The National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce, on March 3 closed a public consultation on its Cybersecurity Considerations for Open Banking Technology and Emerging Standards report.
The internal report published by NIST explains what open banking is and highlights the importance of cybersecurity and privacy safeguards in the consumers financial data sharing ecosystem.
The authors intended to be objective, even including a disclaimer that the report does not intend to promote open banking or propose a specific application programming interface (API) that could be compatible across heterogeneous systems. However, throughout the document, NIST repeats the benefits of open banking for both financial institutions and consumers, barely mentioning the risks associated with API security and data.
In the report, NIST states the benefits of open banking in its definition, writing that open banking “ecosystems are intended to provide new choices and more information to consumers, which should allow for easier interaction with and movement of money between financial institutions and any other entity that participates in the financial ecosystem.”
The report continues that open banking “also aims to make it easier for new actors to gain access to the financial sector (e.g., smaller banks and credit unions), has the potential to reduce customers fees on transactions, and is already in use in various countries.”
The benefits continue in Section 5, as despite being labeled “Positive Outcomes and Risks,” all the points in the list — except one — are positive outcomes. The only risk, attributed to the risk of data leakage, is associated with organizations that try to “hurriedly implement open banking.”
The document also stresses the benefits of open banking to prevent fraud, adding, “Having an open platform should stimulate the means of securing financial systems, such as by enabling better methods for detecting and preventing fraud. At a much larger scale, open banking could serve as a foundation upon which measures of risk and stability can be built, thereby preventing or predicting potential weaknesses before they occur.”
While the document is very extensive on examples of other countries where open banking has been implemented, it doesn’t offer too much information about the different approaches to API and other security practices that could help in reducing fraud and cybersecurity incidents.
It also suggests that open data standards are important when considering API access, as data can be more easily aggregated with fewer errors. According to the report, “Having such common data standards would help accelerate the development of API and promote a wider adoption of such services.”
The report does not make any recommendations, except perhaps from adopting privacy frameworks, such as the NIST Privacy Framework, during the design of an open banking network.
This document cannot be considered a full endorsement of open banking, but it offers a positive view from a cybersecurity and privacy points of view. This could be relevant because the Consumer Financial Protection Bureau (CFPB) has been looking at the possibility to implement section 1033 of the Dodd-Frank Act to promulgate rules on open banking.
Read more: CFPB Lays Groundwork for Open Banking’s US Push
In October 2020, the CFPB had already announced an advance notice of proposed rulemaking soliciting comments to develop regulations to implement section 1033. More recently, in 2021, President Joe Biden urged the CFPB to promote the use of open banking.
While the CFPB hasn’t yet published any document that suggests new regulation could be issued any time soon, Director Rohit Chopra has previously talked about the benefits of open banking. This report on cybersecurity could help the CFPB build the case for new rules to data sharing.