In our earlier articles, we provided an update from The Berlin Group announcing that they will be commencing work on a full Open Finance API Framework. As Open Finance is the next step in the Open Banking journey, we look at how this acceleration could reshape the financial services ecosystem, revolutionizing the way financial service providers operate and the significant benefits of big and wide data.
Customer Data Unbounded
Personal finances do not begin and end with a customer’s bank account(s) where there is only a one-dimensional view of finances. However, banks hold a record of what the customer spends, saves, and borrows. This ranges from the average spend on luxuries, fuel, savings, memberships, utilities, where they travel, what stores are frequented, times of expenditure, geographical data, and the ability to see what times the customer is more active towards online spending, as well as periods of non-financial activity.
Open financial data, brought about by a mix of government law and market regulations, allows a growing range of financial and non-financial actors such as financial markets, online marketplaces, lending companies, and of course, banks. All of these sectors have a requirement to access client accounts and data (with explicit customer consent) in order to provide new goods and services.
Suddenly, what we now have should be considered as two-dimensional.
Data is Critical to Understanding your Customers more than ever before
Each financial transaction carried out by the customer generates rich and current data which was once limited to the customer’s bank.
Data access is fundamental to Open Finance. This encompasses data sources as well as how data is collected, disseminated, and formatted. Data must be accurate in order to produce applications that provide helpful services, educated suggestions, and insights that users will trust.
With these new Open Finance data sources, rich and up-to-date data can be sourced. And in turn, businesses need to ensure that they have the right aggregation and analytical tools in place that are capable of connecting contrasting datasets with customer-mapped data aggregation. This process then amounts to being able to provide financial products and services that are automated, scaled and verified.
Brokers, investment advisers, lenders and insurance businesses will all profit from Open Finance’s cost benefits as well as the flexibility to engage in the ecosystem while competing with start-ups. Insurance companies are likely to benefit the most because suddenly, they have more access to data and will be able to make enhanced and well-informed underwriting decisions.
Confidentiality of Data, privacy of Data Subjects & Big Data Security
Data in transit, or data in motion, is data moving from one location to another such as across the internet or through a private network. Compromises to confidentiality can be detrimental. Confidentiality covers the protection of data at rest, transit, and use. The challenges with protecting data in use are exacerbated by big data because, unlike conventional data:
- Big data processing strongly depends on shared computing environments at various locations
- Big data is continuously processed (not only when the machine and program are switched on)
- Big data has more longevity - constantly evolving and resurrected.
Data sharing in any capacity should be given top priority, with each dataset’s value given an appropriate level of protection, as well as the requirement for customers to understand how and why certain data is used.
The ‘three states of data’ as explained above require a data protection solution that must offer data encryption, data access control, key management and certificate management.
Vast amounts of digital data. Data collected from a multitude of sources - big & wide - raw, unstructured and abundant with business intelligence.
With big data comes various obstacles - complexity and risks to privacy. ‘Big data security’ is critical, which means guarding data and analytics processes from risks and threats that might jeopardize security.
Utimaco’s SecurityServer provides secure authentication, data integrity and encryption for protecting sensitive and security-critical assets.
Open Data - Trust & Control
So, why should financial institutions build APIs and partner with fintechs to share their customer’s data? Modern connectivity is the answer. An Application Programming Interface (API) access needs to be built with the highest security standards that in turn, allow the customer to access and share their data in a safe and secure way. This provides the customer with enhanced levels of convenience, flexibility and choice in available products and services whereas, when Open Banking was first introduced, the customer showed a hesitance in sharing data. However, now, due to the convenience and cost-savings that they have experienced over the past few years, they found this proposition appealing and their willingness to share data has become more common.
Enabling data sharing and third-party access in the financial sector is critical to ensuring that all financial market participants have access to competitive and lucrative financial services and products that are tailored to their specific requirements and capabilities. As a result, governments have a role to play in building regulatory environments and governance structures that drive innovation, protect privacy and mitigate fraud.
