Firms must manage third-party risks to fully engage with open banking technology

In a new blog, the international Governance, Risk, Audit and Compliance (GRAC) solution provider said financial services firms need to manage third party risks, such as potential process risks, technology risks and data risks, including security or cyber security breaches, in order to fully utilize the new technology which was created to make customer data flow between firms and third parties via APIs much easier.

According to RiskBusiness, there are 4.5 million regular users of open banking, 3.9 of which are consumers and 600,000 small businesses.

The popularity of open banking in recent years has been rapidly growing, with a 60 per cent increase in users (2.8 million in December 2020) and one million new regular or active users being added every six months.

RiskBusiness said because some of the fintechs involved in developing open banking solutions are start-ups, they may not operate to the same compliance requirements as regulated firms.

“Truly managing these risks will require the efforts of individual firms, of course. However, it also seems obvious that the network ecosystem nature of open banking demands a network ecosystem approach to managing these risks, which is probably best coordinated by the [Open Banking Implementation Entity] OBIE itself,” the blog read.

“The banks engaged with open banking may need to take action. Furthermore, three major banks, including most recently HSBC in April 2022 have been subjected to regulatory warnings for failing to fully comply with the open banking requirements.

“So, financial firms should seek to actively manage the risks associated with open banking – while not being blind to the opportunities this new technology creates.”

RiskBusiness’ comments come just days after it was revealed that AFS licensee RI Advice was found to have breached its licence obligations by the Federal Court, who ruled that the group did not act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.

According to ASIC, a “significant number” of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.

Shortly after the decision, CEO and founder of cyber security provider, StickmanCyber, Ajay Unni, said “businesses must learn” from the landmark decision.

"With a rise in complexity and frequency of cyber threats, it isn’t a question of if your business will fall prey to a cyber attack, it is more a question of when an attack will occur,” Mr Unni said.

“Businesses, regardless of their size, type, and industry, need to enhance their cyber resilience.”

Neil Griffiths

Neil is the Deputy Editor of the wealth titles, including ifa and InvestorDaily.

Neil is also the host of the ifa show podcast.