3 Ways Banks Secure their Open Banking APIs with Gluu

Open Banking initiatives enable third parties to process financial transactions for consumers, creating new competitive offerings. Open banking is not only a cost to banks but a new revenue opportunity to launch fintech services. But open banking also presents new security challenges.  Banking regulators have introduced strict standards to ensure data is protected and that consumers have a way to manage transactions and opt-in to these new services. 

The Payment Services Directive (PSD2) in the E.U. outlines the technical and security requirements. PSD2 primarily focused on the technical characteristics of the interfaces between AISPs and PISPs and stresses certain security features to reduce fraud. This model has been copied and modified slightly for other regions in LATAM, MENA, and AsiaPac. 

The Gluu Open Banking platform provides AISPs with the application security infrastructure to meet these new technologies and security requirements.  While Gluu’s platform is not the only solution out there, Gluu’s cloud-native architecture enables banks to scale up and down capacity based on demand, resulting in both performance and cost advantages.  Gluu is also the only platform that provides both commercial and open-source binaries, enabling a range of banks and service providers to collaborate in a mutually beneficial ecosystem.

In addition to payments, open banking has also fostered a new opportunity for banks to offer consolidated account management. For example, let’s say you want to use a mobile application from the Bank of Scotland to view your account balance from NatWest. To accomplish this, the mobile application from the Bank of Scotland needed permission to access your bank balance through a consent flow at NatWest. 

The open banking initiatives in each country are driven by consumer demand for more choices and by governments’ desire to make their financial system more efficient. In turn, this provides an opportunity for startup fintech companies to work among competing banks to offer competitive lending and payment options expanding the number of services for underserved or underbanked populations.

1. Gluu enables Banks to conform with Open Banking security profiles.

Gluu’s Open Banking distribution contains just the pieces you need, will upgrade in place leveraging a cloud-native deployment and will simplify the API authentication while offering community and enterprise support to developers creating the next financial technology.  Having access to a vast developer community who can provide feedback and insights into leveraging the features, design, and the user interface is a tremendous advantage. 

The Gluu Server is certified to conform with the Financial Grade OpenID Provider profile. Called “FAPI” for short, this profile provides detailed requirements for the security features needed to perform payments. And Gluu is the only OpenID Connect Provider to be current in all OpenID Connect certifications.

2. Gluu enables banks to implement secure multi-factor authentication without passwords 

Remote banking introduces opportunities for fraud and the risk of a phishing-based man-in-the-middle attack. This has given rise to the passage of the Secure Customer Authentication (SCA) directive, mandating a second authentication factor during a payment transaction. The Payment Services Directive 2 imposed two-factor authentication when approving a transaction and further stipulated that depending on the size of the transaction or a risk threshold, banks should add a higher degree of assurance using OTP (one-time passcode) or biometric (fingerprint, touch, or facial recognition) to reduce the risk of fraud.

Gluu’s FIDO 2.0 ready authentication server allows registration of numerous compliant solutions both from physical and virtual services including biometric options that can be called into action as part of any transaction based on the risk score. Gluu’s CASA multi-factor management allows consumers to enroll and manage MFA devices and register these two-factor authenticators to their accounts. Gluu’s CASA portal ensures consumers have the choice for MFA. Banks can also rebrand Super Gluu if they wish to offer a custom MFA solution.

3. Gluu enables banks to reduce API latency 

Account information service providers (AISPs) and account servicing payment service providers (ASPSPs) need to ensure authentication and consent responses from banking APIs meet minimum response thresholds to remain competitive and provide a seamless service. Consumers are fickle and mobile banking apps must provide a simple method to approve payments for the consumer. Delays in the API transaction or the authentication can introduce security issues by allowing windows for session hijacking and man-in-the-middle attacks.

Gluu’s Open Banking profile is built to minimize latency even for complex consent flows from multiple parties. Gluu’s server has been load tested to process over 1 billion transactions a day, leveraging self-scaling cloud-native deployments and fast NoSQL / DBaaS technologies. Gluu’s authentication flows can be configured to disable authentication when abuse or a denial-of-service attack is detected.

Open Banking is both a security challenge and a business opportunity for any fintech or bank. While it presents opportunities for growth and revenue, these benefits take time in comparison to the upfront costs of modernization of technology and strict authentication standards.

By leveraging Gluu’s open banking distribution, fintech and banks can secure their application program interfaces (APIs) support with stronger MFA options for secure customer authentication (SCA) and be assured that their implementation is future-proof and robust enough to meet upcoming challenges as more players enter the market and open banking evolves.