partly severe attacks, breaking authentication, authorization, and session integrity properties. We develop mitigations against these attacks and finally are able to formally prove the security of a fixed version of the FAPI. This analysis is an important contribution to the development of the FAPI since it helps to define exact security properties and attacker models, and to avoid severe security risks. Of independent interest, we also uncover weaknesses in the aforementioned security mechanisms for hardening OAuth 2.0. We illustrate that these mechanisms do not necessarily achieve the security properties they have been designed for.

Cryptography and Security

C. Cheh,Binbin Chen

DOI: https://doi.org/10.1109/SecDev51306.2021.00019

2021-10-01

Abstract:Modern web and mobile applications rely on an ever increasing set of services defined by their respective API (Application Programming Interface) specifications. The complexity of today’s APIs, in terms of scale and inter-dependency, poses a challenge for security analyses as it requires much manual effort to conduct a check for design flaws. In this work, we leverage the standardized OpenAPI specification as input and propose a semi-automatic approach to infer various key information about that API specification’s security issues. Our case study based on the OpenAPI specification of the Open Bank Project (consisting of 304 API calls and 402 data fields) shows that our approach can: 1) identify sensitive and insensitive data fields, 2) identify insecure or high-risk API calls that may leak sensitive data, and 3) calculate the exposure level of each data field and API call. In particular, we identified 31 sensitive data fields, 29 insufficiently protected API calls that access a subset of those sensitive data, and 34 high-risk API calls that may result in sensitive data exposure. Furthermore, our exposure level calculation shows that transactions-related fields generally have higher exposure level, hence requiring more scrutiny.

Computer Science

Phoebe Chen,Alfredo Cuzzocrea,Xiaoyong Du,Orhun Kara,Ting Liu,Krishna M. Sivalingam,Dominik Ślęzak,Takashi Washio,Xiaokang Yang,Junsong Yuan,Simone Diniz Junqueira Barbosa,Xueming Si,Hai Jin,Yi Sun,Jianming Zhu,Liehuang Zhu,Xianhua Song,Zeguang Lu Eds

DOI: https://doi.org/10.1007/978-981-15-3278-8

2020-01-01

Abstract:The concept of open banking has been a powerful trigger for the revolution in the financial services industry. When financial institutions disclose application programming interfaces (APIs) to third-party providers (TPPs), the biggest system risks concern issues such as malicious attack, data leakage and tampering, privacy disclosure and more. API is a new communication path for information systems, but it could be misused and tampered. To address this, we conceptualize a blockchain-based data sharing scheme for open banking named OBBC, in which the API’s information can be saved in a blockchain, that no one can dominate it. We propose an API consensus mechanism aims to ensures that the open API can’t be maliciously tampered. Moreover, zero knowledge proof and Merkel tree structure are used to realize that users’ privacy protection. In particular, we give the framework of our scheme and compare with existing data sharing schemes. We further implement a software prototype on fabric framework with real-world dataset. Experiment results show the feasibility, usability and scalability of our proposed open banking system.

Muhammad Bilal,Can Wang,Zhi Yu,Abid Bashir

DOI: https://doi.org/10.1109/icsess49938.2020.9237635

2020-01-01

Abstract:Identity management (IdM) plays a significant role in managing user identities (IDs). However, IdM is challenging to handle the rapidly rising numerous kinds of Web-based applications nowadays. The OpenID 2.0 communication protocol is an improved solution for managing a user's IDs based on the OpenID URL identity. OpenID URL identity is not very much secure in specific Web-based attacks; for instance, session hijacking and phishing attacks often occur. The earlier OpenID-based methods secure OpenID URL identity with single, double, and triple authentication schemes. But Identity Provider (IdP) side is still not secure in Web attacks: if an attacker steals the IdP-side legal user information, then existing OpenID-based security techniques are unreliable. The anticipated OpenID Reverse Authentication Authorizing and Accounting (RAAA) user authentication-based protocol secured OpenID URL identity by providing two beneficial fields Secret Alphanumeric String (SAS) and Special Innovative PIN (SIP) that utilize in testing website both sides in reverse and cost-effective way. In this experiment, IdP and Relying Party (RP), both sides are being used secretly. Therefore, experimental websites also test to check the proposed triple authentication protocol. In this paper, we have compared our RAAA user authentication protocol with already available SSO protocol methods. The tested websites and comparative results represent that the anticipated design protocol is very much secure and reliable solution. The advanced cryptographic Single-Sign-On (SSO) secure protocol reduces the higher-level session hijacking and phishing attacks risk in an OpenID-based environment. We suggest future SSO protocol methods will be needed more in terms of the authorized user's identity authentication in Web-based applications.

