The chain of data protection – keeping the most sensitive information out of the hands of hackers and other bad actors – is only as strong as its weakest link.
In the age of open banking, where data access can be broad indeed – where consumers grant permission, and traditional financial institutions (FIs) give access to all sorts of data to innovate FinTechs – we’re just seeing glimmers of who’s liable, where and when.
To that end, as reported over the weekend, millions of pounds were stolen from Barclays accounts. The heist occurred as a series of coordinated phishing attempts by a fraudster using a Monzo account and a payments initiation service provider (PISP). The PISP links customers’ bank accounts (in this case, accounts with Barclays) to various companies, allowing payments to be made directly without using cards.
Read more: Barclays Hit in Phishing Scam Using Monzo Account, PISP
In a statement, a Barclays spokesperson noted that “there is nothing new or different about a fraudster’s approach to these cases that are specific to using a PISP. It is the same type of social engineering to convince victims to share passcodes/Pinsentry codes and to use those codes in pursuit of their schemes.”
Therein lies a bit of food for thought: If the hackers are using tried-and-true methods to get what they want, and the only thing that’s changing is that there’s more data than ever for them to use to steal money out of unsuspecting victims’ accounts, regulatory bodies are likely to (and should) take a fresher look at the “porousness” in those FinTechs’ and PISPs’ operations. After all, the data are housed with banks, and banks are trusted places for customers to share their information. Instead of directly trying to breach banks’ defenses, there’s a way to get to the accounts (and the money) by using FinTechs and service providers.
Monzo seems to be in some regulatory crosshairs. An antitrust probe in the United Kingdom by the Financial Conduct Authority (FCA) said that Monzo had been in violation of financial crime controls and anti-money laundering (AML) mandates.
Related news: Monzo Faces FCA Investigation Into Alleged AML Contraventions
As reported by CNBC on Monday (Oct. 4), Monzo has withdrawn its application for a U.S. banking license, a decision that was not explicitly tied to any data privacy concerns. The company said that while the withdrawal “isn’t the outcome we initially set out to achieve, this allows us to build and scale our early-stage product offer in the U.S. through existing partners and to invest further in the U.K.”
The Biden administration is pushing for more data portability, but the rules governing that portability will likely be stringent. The U.K. may be in for some data regulation overhauls itself – the Open Banking Implementation Entity, which oversees data sharing between banks, FinTechs and third-party service providers, has been found to be lacking in internal governance.
Learn more: CMA Finds Open Banking Entity Failed to Stop Intimidation, Conflicts of Interest
In a late-summer interview with PYMNTS, MX Chief Advocacy Officer Jane Barratt told Karen Webster that the ultimate answers on liability would be crafted by frameworks that involve discussions and input from all parties — FinTechs, FIs and consumers. The liability would shift at least partially from banks (where it currently resides) to other parties.