To begin by putting things into perspective, India has more digital payment users than the US population. And where there are digital payment users, there are opportunities for banks and financial services companies to monetize the users and the data they generate. But before we get to the nitty-gritty details of third-party access, let’s first look at how the user base and the data are utilized.
- Aggregators, enablers, and affiliates alike use user data to generate customer profiles and target products and services based on their profile
- Banks themselves can use the account information data available with them to cross and up-sell loans, investment products, and services
- Non-Banking Financial Services institutions (NBFCs) can use both customer profiles and payment-related information to provide customized offers and value-added services like real-time approval of loans, EMI offers, and add-on products
The challenge here is that banks now have to open access to their systems under Open Banking. At the same time, regulators want banks to isolate their core banking systems and comply with a plethora of regulations and security measures, with penalties as high as ₹250 crore.
The catch-22 of access and security
Take the example of a fintech providing payment processing. They need real-time access to the payment user’s bank accounts, the balance, and the security features implemented by the bank, such as OTP-verified transactions. Likewise, retailers, travel agencies, hotels, restaurants, and aggregators for each of these services need access to the bank’s systems, too.
Applications, or Application Programming Interfaces (APIs), accessing banking applications are relatively simple to secure – after all, the API does what it is programmed to do, how it is supposed to do it, when, where, and why. This predictability of behavior allows for simplified security measures.
- Application-level security – to make sure the application or API accessing the banking application, the databases involved, and the underlying infrastructure are secure. This is both auditable and simple to track with third-party audits such as SOC and ISO 27001
- Data at rest and data in motion are adequately encrypted, with efficient management of the cryptographic keys so that the lock and the key are kept separate
- At the programming level, the applications and APIs need to be secure in the code base, and the underlying technologies are protected by adequate vulnerability management and a cohesive enterprise security posture
Third-party vendors, on the other hand, involve human touchpoints, and that is an entirely different matter – and one of utmost importance for securing banking applications and data.
Consider Third-party Providers (TPPs) such as agents or resellers of financial services products, for example loans. Here, humans – identities – are involved. A TPP agent applying for a loan on behalf of the end customer needs to be able to perform binding actions on behalf of that user.
Now, we have an additional challenge of an audit trail – who accessed the application, when, from what location, and for what purpose. We need to secure external vendor access in addition to application or API-level access from apps and interfaces. This is not easy. Not unlike the challenges faced during the pandemic, where organizations scurried to enable remote work, we have similar pain points here. The bank cannot provide secure devices to third parties – it is just too expensive for the bank, yet the TPPs need access. Using complex multi-factor authentication (MFA) and policies to prevent data leakage also creates delays and productivity losses, which are equally detrimental to the bank.
The question now is how the bank would secure its core systems and prevent data breaches or fraud while providing seamless access to TPPs.
The need of the hour – a simplified access solution
When the challenge is three-pronged, so should be the solution. For TPP vendors and agents, we need measures to track usage and provide an audit trail. For TPPs accessing banking applications, we also need MFA, ideally including something like biometric authentication that is difficult to duplicate, but the implementation must be simple enough not to become a stumbling block to adoption.
Last but not least, the devices accessing the banking applications, processing the information those applications provide, and transmitting this data must be secured so that:
- The data is not stored on the device
- The user cannot access the applications from multiple devices
- Network and transport-level security and encryption prevent interception and spoofing
- Screen grabbing, screen sharing, and screen scraping are restricted
- Zero-Trust Architecture (ZTA) checks ensure the devices accessing the applications have a security posture compliant with the requirements
Now that we have security, we must also facilitate access for authorized users and devices. A simple approach is to use directory services to provide single sign-on (SSO) using SAML, backed by LDAP, Microsoft Active Directory, or any other directory service. SSO brings significant advantages in productivity and speed when combined with ZTA and device-level security.
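To make the three prongs above concrete, here is an added example (not code from the original post, and not an Accops product API) of a minimal access-decision gate for a TPP agent session. Every field name, policy value and sample request below is an assumption constructed for illustration: the gate checks the SSO assertion's age, that the IdP asserted at least two factors including a biometric one, that the endpoint reported a compliant posture, that the geo-location is permitted, and that the identity is not already bound to a different device. Whatever the outcome, it emits one structured audit record answering who, when, from where, and for what purpose.

```python
# Added illustration of a TPP access policy gate with an audit trail.
# All names, fields, policy values and sample requests are constructed for
# this example; they are not Accops APIs or any bank's real configuration.
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ALLOWED_COUNTRIES = {"IN"}                 # assumption: agents operate from India only
BIOMETRIC_FACTORS = {"fingerprint", "face"}
MAX_ASSERTION_AGE = timedelta(minutes=15)  # reject stale SSO assertions


@dataclass(frozen=True)
class AccessRequest:
    subject: str            # identity asserted by the SSO provider (e.g. SAML NameID)
    vendor: str             # the TPP the agent works for
    mfa_methods: tuple      # factors the IdP says were used, e.g. ("password", "fingerprint")
    device_id: str          # stable identifier reported by the endpoint agent
    device_compliant: bool  # posture check outcome (disk encryption, patch level, ...)
    country: str            # ISO 3166-1 alpha-2 code derived from geo-location
    purpose: str            # declared reason for access, e.g. "loan-application"
    issued_at: datetime     # when the SSO assertion was issued (UTC)


@dataclass
class Decision:
    allow: bool
    reasons: list


def evaluate(req: AccessRequest, now: datetime, device_registry: dict) -> Decision:
    """Apply the identity/MFA, device posture, geo and single-device checks.

    device_registry maps subject -> device_id currently bound to that subject;
    it is passed in so the caller decides where that state lives.
    """
    reasons = []
    if now - req.issued_at > MAX_ASSERTION_AGE:
        reasons.append("sso-assertion-expired")
    if len(req.mfa_methods) < 2 or not BIOMETRIC_FACTORS & set(req.mfa_methods):
        reasons.append("biometric-mfa-not-satisfied")
    if not req.device_compliant:
        reasons.append("device-posture-noncompliant")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("geo-location-blocked")
    bound = device_registry.get(req.subject)
    if bound is not None and bound != req.device_id:
        reasons.append("subject-bound-to-other-device")
    if not reasons:
        device_registry[req.subject] = req.device_id  # bind on first successful login
    return Decision(allow=not reasons, reasons=reasons)


def audit_record(req: AccessRequest, decision: Decision, now: datetime) -> dict:
    """One structured audit entry: who, when, from where, what for, and the outcome."""
    return {
        "ts": now.isoformat(),
        "subject": req.subject,
        "vendor": req.vendor,
        "device_id": req.device_id,
        "country": req.country,
        "purpose": req.purpose,
        "mfa_methods": list(req.mfa_methods),
        "outcome": "allow" if decision.allow else "deny",
        "reasons": decision.reasons,
    }


def audit_line(req: AccessRequest, decision: Decision, now: datetime) -> str:
    """Serialise the record as a single JSON line suitable for a log pipeline."""
    return json.dumps(audit_record(req, decision, now), sort_keys=True)


def demo() -> list:
    """Run a constructed scenario and return the audit records in order."""
    now = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    registry = {}
    scenario = [
        # Compliant agent, fresh assertion, biometric MFA, first device: allowed.
        AccessRequest("agent-42", "acme-loans", ("password", "fingerprint"),
                      "dev-A", True, "IN", "loan-application", now - timedelta(minutes=1)),
        # Same agent from a second device: refused by the single-device binding.
        AccessRequest("agent-42", "acme-loans", ("password", "fingerprint"),
                      "dev-B", True, "IN", "loan-application", now),
        # Stale assertion, password only, non-compliant device, blocked country.
        AccessRequest("agent-77", "acme-loans", ("password",),
                      "dev-C", False, "US", "loan-application", now - timedelta(hours=1)),
    ]
    return [audit_record(r, evaluate(r, now, registry), now) for r in scenario]


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, sort_keys=True))
```

The deny reasons are deliberately kept as a list rather than a single boolean so the audit trail records every failed control, which is what an investigator needs when reconstructing a session months later.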
A straightforward solution
Accops is synonymous with secure workplaces around the world, and its portfolio of products, encompassing HySecure and HyID, offers efficient and effective controls that banks and financial services institutions can use to secure their systems and third-party access. Providing end-to-end security from the device to the network to how users access the applications, Accops covers all the bases to ensure smooth sailing across the board.
- Accops HySecure provides an efficient and effective Zero-Trust Network Access solution that lets banks and financial services companies allow Bring Your Own Device (BYOD) for agents and vendors without compromising security or data leak protection. Additionally, its configurable policies allow whitelisting and blacklisting of websites and on-demand blocking of the internet while collaboration tools continue to function.
- Accops HyID provides biometric Multi-Factor Authentication to prevent unauthorized access from vendor or agent devices while also providing the appropriate audit trail of logs. In addition, HyID allows or blocks access based on geo-location, and because it is driven by SSO and directory services, vendors or agents who have switched jobs no longer have access to the applications, thus preventing data leakage.
Putting a bow on it
With regulators tightening the compliance dragnet even as the market demands more access, banks and financial services organizations must rise to the challenge or be left behind. The third-party processing marketplace is growing exponentially as we speak.
And remember the 350 million payment users we mentioned at the beginning? That figure is projected to double by 2030.