Valeria Stefanelli,Francesco Manta,Pierluigi Toma

DOI: https://doi.org/10.48550/arXiv.2210.01109

2022-10-18

Abstract:Digitalization in many economic sectors drove the financial system to adapt to new paradigms of technological transformation. Moreover, the extant regulatory framework forced the financial system to reconsider its business models and its relationship with the market. Such reasons generated also in the banking sector a new model of competition within the ecosystem never seen before in this sector. The new ecosystem of banks and financial institutions lacks a common framework that not only synthesizes the development lines of open innovation in the banking sector, but also regarding the planification of strategic choices and organisation within the new ecosystems. The present study aims to inquire the strategic positioning of European banks toward their digital transformation strategies, by analysing the decision-making processes that occurred between 2015 and 2019. A qualitative analysis on partnerships and the adoption of Application Programming Interfaces (APIs) development in support of new service models was carried out. Results have relevant policy implications for regulators, linked to the business evolution and the risks of outsourcing, and managerial implications for the followers, specifically on the plan of service integration to diversify and boost their activities in the segment of customer relationship management and care, providing a better user experience.

General Finance

Yingsi Chen

DOI: https://doi.org/10.9734/ajess/2023/v45i3985

2023-06-22

Asian Journal of Education and Social Studies

Abstract:Open banking is a platform-based and ecological business model based on data sharing, which has the characteristics of "disruptive innovation". The value of data is mainly reflected in the fusion and mining on the basis of sharing, and the essence of open banking is data sharing. As a new key production factor driving the development of financial industry in the era of digital finance, personal data still has many challenges in the practice of open banking, such as data leakage risk, data sharing authorization risk, correlation risk of data sharing with third-party institutions, and lack of supervision risk. Based on the word frequency statistics and comparative analysis with non-bank financial institutions, the empirical study shows that China’s banking industry has significantly increased the construction of open banking since 2018, among which banks with poor profitability and high risk level regard open banking as an important direction of transformation and upgrading. However, open banking also brings new risks such as data leakage and network security and the empirical results also confirm that open banking construction significantly improves the probability of bank violations. Combining with the existing three types of compulsion, such as Self-regulatory, Self-regulatory l and boost the regulatory, this paper argues that it is suitable for our country to adopt the boost regulatory mode.

Sangseung Oh,Gyongchan Chung,Keuntae Cho

DOI: https://doi.org/10.3390/su16167187

IF: 3.9

2024-08-22

Sustainability

Abstract:Fintech facilitates financial inclusion by introducing new sustainable and accessible business models in developing countries. Open banking API technology is used by various fintech businesses in both developing and developed countries, with varying effects on financial markets. It changes the financial market distribution structure by separating financial product manufacturing and distribution and intensifying competition between traditional financial institutions and fintech companies. Fintech companies innovate by using this tool to create new business models. In December 2019, Korea established a standardized "open banking API platform", sharing an interbank payment network with fintech companies. It has since shown explosive growth, surpassing the trading volume of the UK, the country that introduced open banking APIs for the first time. This study analyzes new business models fintech companies created using this API technology. Based on existing literature, statistics from the platform operator (the Korea Financial Telecommunications and Clearings Institute), and investigations of 30 Korean fintech mobile applications, this study analyzes new fintech business models that provide financial services using this platform. These companies create sustainable business models by combining multiple APIs. Four representative business models (simple funds transfer, simple payment, cross-border remittance, and asset management) are analyzed to reveal how fintech companies create business models with open APIs.

environmental sciences,environmental studies,green & sustainable science & technology

P. Laplante,M. Kassab

DOI: https://doi.org/10.1109/MC.2021.3108402

2022-01-01

Computer

Abstract:Open banking (OB) is a special kind of financial ecosystem governed by certain security profiles, application interfaces, and guidelines with the objective of improving customer choices and experiences. OB also makes it easier for new entries into the financial business sector.

