Open Banking & PSD2 risks

What do I think about the Open Banking initiative?

In 2015 the European Commission adopted the revisions to the Payment Services Directive. The revisions had to take into account new types of payment services, including the Regulation on interchange fees for card-based payment transactions (the Interchange Fee Regulation).

The main PSD2 objectives are:

  • Make the European payments market more efficient and integrated;
  • Improve the overall level of services provided;
  • Stimulate innovation;
  • Improve competition;
  • Make payments more secure;
  • Protect the customers.

A year later, the CMA (the Competition and Markets Authority, a government department in the UK) issued a resolution that required the nine biggest UK banks to allow licensed startups to access users’ data directly, down to the level of individual transactions. The Open Banking API basically unifies the financial data (transactions, payments, information about accounts, etc.).

There is no question that FinTech projects need such data. It’s hard to imagine a RoboAdvisor that makes the user manually input their personal data, including information about all their portfolios and accounts. Recently, a few banking data aggregators have even appeared (e.g., Quovo) that provide access to this data via a unified API.

Even more recently, brand-new startups have appeared that provide the same services in Europe. At last year’s WebSummit in Portugal, I got to know a few UK- and Switzerland-oriented projects.

Open Banking and related products open a brave new world for new businesses. And the idea that one’s financial data should belong to the person, not the companies, is very inspiring: everyone should have the right to handle it themselves.

Still, the initiative does have drawbacks and can lead to the most drastic consequences.

I think security is one of the most significant dangers of open data. What do I consider to be the biggest challenges?

1. No one cares about safety until it’s too late

Let’s face it: we don’t care about safety. We don’t set complicated passwords, don’t encrypt our disks, and entrust shady cloud services with sensitive data. We type in passwords without caring whether anyone sees them.

At two conferences (one for software developers, another for FinTech representatives) I had lots of opportunities to record the process of people typing in passwords for laptops, mailboxes, different services, etc.

If users do not care much about securing even the basics, I highly doubt they will make the effort to protect more sensitive data.

As a result, users will most probably lose their financial data once they get access to it.

My keynote from Symfony London 2017 about security

2. Level of safety in startups leaves much to be desired

Typical startup office (source)

Many startups hardly pay any attention to safety. I mean, startup employees are no more cautious here than average users. In contrast to banks that have been guarding their clientele for ages (centuries even), startups have no such culture.

Safety policies often become a mere formality or are even unheard of. Startups solve problems as they occur, and this just does not work in the case of financial data. Startup projects also often employ newcomers or people with little experience, who still get access to sensitive user data. As a result, these employees become the primary vulnerability of the project.

Conference speeches and landing pages often shout about the extreme safety of yet another startup. Judging from my experience, this is unfortunately hardly ever the truth.

All this results in the safety level in startups being much lower than the safety level in big companies and financial institutions. As startups are not used to thinking of safety as an essential constituent of a FinTech business, entrusting a startup with your data most probably means losing it.

3. Users won’t control their data

One of the initial ideas was to let the user handle their data. But how can this be implemented?

Everyone remembers the recent Instagram scandal, when the company wanted to claim the copyright to user-uploaded pictures. In fact, most of us don’t read user agreements and voluntarily provide companies with a lot of data without even suspecting it.

So what, you may ask. What’s wrong with someone knowing my data?

“Phrack” magazine about social engineering

Such information provides endless opportunities for social engineering. With a link to your Facebook page, knowledge of your worldview, and access to your financial data obtained via PSD2, anyone can make you a proposal you won’t be able to say no to. At best, it will be an attempt to sell you something. At worst, an attempt to rob you.

As a result, despite the noble idea of the user controlling their data, the actual picture is dark and full of terrors, and the number of social-engineering-based frauds and bankruptcies may grow exponentially.

A presentation by Accenture about PSD2 risks

I am not trying to say that Open Banking or PSD2 are inherently bad. On the contrary, they are quite timely.

What they lack is a sufficient amount of safety consideration. The approach should focus on helping users uphold their right to confidentiality, not on assisting them in losing their data.

We need bigger solutions and higher standards. Off the top of my head: encryption of all transferred data with a key that only the user can access, and forbidding any companies from storing this data publicly (similar to the PayPal/Stripe requirement not to store credit card details on the service side).

We need something besides PSD2 that will protect the user from both transnational banks (you have no chance of suing them successfully) and new startups (they have no money worth suing for).

Evgeny Smirnov: personal website © 2019 — 2022.