The role of IAM in OpenBanking and where do we stand
Download as PPTX, PDF0 likes854 views
The document discusses the role of Identity and Access Management (IAM) in open banking, highlighting the need for security and compliance through PSD2 directives in the European financial market. It emphasizes the importance of strong customer authentication, consent management, and the impact on transaction costs and security for banks and consumers. Additionally, it outlines the current status of open banking initiatives in Sri Lanka and their alignment with global standards.
The role of IAM in OpenBanking and where do we stand
- 1. The Role of IAM in Open Banking & Where Do We Stand? Colombo IAM User Group - 2nd Meetup Pushpalanka Jayawardhana Financial Solutions Team - WSO2
- 2. “Banking is necessary; banks are not” - (Bill Gates, 1990)
- 3. International Financial Industry Concerns ➢Contribute to a more integrated and efficient European payments market ➢Improve the level playing field for PSPs (including new players) ➢Make payments safer and more secure ➢Online shopping without a credit card ➢Better protection against fraud ➢Help lower charges for consumers on card payments
- 4. Ref : https://www.pcisecuritystandards.org/pdfs/webinar_100519pci_pts_3.0.pdf Payment Card Industry Security Standards For protection of cardholder payment data,
- 5. Payment Services Directive 2 EU Directive that applies to all Banks operating in the EU that regulates payment services throughout the EU, with a compliance deadline of January 2018
- 6. Open Banking 1 : Possible central view Banks expose their customer payment and account data, with customer consent, to Third party Payment Providers (TPPs) via APIs. TPP PISP/AISP Bank A Bank B Bank C Merchant Now PSD2 Bank A Bank B Bank C Merchant
- 7. Open Banking 2 : No Involvement of Card Network 7 ➢ Less hops ➢ Lower fees for transactions ➢ Easy to track the path
- 8. Aggregated View of Accounts (AISP Flow)
- 9. Payment Flow (PISP) Credits to Dinosoft Labs from Noun Project Checkout Item Login Page 2 Factor Authentication Customer Consent Initiation payment info 1 2 3 4 PISP 302 5 Token 6 Payment Complete 7 Settlement
- 10. PSD2 Compliance Requirements ➢ API Specification ○ API Definitions ○ Secured API invocation ○ API Usage Monitoring ➢ Strong Customer Authentication ○ 2 Factor Authentication (SMSOTP, FIDO, Duo, MePin) ○ Adaptive Authentication ○ Consent Management ➢ Incident Reporting ○ Security Incident Reporting [Transactions affected,server downtime, Economic
- 11. Strong Customer Authentication Ref : https://cdn-images-1.medium.com/max/1200/1*cqJ3MUF-vOG9IVTLOOQQTQ.gif
- 12. Ref : Accenture Payment Services & Accenture Technology Advisory, PSD2 & Open Banking Security and Fraud Impacts on Banks Strong Customer Authentication Ctd..
