An open door to fraudsters
A massive shake-up will force banks to share YOUR financial details with ‘third parties’ But fears are growing that ‘open banking’ really means...
ANEW era of banking will be ushered in from January next year – and security experts say it could put people at greater risk of scams and identity theft. Under new ‘open banking’ rules, Britain’s biggest banks will be forced to share customer data with companies that demand it.
Providers of other ‘ payment accounts’, such as credit cards and some savings accounts, will have to do the same under separate European Union legislation.
This is part of the Second Payment Services Directive, PSD2.
Some banks have already sent letters to customers warning that ‘third parties’ can access their personal data from January, and that account terms and conditions are being changed to reflect this.
Third parties could include price comparison websites, start- ups specialising in financial technology or rival banks.
Data can only be shared with a customer’s explicit consent, which they might give if slick new online companies offer to help them budget and save more effectively. They can be reassured as the data will only be shared with third parties governed by regulator the Financial Conduct Authority.
But as the walls around banking are torn down, customers will need to put their guard up.
Security experts say cyber-criminals will seek fresh opportunities under open banking.
Hackers will turn their attention to smaller firms managing sensitive information and which have less robust security than banks. And new internet scams will surface at a time when data loss, theft and misuse is rife.
Stuart Poole- Robb, chief executive of internet security company KCS Group and a former MI6 intelligence officer, says: ‘Because open banking means more data shared, this problem is going to get worse.
‘It creates more points of failure. Either the bank is hacked and your data is compromised– or you approve it being passed to a new start-up, which is hacked and your data is compromised.’
Companies will be held accountable if data is lost or misused and banks have to pay refunds if customers dispute a payment. The technology behind open banking – Application Programming Interfaces (APIs) – is considered secure and makes data sharing possible. But no business is immune to hacking or scams. Poole-Robb says: ‘ Banks and financial technology firms cannot protect you against something they do not know about. ‘It is all very well having firewalls and encryption against known threats, but all organisations are susceptible to social engineering and unwittingly giving attackers footholds.’ If scammers use stolen data to dupe victims into handing over further sensitive information, those people are unlikely to get their money back. Individuals are also responsible for checking a website or app is legitimate. If it is a scam website, they lose protection from regulators. If it is genuine, customers have right to redress.
Customers also retain control over what information is shared, if any. Some might only agree to a third party accessing data as a oneoff. Whatever they decide, banks will have to double- check with customers first.
Providers have strong incentives to look after data, beyond protecting their brand reputation, as data protection laws become stricter from May next year.
They could be forced to pay penalties of up to €20 million (£18 million) – or 4 per cent of turnover for any sloppy practices that breach rules.
Online payments will also be subject to more rigorous checks under EU law, but these guidelines will not appear until later next year.
SCAMS TO WATCH OUT FOR PHISHING
Consumers will need to be vigilant about a new wave of ‘ phishing’ fraud. This is where cyber-crooks use confidence tricks to reel in people’s account passwords.
For example, they might imitate a high street bank in an email and suggest there are security concerns with a customer’s account.
Victims are persuaded to click on a link and verify their identity by entering account log-in details.
Criminals can use those details to access a person’s account and drain it of funds.
Banks will not refund customers who are thought to have been careless with passwords.
Nor will they help if a victim has been tricked into authorising a payment to a fraudster believing it to be the account of a genuine person or business.
New figures show this type of scam has cost more than 19,000 people £100 million in the first six months of 2017 alone. Tony Neate, of Get Safe Online, a website offering advice and support to consumers, says: ‘Security has been looked at seriously with regard to open banking but it is always a concern.
‘This is something we are going to have to look out for because there are new opportunities for criminals to apply old tricks.
‘Never give away your user name and password.’
IDENTITY THEFT
Hackers stealing data could also sell it to fraudsters, who use it to steal a customer’s identity.
Only a few details – such as name, address and date of birth – need to fall into the wrong hands to create a ripple effect of problems.
Fraudsters use the information to take out loans and credit cards in that person’s name.
Victims then see unusual transactions on their accounts, receive bills for goods they did not buy and are refused financial deals such as credit cards and loans despite previously having a good credit rating.
Clearing up a trail of problems caused by identity theft is not an easy task and can cause administrative headaches for years.
KNOW THE SIGNS OF FRAUD
A CAMPAIGN called ‘Take Five’ encourages the public to be vigilant about scams. It is run by Financial Fraud Action UK – which represents banks and financial companies.
Criminals play on fear and create
a s ense of urgency in t hei r stories to make victims act without thinking.
Typically, they claim customers’ money is at risk and advise quick action is needed to safeguard funds.
The campaign reminds people to always take a step back and think about what is being asked of them. Actions such as clicking on a link, requests to move money to a ‘safe account’ and demands for personal information should all sound alarm bells.
Find out more at takefive-stopfraud.org.uk. You can also learn more about a wide range of scams at getsafeonline.org and actionfraud.police.uk.
WHAT IS HAPPENING?
OPEN banking and the Second Payment Services Directive are the twin laws bringing change.
Banks and building societies will have to share data with third parties–if customers give permission.
Consumers might choose to share their current account history if it means saving money or budgeting more effectively. The nine largest current account providers ordered to take part in open banking are: Allied Irish Bank Group, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide Building Society, RB Sand Santander.
Comparison websites like MoneySuperMarket and GoCompare are likely to be the ones asking for access to data, as well as small start-ups specialising in financial technology.
For example Yolt, owned by ING Bank, is a money management app giving customers a view of all their accounts and credit cards in one place. It has just added digital challenger Starling Bank – a mobile-only current account provider – to its list of partners.
HSBC and its subsidiary online bank First Direct are already testing out new apps that give customers a broad view of all accounts – even from rivals.
WHAT WILL IT LOOK LIKE?
CUSTOMERS can see multiple accounts in one place using just one phone app.
Within that same app customers might be able to compare deals across the whole of the market based on their personal history of income and spending.
Customers could t hen switch products and transfer money while borrowers should quickly f i nd providers prepared to lend to them.
Imran Gulamhuseinwala, of the Open Banking I mplementation Entity, in charge of delivering the initiative, says: ‘Open Banking has potential to change retail banking forever. We will for the first time put customers in control of their data, privacy and finances.’
Debit and credit cards could also be made redundant in online shopping as part of law changes which let shoppers pay a retailer directly from their bank account.
Tech savvy customers are likely to be winners from the reforms – while the digitally shy face having to adapt or risk being left behind. Losers might also be those excluded from the best deals if the technology assesses them to be an unprofitable bet.
WHY IS REFORM NECESSARY?
DRASTIC action is needed to challenge the complacency of banks.
That was the conclusion of a report published last year by regulator the Competition and Markets Authority.
Few current accounts are switched – less than 2 per cent a year. Such apathy means many customers get a poor deal.
Overdraft users could benefit most from easier switching – saving £180 a year each i f nudged towards cheaper accounts.