Computer Science,Business

Olajide Soji Osundare,Adebimpe Bolatito Ige

DOI: https://doi.org/10.56781/ijsrst.2024.5.1.0029

2024-08-30

Abstract:This paper explores the critical need for a robust security framework in inter-bank data transfer systems within the financial services sector. It reviews current security measures, identifies key vulnerabilities, and examines existing standards and protocols such as SWIFT and ISO 20022. Major security threats, including cyber-attacks and insider risks, are analyzed alongside technological, operational, and regulatory challenges. The impact of emerging technologies like blockchain and AI on security is discussed. Recommendations are provided for financial institutions to enhance security practices and for regulators to strengthen policy frameworks. The paper also highlights future research directions to address evolving security challenges in the financial sector.

Joris Hensen,Brigitte Kötting

DOI: https://doi.org/10.69554/srcl3482

2022-03-01

Abstract:Consumers’ needs have changed significantly in recent years, and so have their expectations of financial services. Not only does a large part of their life take place online, but digital apps and products are also integrated into everyday situations. Instead of offering isolated products on a website, companies therefore began to address consumers right at their ‘point of need’ — on e-commerce platforms, in apps from mobility service providers or on comparison portals. Banks can adopt this approach by embedding financial services into the products of non-bank companies, thus offering seamless processes and an increased level of convenience to their clients. Open banking is what provides the foundation for this concept of ‘embedded finance’, by allowing third parties to access banking data via technical interfaces — so-called application programming interfaces (APIs). In 2015, Deutsche Bank decided to take advantage of the opportunities offered by open banking. Through an API programme, the bank enables its partners and customers to integrate banking data as well as financial products and services into their own applications and products. Thus, partners can offer financial services to their customers directly at the point of need. The work of Deutsche Bank’s API Program has provided valuable insights into how banks can successfully open up and even take the next steps towards embedded finance. This paper looks at Deutsche Bank’s experience with open banking and the possibilities and opportunities for embedded finance and presents best practice examples for the necessary internal transformation of financial institutions.

Khaled A. M. Ahmed,Sabry F. Saraya,John F. Wanis,Amr M. T. Ali-Eldin

DOI: https://doi.org/10.3390/fi15060208

2023-06-08

Future Internet

Abstract:Open finance is evolving and extending open banking. This creates a large context that implies a financial and identity data exchange paradigm, which faces challenges to balance customer experience, security, and the self-control over personal identity information. We propose Self-Sovereign Banking Identity (SSBI), a Blockchain-based self-sovereign identity (SSI) to secure private data sharing by utilizing trusted customer's banking cards as a key storage and identity transaction-signing enclave. The design and implementation of the SSI framework is based on the Veramo SDK and Ethereum to overcome the limitation of signing curve availability on the current banking Java Cards needed for Hyperledger Indy. SSBI uses the elliptic curve SECP256K1 for transaction signing, which exists for several payment cards in the market. SSBI enables automated financial services and trust in the service provider communication. This work analyzes the flow and framework components, and evaluates the usability, integration, and performance in terms of throughput, latency, security, and complexity. Furthermore, the proposed approach is compared with related solutions. The presented prototype implementation is based on a test Ethereum network and signing transactions on the banking card. The preliminary results show that SSBI provides an effective solution for integrating the customer's banking cards to secure open banking identity exchange. Furthermore, it allows the integration of several scenarios to support trusted open banking. The Blockchain layer settings need to be scaled and improved before real-world implementation.

Karen Elliott,Kovila Coopamootoo,Edward Curran,Paul Ezhilchelvan,Samantha Finnigan,Dave Horsfall,Zhichao Ma,Magdalene Ng,Tasos Spiliotopoulos,Han Wu,Aad van Moorsel

DOI: https://doi.org/10.1017/dap.2022.23

2022-10-16

Abstract:Financial inclusion depends on providing adjusted services for citizens with disclosed vulnerabilities. At the same time, the financial industry needs to adhere to a strict regulatory framework, which is often in conflict with the desire for inclusive, adaptive, and privacy-preserving services. In this article we study how this tension impacts the deployment of privacy-sensitive technologies aimed at financial inclusion. We conduct a qualitative study with banking experts to understand their perspectives on service development for financial inclusion. We build and demonstrate a prototype solution based on open source decentralized identifiers and verifiable credentials software and report on feedback from the banking experts on this system. The technology is promising thanks to its selective disclosure of vulnerabilities to the full control of the individual. This supports GDPR requirements, but at the same time, there is a clear tension between introducing these technologies and fulfilling other regulatory requirements, particularly with respect to "Know Your Customer." We consider the policy implications stemming from these tensions and provide guidelines for the further design of related technologies.

