Security And Market Adoption Of Open Banking

by Garri Galanter


There have been lots of discussions recently surrounding open banking. It’s bringing innovation to the financial world by opening up access to bank accounts.

Yet, the technology is still in its infancy, and, being the CEO of an open banking company, I’ve found there are myths related to open banking’s security that affect market acceptance. I want to address these two topics—myths and market acceptance—to provide a better understanding of their correlation.

To do so, we’ll start by analyzing the revised Payment Services Directive, known as “PSD2,” in Europe, the birthplace of open banking.

Understanding PSD2

One of the primary missions of PSD2 is to increase competitiveness in financial services. It does this by opening the door to new financial technology players, such as account information service providers and payment initiation service providers, known together as third-party payment providers, while also enhancing customers’ security against fraud. PSD2 approached the security matter through two elements: the customer authentication process and the channel of communication, meaning the exchange of information between the third-party provider and the bank.

1. The Customer Authentication Process

With regard to the first element that ensures security, the European Banking Authority drafted regulatory technical standards for strong customer authentication in 2016. As specified by PSD2, strong authentication must rely on at least two key elements that are independent of one another. This is to ensure the disclosure or theft of one authentication element does not affect the overall security.

Based on the EBA’s response to a call for advice on the PSD2 review in 2022, the EBA was of the view that the security requirements introduced in PSD2, particularly strong customer authentication, “are having the desired effect of reducing fraud.” The EBA also stated that it did not identify a “need to bring into the scope of application of SCA additional types of transactions,” though it did recommend certain clarifications on how SCA is applied. Hence, I believe it is safe to say the EBA didn’t see any noticeable risks with the current SCA mechanism, and thus SCA remains largely unchanged under PSD3.

2. The Channel Of Communication

As for the second element of security mitigation, the communication channel between third-party providers and banks, PSD2 paved the way for regulated application programming interfaces. The interface must allow third-party providers to identify themselves to banks when requesting access to accounts. This establishes requirements and responsibilities that prevent third-party providers from using expired certificates, or no certificate at all, when fetching data or transmitting a payment order.

Banks need to integrate efficient verifiers to prevent access by unauthorized third-party providers. The idea is that if financial institutions and the new third-party service providers implement the technology following the requirements enforced by open banking directives, then there is no space for security breaches.
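The bank-side verifier described above, as an added example that is not code from the original article or from Salt Edge: it rejects a third-party provider request when no certificate is presented, when the certificate has expired, or when it was not issued by a trusted authority. Go's standard-library X.509 verification stands in for a bank's certificate check; the `Issue` helper, the CA and TPP names, and the dates are constructed test fixtures, not real PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// ErrNoCert is returned when a TPP calls the API without presenting a certificate.
var ErrNoCert = errors.New("tpp: no client certificate presented")
// VerifyTPP is the bank-side verifier: the TPP certificate must be present, chain to
// a trusted issuer in roots, and be within its validity period at time now
// (x509.Verify rejects expired and not-yet-valid certificates).
func VerifyTPP(cert *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	if cert == nil {
		return ErrNoCert
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
// Issue is a constructed test fixture: with parent == nil it mints a self-signed CA
// for cn, otherwise a TPP client certificate signed by parent/parentKey, valid over
// [from, to]. Keys are throwaway P-256 keys generated at run time, not a real PKI.
func Issue(cn string, from, to time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to, BasicConstraintsValid: true}
	signer := key
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tmpl
	} else { // leaf certificate for a TPP
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
```

Revocation checking is deliberately out of scope here; a production verifier would also consult the issuer's revocation data before trusting a certificate that passes these checks.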

Addressing Fraud

With security covered on a technical level, let’s now address potential fraud. Indeed, due to the large volume of “accessible” data, fraudsters might be tempted to act via fraudulent apps and steal data. Yet, certain types of fraud don’t depend on the payment method but on the inattentiveness of the consumer. An example is authorized push payment fraud, which mixes social engineering and trust from victims.

Here, we must ask ourselves: Is this an issue within open banking technology, or is it a matter of improper use? Due to a revolutionary change in data ownership, final users are placed in the driver’s seat, granting them the control and authority to decide who can access their data. And here comes the need to inform and educate people both about the tools they gain via open banking and how to properly use them. As open banking usage is often correlated with security concerns, it’s not a coincidence we’ve discussed them first.

Encouraging Adoption

Next, let’s talk about open banking adoption. Open Banking Limited’s Open Banking Impact Report (download required) from March 2023 on UK usage shows that small businesses have adopted open banking at a rate of 16%, compared to consumers who adopted it at about 10%. Also, in 2022, there were 68 million open banking payments. Certainly, the number feels pretty high, but compared to the total number of debit and credit card payments (23 billion and 4.1 billion) made in the UK for the same period, open banking payments represented only around 0.25%.

The industry trend I’ve observed is that open banking is currently pushed and promoted primarily by third-party providers and businesses seeking to leverage the technology for new use cases or improvements on existing ones. However, to encourage open banking adoption, all other players in the equation need to step up as well.

For example, I believe governments and national authorities will need to enforce regulatory requirements. The Financial Data Access framework is a legislative proposal for governing access to financial data. Banks must be financially motivated as well because conformity just for its sake is not a win-win scenario. Also, merchants might consider offering discounts or loyalty programs to motivate their buyers to pay via open banking.

But, more importantly, end users need to be informed about open banking and best practices for data-sharing. Company leaders in the open banking space should use clear language and deliver educational content through various channels, such as blogs, videos, podcasts, webinars, infographics and FAQs, while considering the diverse needs of different customers.

Building trust in open banking is an essential step toward achieving widespread adoption as well. Companies can share real-life examples, such as case studies and testimonials. These are powerful ways to showcase the benefits of open banking and build trust with customers. Companies can track website traffic, content views and feedback, as well as gather qualitative customer data, to consistently improve their efforts.

An educated user base is crucial for maintaining a secure environment. I believe that the combination of open banking technology built according to strict requirements, a clear vision of how all the involved parties can benefit from open banking and efforts to inform the market will aid the adoption of open banking.

Article by Salt Edge
