RISKS AND CHALLENGES
The exchange of sensitive data across multiple parties gives rise to challenges and risks ranging from consumer-related concerns to data-oriented threats, since opening up the marketplace increases the attack surface exposed to cybercriminals.
Customer Adoption Challenges
- “Customer inertia is an entrenched feature of the banking system.” Max von Bismarck, Chief Business Officer at Deposit Solutions, notes that in the UK, 85% of current accounts remain with the five largest banks, despite the regulatory efforts to diversify this.
- Trust in the robustness of data security is limited. Baby boomers, for example, have been found reluctant to share information via bank account aggregation apps, even though on average they have the most account providers to track. Any newsworthy system breach could set back adoption. (Note: baby boomers are people born between 1946 and 1964.)
- The General Data Protection Regulation (GDPR) has raised the bar for individuals to control which parties compile and make use of their data, and for how long. Nuances in how third parties gain data access can create uncertainty about implementing and explaining the expected controls.
Mitigation
- Providers should focus foremost on novel applications with exceptional service delivery, while reserving moderate investment in public relations to explain “Open Banking.”
- Customers must be educated about the security measures inherent in Open Banking ID authentication and understand their rights over the use of data about themselves.
- Regulations and industry associations should direct industry players to commit to prompt and fully transparent reporting of breaches.
Governance Risks
- Third-party providers may store – or simply access – parties’ financial data. A data breach at their end at minimum exposes an individual account; worse, it could provide clues to access weaknesses that lead to large-scale hacking. Legally and reputation-wise, it is untested ground whether the TPP or the account-holding bank will generally be regarded as responsible.
- With so much focus on technical standards, the open banking world lags significantly in working through issues of inter-party responsibilities. “When it comes to devising governance rules for data sharing and protection, leading banks are largely working out the details on their own. It depends on their innovation & risk profile.” Vikas Agarwal, Financial Crime & Analytics Technology Leader, PwC
Mitigation
- Banks should establish rigorous security and reporting certification procedures for potential partners, to protect their reputation and that of the entire industry.
Cyber-security Risks
- Cyber-security: With Open Banking, banks’ sensitive data perimeters are extended outside their corporate premises. Aggregated customer data, such as transactions and balances held in third-party providers’ infrastructure and servers, poses a significant security risk that could lead to system, protocol, or network vulnerabilities.
- Fraud: As banks aim to go more digital, operations will increasingly be managed over the web using automated processes. This creates new opportunities for fraudulent activity and demands new techniques for fraud monitoring, although overall, AI/machine-learning techniques are improving real-time fraud detection.
- Compromising mobile devices: Scammers disguised as outside sources and third-party vendors can trick customers or their phone companies into sharing or resetting login information. By capturing control of large volumes of devices, cybercriminals can raise their profile and increase their ability either to attack devices directly or to use them to launch distributed denial-of-service (DDoS) campaigns.
Risk Mitigation
Strong security frameworks
- Thorough risk assessment, including the identification, classification, and evaluation of processes and assets.
- Monitoring of the integrity of data and systems, as well as of employees and third-party staff.
- Independent testing of security measures.
- Support for the evolution of more robust, open API security standards. Adhere to the “strong customer authentication” practices of the European Banking Authority (mandated for continental banks as of late 2019).
Use transaction risk analysis
- Transaction risk analysis can be used to detect abnormal behavior in requests originating from third-party providers, identify suspicious transactions from those TPPs, and detect atypical sequences of API calls, all in real time.
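As an added illustration (not code from the original article or any bank's actual system), the following shows the three kinds of real-time checks the bullet above describes, run over a constructed sample of bank-side API gateway records: a per-TPP request burst, a payment initiation not preceded by a read of that account by the same TPP (an atypical call sequence), and a payment amount above a limit. The endpoint names, thresholds and log layout are assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed sample of bank-side API gateway records, one per TPP call:
# (time_s, tpp_id, account_id, endpoint, amount_eur). Not real data.
SAMPLE_LOG = [
    (100, "tpp-A", "acct-1", "GET /accounts", 0),
    (130, "tpp-A", "acct-1", "GET /balances", 0),
    (160, "tpp-A", "acct-1", "POST /payments", 80),      # normal: read, then pay
    (400, "tpp-B", "acct-2", "POST /payments", 120),     # no prior read by tpp-B
    (500, "tpp-C", "acct-3", "GET /accounts", 0),
    (505, "tpp-C", "acct-3", "POST /payments", 9500),    # amount far above limit
    (600, "tpp-D", "acct-4", "GET /balances", 0),
    (601, "tpp-D", "acct-5", "GET /balances", 0),
    (602, "tpp-D", "acct-6", "GET /balances", 0),
    (603, "tpp-D", "acct-7", "GET /balances", 0),
    (604, "tpp-D", "acct-8", "GET /balances", 0),
    (605, "tpp-D", "acct-9", "GET /balances", 0),        # 6 calls in 5 s: burst
]

READ_ENDPOINTS = ("GET /accounts", "GET /balances")
PAYMENT_ENDPOINT = "POST /payments"


def analyze(log, context_window=300, burst_window=60, burst_limit=5, amount_limit=5000):
    """Stream the log in time order and return (time, tpp, reason) alerts."""
    alerts = []
    last_read = {}               # (tpp, account) -> time of last account/balance read
    recent = defaultdict(deque)  # tpp -> timestamps of calls within burst_window
    for t, tpp, acct, endpoint, amount in sorted(log):
        # Rule 1: abnormal request rate from one provider. Fires once, when
        # the number of calls inside the sliding window first exceeds the limit.
        q = recent[tpp]
        q.append(t)
        while q and t - q[0] > burst_window:
            q.popleft()
        if len(q) == burst_limit + 1:
            alerts.append((t, tpp, "burst"))
        if endpoint in READ_ENDPOINTS:
            last_read[(tpp, acct)] = t
        elif endpoint == PAYMENT_ENDPOINT:
            # Rule 2: atypical sequence, a payment with no recent read of that
            # account by the same TPP (no account context was fetched first).
            seen = last_read.get((tpp, acct))
            if seen is None or t - seen > context_window:
                alerts.append((t, tpp, "payment_without_context"))
            # Rule 3: suspicious transaction by amount.
            if amount > amount_limit:
                alerts.append((t, tpp, "high_amount"))
    return alerts
```

Real deployments would replace the static thresholds with per-TPP baselines learned from history, but the streaming structure (state keyed by provider and account, evaluated on each call) is the same.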
Request independent security audit reports from third-party providers
- The European Commission has anticipated security risks under PSD2 and therefore requires PSPs and third-party providers to manage the operational and security risks relating to the financial services they provide.
- Banks should request that third-party providers supply independent security testing reports in order to verify the maturity of their security practices.
Choose the right authentication models
- Authentication should combine at least two of three factors: something the customers know (e.g., a password), something they have (a phone app or ID token), and something they are, in terms of biometrics.
- Using a model that places the authentication process with the bank itself instead of with third-party providers will be beneficial for banks.
Protect the communication channel with third-party providers
- Banks must protect data exchange with their third-party providers, for example through mutual authentication between a bank and a TPP using SSL/TLS, and by separating the channels on which financial transaction and authentication information is transmitted.
In the event that any financial company or third-party provider suffers a data breach due to an Open Banking approach, the entire initiative could take three steps backward in terms of trust and consumer adoption.