Nathan Van de Velde,N. Vandezande,P. Valcke

2015-09-23

Abstract:The research looked at which third party payment providers (TPP’s) are covered by the PSD2 and AMLD4 directives, the consequences thereof, as well as to what extent such coverage goes; and sought to analyse the potential for the regulation of cryptocurrency in terms of combatting money laundering and terrorist financing. TPP’s gain possession of a significant amount of sensitive information, for instance by providing a gateway from which consumers log in to their bank accounts using their unique identifiers and credentials. As a result, these entities are drawing increasingly more attention from legislators and regulators.Under the framework of the PSD2, TPP’s will be subject to stringent regulatory standards similar to those placed on traditional payment service providers under the PSD. In the US, regulation of TPP’s must be assessed on a state-by-state basis. In Florida, for instance, they can be considered as money transmitters, thus putting them under that regulation, as well as the federal Bank Secrecy Act. In Asia, the number of TPP’s has grown significantly over the past years. In China, these actors are regulated by the People’s Bank of China, and are subjected to a number of requirements similar to those found in the EU, such as minimum capital requirements and anti-money laundering rules.Another notable development is that of alternative payment methods – a prime example here are cryptocurrencies such as bitcoin. The bitcoin ecosystem is decentralized, meaning that no single entity controls the system. Currently, there exists no convincing arguments to consider virtual currencies as regulated under the EU’s Payment Services Directive or the Second E-money Directive. While the PSD2 does introduce new terminology and significantly amended scope exemptions compared to the original Payment Services Directive, there is no wider inclusion of virtual currencies under its scope. A similar argument can be made for the recently adopted AMLD4, where virtual currencies have been omitted from its scope despite earlier signs that this development may be included. The researchers conclude their paper with several public and private sector recommendations.

Law,Business

Panagiotis Chatzigiannis,Wanyun Catherine Gu,Srinivasan Raghuraman,Peter Rindal,Mahdi Zamani

2023-06-17

Abstract:Today, financial institutions (FIs) store and share consumers' financial data for various reasons such as offering loans, processing payments, and protecting against fraud and financial crime. Such sharing of sensitive data have been subject to data breaches in the past decade. While some regulations (e.g., GDPR, FCRA, and CCPA) help to prevent institutions from freely sharing clients' sensitive information, some regulations (e.g., BSA 1970) require FIs to share certain financial data with government agencies to combat financial crime. This creates an inherent tension between the privacy and the integrity of financial transactions. In the past decade, significant progress has been made in building efficient privacy-enhancing technologies that allow computer systems and networks to validate encrypted data automatically. In this paper, we investigate some of these technologies to identify the benefits and limitations of each, in particular, for use in data sharing among FIs. As a case study, we look into the emerging area of Central Bank Digital Currencies (CBDCs) and how privacy-enhancing technologies can be integrated into the CBDC architecture. Our study, however, is not limited to CBDCs and can be applied to other financial scenarios with tokenized bank deposits such as cross-border payments, real-time settlements, and card payments.

Cryptography and Security

Oscar Borgogno,Giuseppe Colangelo

DOI: https://doi.org/10.2139/ssrn.3591205

2020-01-01

SSRN Electronic Journal

Abstract:The European wave of regulatory interventions aimed at promoting access to data and data sharing shows no signs of stopping. However, concerns are being expressed about alleged unintended consequences of data portability in financial markets. In particular, new calls have been voiced to contain the engagement of BigTech platforms with retail banking. The paper argues that asymmetrical regulatory measures imposed on BigTechs entry in the financial industry are likely to tilt the market in favor of incumbent banks to the detriment of small players as well as consumer welfare. Such an early regulatory intervention would actively help larger traditional banks to entrench their market power further, ultimately frustrating the pro-competitive potential of the access to account rule enshrined in the revised Payment Service Directive (PSD2).