- 13. Adaptive Authentication ➢ Authentication flow is defined by risk level ➢ PSD2 define several exemptions for SCA applications ○ Not to kill user experience for small transactions and bulk transactions ➢ Security level can be decided based on, ○ The amount of transaction ○ Time elapsed from previous SCA ○ Transaction patterns on user ○ Role of user - Cooperate or private
- 14. Consent Management ➢ Defined by PSD2 RTS on SCA and secure communication and GDPR ➢ Safeguard right of the user on personal data to, ○ be informed - Inform user of personal data collection ○ access - Validate information processing at any time ○ rectification - When user feels data is incomplete or accurate ○ restrict data processing - Just store, don’t process ○ data portability - Transfer data to another party ○ forgotten - Request removal of personal data ○ be notified on a data breach - Report to user within 72 hours
- 16. Technology Requirements “Draft Regulatory Technical Standards, explicitly mentions to be based on known standards” ● User authentication (with SSO) ○ SAML 2.0 ○ OpenID Connect ● Access delegation - OAuth 2.0 ● Fine grained authorization - XACML ● Multifactor authentication - SMSOTP, FIDO, DUO, MePin 16
- 17. Ref : https://www.abe-eba.eu/downloads/knowledge-and-research/EBA_May2016_eAPWG_Understanding_the_business_relevance_of_Open_APIs_and_Open_Banking_for_banks.pdf Other Standards ISO 27001 - for information security management systems ISO20022 - remove ambiguity in messages relevant to payments, securities, FX, Trade services & Cards
- 18. Inside Story - Open Banking
- 20. Open Banking: The opportunities Bank A Bank B Bank C Merchant Bank A Consolidated customer account and payment info across multiple Banks TPPTPP
- 21. App Development
- 22. Ref : Deutsche Bank Global Transaction Banking - Payment Services Directive 2 1. One-leg Out – in EEA currency: EEA currency sent from the EEA to a non-EEA country e.g. EUR payment from France to Sri Lanka 1. One-leg Out – in non-EEA currency: Non-EEA currency sent from the EEA to a non-EEA country e.g. LKR payment from UK to Sri Lanka 1. One-leg in – in EEA currency: EEA currency payment sent from a non-EEA country to an EEA country e.g. EUR payment from Sri Lanka to France 1. One-leg in – in non-EEA currency: Non-EEA currency sent from a non-EEA country to an EEA country e.g. LKR payment from Sri Lanka to UK PSD2 Impact on Us
- 23. Banking Industry in Sri Lanka ➢ Sri Lanka Interbank Payment System (SLIPS) ○ Same day electronic fund transfer ○ Established in 2010, being first in South Asia ➢ LankaPay Common Electronic Fund Transfer Switch (CEFTS) ○ For real-time payments ○ Initiated in 2015 ➢ JustPay - From LankaClear (pvt) Ltd ○ Applies 2FA ○ For real time retail payments under Rs. 10 000/= ○ Central Bank of Sri Lanka (CBSL) approved security standards ➢ Have already thought on AISP like applications ➢ Have the foundation of collaboration among banks in real time JustPay© - http://www.lankaclear.com/product_service/42-overview
- 24. Ref : Accenture Payment Services & Accenture Technology Advisory, PSD2 & Open Banking Security and Fraud Impacts on Banks
- 25. Monetization of applications will be made easy...
- 26. Q & A Twitter : @Pushpalanka LinkedIn : https://www.linkedin.com/in/pushpalanka/ WSO2 Open Banking : https://openbanking.wso2.com/
- 27. Thank You!
Editor's Notes
- #5: PTS DSS - PIN Transaction Security Data Security Standard
- #7: Open Banking is due to become a regulation in Australia (similar to the enforcement of PSD2 regulation in the EU). Therefore, Banks need to be able to securely expose sensitive data through APIs so that third party providers can build new applications that provide a much better user experience to multi-banked customers.
- #11: Incident Reporting Guidelines -set methodology for payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home Member State
- #12: Upto 80% of attacks are based on stolen user credentials… One proof from ancient stories Ali baba and 40 thieves.
- #13: Behavioral factors such as walking style, typing are also considered now as another factor
- #14: Incident Reporting Guidelines -set methodology for payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home Member State
- #15: Incident Reporting Guidelines -set methodology for payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home Member State
- #21: Exposing APIs can seem to commoditize banks by threatening to take away the sole ownership of customer data that banks so far enjoyed exculsively. However, Banks armed with the correct vision and the technology to achieve that can reap much more benefits from this open banking world. Survey conducted in UK by Accenture showed that consumers prefer Banks to be the ones to provide the 3rd party services as well. If and when Banks can take up that role, they become a rich repository of customer data across multiple banks. They can then use that repository to… Provide better services to their customers (eg:- cashflow management across banks) Provide ‘Insight Sales’ to other businesses. (-> attract new revenue streams)
- #24: Incident Reporting Guidelines -set methodology for payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home Member State
- #25: Core banking solution, Customer Integrated System, usually has • SWIFT terminals • ATM and POS solutions • MICR checks handler • Phone banking (IVR)