Open banking was unveiled to increase competition in financial services and enable third-party providers to offer valuable new services to consumers and business customers alike. But access to the opportunities open banking can offer hinges exclusively on customers consenting to share personal information with a wider number of companies. This fundamentally alters the relationship between account providers and their customers, and introduces new service providers, providing criminals with new opportunities.
As ever, fraudsters are fast, inventive and quick to exploit any new opportunities. In this instance, the criminals’ intent is to subvert the systems to get control of bank accounts, siphon off funds, or redirect payments. Open banking initiatives generally have good provisions for establishing trust and securing connections between the account provider and the service provider. As a result, criminals are obliged to focus on other components.
Here are five approaches criminals may opt to take:
- Masquerade as a service provider
Criminals may set up a website pretending to be a service provider, either a fictitious one or a cloned impersonation of a genuine site. Tasty incentives such as cash-back, rewards or discounts could be used to tempt customers to the services they pretend to offer. But when the consumer provides personal data and authorization credentials, the bogus service provider captures the information and uses it to commit an account takeover.
- Use a service provider to facilitate money laundering
Money mule networks gain faster traction in countries offering instant payments, as these help move and layer funds far faster than law enforcement can track. Tactics to evade detection often include sending money through previously used payees. In many cases these account holders are directed by a so-called “mule herder”. By using open banking, the mule herder can take more direct control by linking accounts through service providers. Any authentication challenges can either be redirected to, or sent directly to, the mule herder to facilitate transactions. In more sophisticated crimes, the mule herder may even simply be an automated piece of software.
- Set up a money laundering service provider
Most service providers are required to complete due diligence in the shape of anti-money laundering (AML) checks. But criminals can set up a seemingly valid service provider that carries out fake regulatory and/or authorisation checks. In this way, money laundering checks can be avoided for those accounts that are under the control of a criminal organisation.
- Set up a data extraction service
Most frauds rely on the capture of customer information. By creating a bogus service provider, which analyses account data and provides results to customers, criminals can extract personal and financial information for use in other criminal operations.
- Attack service providers instead of account providers
Customers’ financial data could be held outside the account provider and be in the hands of a service provider. In many instances, service providers will have fewer resources to protect and maintain the security of their systems, making them a more attractive target than the actual account providers.
Open Banking Makes Behavioral Profiling More Important
All these cases require a fair amount of time and effort to set up. But they also highlight the steps fraudsters are prepared to take. Account providers must still take primary responsibility for fraud prevention and anti-money laundering, but they’re also obliged to be ever-more vigilant to suspicious activity taking place on their customer accounts.
Open banking complicates matters as it blurs the relationship between the account provider and their customers, as new service providers now own more of the customer-facing interactions. Information made available to account providers to help make informed fraud prevention and AML decisions is often altered, with open banking transactions often containing information that may not have been previously seen within the payments ecosystem.
Account providers cannot respond by increasing security for those customers who use third-party providers. Clearly, it would also be anti-competitive to impose extra impediments on customers serviced in this way, as the additional checks aren’t applied to consumers continuing to access their accounts directly. It means techniques like behavioral profiling become far more important in fighting fraud that results from account providers sharing financial data with third parties.
As open banking initiatives gain momentum, account providers must ensure their fraud platforms are fully fit for purpose. These platforms must give providers the flexibility to build and deploy AI and machine learning analytics that rapidly adapt to changes in behavior by legitimate customers, while spotting and blocking criminals.
To find out more about the impacts of open banking on fraud and financial crime, read “Open Banking: Will it Increase Fraud and Financial Crime?”