Interview with Bronwyn Boyle, Head of Security & Counter-Fraud at Open Banking Implementation Entity (OBIE)

Following a market investigation into retail banking by the Competitions and Markets Authority (CMA) in 2016, it was discovered that there was not nearly enough healthy competition in this sector. One of the remedies designed to ‘make banks work harder for their customers’, was the creation of the Open Banking Implementation Entity (OBIE), which was given the mandate of establishing the software standards and industry guidelines for open banking in the UK.

It wasn’t until 2019, however, that European legislation (specifically the Payment Services Directive 2) made open banking a regulatory requirement, whereby a customer could consent for their current account information to be securely shared with FCA-regulated third party providers (TPPs). The ability to have greater control over their financial information is not only potentially better for consumers and small to medium businesses but supports the emerging market of new third party products and services. To put it mildly, open banking is a game changer for the banking industry, and it has blown the opaque traditions and monopolisation of the big high street banks wide open.

We talked to Bronwyn Boyle, Head of Security & Counter-Fraud at OBIE, to find out how the paradigm shift that is open banking is being received and taken up just two years on, and why they have partnered up with IASME to create the innovative new Counter Fraud Fundamentals certification scheme aimed at the financial services world.

Two years on from launching open banking, can you tell us a little bit about that journey and where you are now?
Our job was to set up a robust framework for open banking that all parties understand and accept – that has not been a simple task given the range of interested parties involved and there is still some work to do before adoption is widespread and our mandate is complete.
We have developed an Open Banking Standard and a Roadmap approved by the CMA, which ensure innovation and collaboration in the sector and which are internationally recognised. This framework allows all parties, from start-up app developers to long-established high street banks, the same opportunity to create innovative products for their customers.

You have recently celebrated reaching the target of over 2 million users. This means that 2 million individuals and small businesses now access their financial data via open banking enabled applications. What is the messaging needed to reach out to bring on board the next million users?
We are actually closer to 3 million now! We recently announced that we have reached over 2.5million. So, as you can see – things are moving quite quickly. According to our data, we are actually adding close to 1,000,000 new users every six months. This rapid growth demonstrates that if you give people the tools to safely and securely look after their data, or take control of their data, then that’s what they’re going to do.

Open banking is the very definition of an “under the bonnet” technology, so there is no reason that customers should be aware of it to use it, even if it transforms the way they manage their finances. However, more must be done to educate businesses formally about the benefits that open banking can provide for SMEs and the robust measures that have been put in place to guarantee data privacy. We’re always exploring new methods and mechanisms for us to promote customer confidence and trust in open banking.
Fundamentally, in order to grow to the next million, we need fintechs to continue what they’re doing – creating, innovating and using open banking technology to provide great new products that enable their customers to interact with their financial data in new and safe ways.

There are currently 350 (and the list is growing) regulated providers that are enrolled with open banking. Can you give us some examples about what that group represents and spans?
There are scores of great products that are delivering for customers right now – many of them can be seen on the Open Banking App Store. If you are a business owner, there are products out there to help you with accountancy, debt management, lending, cash flow, e-commerce payments, financial management (such as invoicing or payslips), and even consent management and identity verification. For individual consumers like you and me, there are apps and products to help you with debt advice, investment, mortgages, lending, charitable giving, credit, price comparison and much more.

Open banking was created in direct response to the Competition and Markets Authority order to create more healthy competition in the retail banking sector. Is it true to suggest that the diversity and choice now offered to consumers brings with it some increased risk?
As with any technology, there are of course legitimate concerns. However, we have worked incredibly hard to minimise these. It’s important to note that open banking itself does not introduce new attack vectors – the risks are similar to existing concerns with online and mobile payment channels. That said, consumers should still remain vigilant and follow industry fraud awareness advice.
Security is at the heart of open banking and OBIE has worked together with the OpenID Foundation (OIDF) to define a security profile (the FAPI profile) which provides the best possible protection for these open APIs. Specifically, the OBIE standard is based on a key principle that customers using open banking services will never have to share their online or mobile banking credentials (e.g. username or password) with any third party
OBIE also regularly reviews and shares good practice with all open banking participants and has established working groups to support cross-ecosystem collaboration on security and fraud.
The main point is that products and services enabled via open banking are increasingly representing a new wave in financial services, designed to meet evolving customer needs. This is particularly relevant at the moment, when many customers are under increasing financial pressure owing to the COVID-19 crisis.

The recently launched counter fraud self-assessment tool and certification (created in partnership with IASME) will attempt to level the playing field, regarding assurance to customers, for every type of provider no matter their maturity or size. Can you tell me more about what the counter fraud fundamentals cover/include?
This new certification tool is a key step towards consumers and businesses feeling at ease with emerging technologies – such as open banking – which allow them to take charge of their finances in a safe and secure way. We are delighted to be partnering with IASME to bring this scheme to businesses across the financial services sector.
This tool allows SMEs and consumers to feel safe and secure and also drives education and implementation of the most important counter fraud controls that all companies in this sector should have in place.
The new certification scheme will help protect and prepare a wide range of organisations. It looks at key controls across the fraud risk lifecycle such as governance, prevention and detection, and aims to help provide customers and those within the supply chain with the assurance that certified companies have the most important counter fraud measures in place.

How was OBIE involved in developing the counter fraud self-assessment tool and certification? Is it your hope that the counter fraud certification will help clarify and solidify best practice standards?
We’re constantly looking for opportunities to help improve consumer trust in open banking, including options to improve management of customer consent, enhanced signposting for customer complaints and redress, and improved security and fraud good practice guidance for third party providers.
So, we initiated the proposal to work closely in partnership with IASME to develop and deliver the scheme. We helped IASME convene and consult with experts in the industry and with the intended end user organisations to shape and help ensure that the certification assessment questions covered the necessary fraud risk controls.
As OBIE is on the forefront of implementing new technologies within the payments and wider financial industry, it was a natural fit for us to work closely with IASME to ensure that every base to protect the consumer is covered.
We are very much of the opinion that innovation and regulation should work hand in hand and are constantly looking for opportunities to help improve consumer trust in open banking and regulated technologies- this is an excellent step in the right direction.

Regarding the self-assessment tool and counter fraud certification, is there a future beyond open banking and do you see the certification or tool being able to reach new sectors?
Speaking primarily from a UK perspective, I think there’s a great opportunity to use the lessons learnt from establishing the open banking framework as part of our transition to open finance.
This certification tool is certainly one of those building blocks that we should look to incorporating in other sectors as we transition to open finance. While the scheme is currently aimed at those within the financial services sector such as banks and innovative third-party payment service providers, it could expand further in the future to enable other relevant sectors to take part and benefit from. This is something we are keen to explore with stakeholders from these sectors.