The Directive on open data and the re-use of public sector information provides common rules for a European market for government-held data.
The Directive on open data and the re-use of public sector information, also known as the Open Data Directive, entered into force on 16 July 2019, replacing the Public Sector Information (PSI) Directive.
The Open Data Directive stipulates minimum requirements for EU member states regarding making public sector information available for re-use. This includes the publishing of dynamic data and the uptake of Application Programme Interfaces (APIs).
This changes the very concept of the global financial ecosystem and delivers what we could now say is now very much three dimensional.
Key Characteristics of an OpenFinance API Framework
The Berlin Group has provided Key Characteristics of an Open API framework. In summary:
- Modern “RESTful” API set using HTTP/1.1 with TLS 1.2 (or higher) as transport protocol
- TPP identification by ETSI-defined eIDAS certificates: QWACS mandated (easy measure to protect e.g. against DDOS attacks), QSEALS optional for banks TPP follows instruction by bank (i.e, certificates do not have to be PSD2 compliant eIDAS certificates)
- Building on all NextGenPSD2 AIS, PIS and CoF use cases
- Third Party Provider access beyond PSD2
- GDPR compliant consent model beyond PSD2
- Support of Direct Access for PSUs / Corporates
- eCommerce support
- Discovery service to obtain the specific implementation details
- Multilevel SCA/Corporate Banking support
In order to comply with the Key Characteristics of an OpenFinance API Framework, the following requirements need to be met:
Qualified Electronic Seal
A Qualified Electronic Seal (eIDAS Article 3 (27) & Section 5 (38)) (QESeal) is an advanced electronic seal which provides additional level of assurance on the identity of the creator of the seal (the legal person) and an enhanced protection and level of assurance on the seal creation;
Is based on a qualified certificate for electronic signatures
A qualified signature / seal creation device (QSigCD or QSealCD) - for example in the form of a certified hardware security module (HSM) - is required for the creation of QESeals
A compiled list of QSCDs by the European Commission can be found here
Qualified certificates for electronic signatures are provided by (public and private) providers which have been granted a qualified status by a national competent authority as indicated in the national 'trusted lists' of the EU Member State. Those lists can be accessed through the Trusted List Browser.
Qualified Website Authentication Certificate (QWAC)
A Qualified Website Authentication Certificate (QWAC) is a type of SSL/TLS Digital Certificate under the trust services defined in the eIDAS Regulation and is used to identify organizations that are in compliance with eIDAS guidelines for encrypting communications.
Qualified Signature Creation Devices (QSCD)
The qualified trust service for the management of electronic signature and seal creation devices provides significant security, uniformity, legal certainty and consumer choice benefits both linked to the certification of the qualified signature creation devices and in relation to the requirements to be met by the qualified trust service providers managing such devices. A qualified signature creation device hardware security module (HSM) is required for the creation of QESeals.
Development towards Open Finance standards is now taking place across the finance sector. This represents an important step in bringing Open Finance standards for the sharing of savings, investment and pensions data in line with Open Banking PSD2, especially with it comes to security and transparency of data and user experience.
The intensity of regulatory requirements means that each player across the Open Finance ecosystem who actively shares data, must take extra precautions when processing confidential and personal data, and even more so when processing big data.
To provide the best security and protection of eIDAS certificates and private keys, Utimaco provides Qualified Signature/ Seal Creation Device HSMs for the purpose of protecting a certificate issuing infrastructure within an Open Finance environment.
Berlin Group Open Finance (General Introduction Brochure)
The Berlin Group is a pan-European payments interoperability standards and harmonization initiative, consisting of almost 40 banks and financial service institutions from across the EU, with the primary object of defining open and common scheme- and processor-independent standards in the interbanking domain between Creditor Bank (Acquirer) and Debtor Bank (Issuer), complementing the work carried out by e.g. the European Payments Council. As such, the Berlin Group has been established as a pure technical standardization body, focusing on detailed technical and organizational requirements to achieve this primary objective.