Rami Haddad,Rim El Malki,Daniel Cozma

2024-06-04

Abstract:APIs have become the prominent technology of choice for achieving inter-service communications. The growth of API deployments has driven the urgency in addressing its lack of security standards. API Security is a topic for concern given the absence of standardized authorization in the OpenAPI standard, improper authorization opens the possibility for known and unknown vulnerabilities, which in the past years have been exploited by malicious actors resulting in data loss. This paper examines the number one vulnerability in API Security: Broken Object Level Authorization(BOLA), and proposes methods and tools to reduce the prevalence of this vulnerability. BOLA affects various API frameworks, our scope is fixated on the OpenAPI Specification(OAS). The OAS is a standard for describing and implementing APIs; popular OAS Implementations are FastAPI, Connexion (Flask), and many more. These implementations carry the pros and cons that are associated with the OASs knowledge of API properties. The Open API Specifications security properties do not address object authorization and provide no standardized approach to define such object properties. This leaves object-level security at the mercy of developers, which presents an increased risk of unintentionally creating attack vectors. Our aim is to tackle this void by introducing 1) the OAS ESS (OpenAPI Specification Extended Security Scheme) which includes declarative security controls for objects in OAS (design-based approach), and 2) an authorization module that can be imported to API services (Flask/FastAPI) to enforce authorization checks at the object level (development-based approach). When building an API service, a developer can start with the API design (specification) or its code. In both cases, a set of mechanisms are introduced to help developers mitigate and reduce the prevalence of BOLA.

Cryptography and Security,Programming Languages

Polra Victor Falade,Grace Bunmi Ogundele

DOI: https://doi.org/10.48550/arXiv.2302.07586

2023-02-15

Cryptography and Security

Abstract:There is a rapid increase in the number of mobile banking applications' users due to an increase in smart mobile devices. Mobile banking is a financial transaction and service offered through mobile devices. Almost all financial institutions now provide mobile banking services to their customers. However, the security of mobile banking applications is of huge concern because of the amount of personal data and information they collect. If an attacker gets hold of personal information, they can access bank payment or card accounts. This research aims to analyze the vulnerability of the UK digital banks' applications to identify vulnerabilities in the apps and proffer countermeasures that can help improve the security of the bank applications. Androbugs, a vulnerability scanner, was used to analyze the vulnerability of six digital banks' android applications. Starling, Monese, Atom bank, Transferwise, Monzo, and Revolut were scanned. All the scanned digital banks' applications have vulnerabilities; however, some have more vulnerabilities than others. For example, Revolut's mobile application has the highest number of identified vulnerabilities. Therefore, there is need for more security in the digital banks' applications as well as other mobile banking applications.

Savina Dine Kim,Galina Andreeva,Michael Rovatsos

2023-08-01

Abstract:This research article analyses and demonstrates the hidden implications for fairness of seemingly neutral data coupled with powerful technology, such as machine learning (ML), using Open Banking as an example. Open Banking has ignited a revolution in financial services, opening new opportunities for customer acquisition, management, retention, and risk assessment. However, the granularity of transaction data holds potential for harm where unnoticed proxies for sensitive and prohibited characteristics may lead to indirect discrimination. Against this backdrop, we investigate the dimensions of financial vulnerability (FV), a global concern resulting from COVID-19 and rising inflation. Specifically, we look to understand the behavioral elements leading up to FV and its impact on at-risk, disadvantaged groups through the lens of fair interpretation. Using a unique dataset from a UK FinTech lender, we demonstrate the power of fine-grained transaction data while simultaneously cautioning its safe usage. Three ML classifiers are compared in predicting the likelihood of FV, and groups exhibiting different magnitudes and forms of FV are identified via clustering to highlight the effects of feature combination. Our results indicate that engineered features of financial behavior can be predictive of omitted personal information, particularly sensitive or protected characteristics, shedding light on the hidden dangers of Open Banking data. We discuss the implications and conclude fairness via unawareness is ineffective in this new technological environment.

Machine Learning,Computers and Society