Guest blog (RBS): Open Banking and fraud

A Q&A between Richard Hayllar, partner at TLT and Alasdair MacFarlane, head of fraud at RBS and a speaker at our inaugural Open Banking conference 

To what extent is the fraud threat changing in the UK, and what is the role played by Open Banking in any shift? Richard Hayllar, partner at TLT, spoke to Alasdair MacFarlane, head of fraud at RBS, following his presentation at TLT's Open Banking conference in February. 

How is fraud risk changing?

The past two years have seen more regulatory change around data handling and protection than ever, with even more in the pipeline. At the same time, the rise of digital and mobile channels, plus transitions like the move to real-time payments, have changed the landscape and made the UK arguably even more attractive as a target for organised crime. 

This change doesn't concern us, but it does mean the dial has moved – and those holding data have to respond to the changed fraud risk.

What’s the best way to stay ahead of fraudsters?

The challenge for those of us in charge of fraud risk in banks, when you get this kind of substantive change, is to think like a criminal and predict their next steps in fraud. When criminals survey what’s happened, where are they most likely to concentrate their efforts? What are the weak links with the greatest potential upside that they might look to exploit? 

What are the main risks in relation to the wider release of customer data under Open Banking?

There are four main risks under Open Banking: 

It creates an increased ‘attack surface’ for criminals to go after
Potential data loss via the new-to-the-scene third party providers 
We might also see an impact on core systems from unexpected usage 
Increased risks around fraud in general, in today’s ‘data-driven society’ where data has a real value

Does the way that consumers will behave in relation to this new form of data sharing add to the risk of fraud?

Undoubtedly, yes. With Open Banking, consumers have the capability to aggregate their banking platforms in one place. So if that single platform gets compromised, then potentially several accounts are compromised at once. It could put pressure on banks to reassess and re-engineer security controls and processes, so we have to be alive to that.

What are the most likely sources of attack?

The biggest risks are from attacks using social engineering – in other words, exploiting people as the weakest link. Cyberattacks are not limited to exploiting technical vulnerabilities. 

Open Banking could well trigger an increase in social engineering attacks against customers who may be inexperienced in using new technology platforms. Risks include phishing – in all its variants – malware, fraudulent apps, and physical theft or loss of endpoint devices that could provide access to third parties.

How can these risks be mitigated?

Education and awareness-raising are a key part of the picture, as is the capability to authenticate and authorise using today’s function-rich devices. Multi-factor authentication can get us a long way.

Behind the scenes, too, early identification of fraud will also hold the key to limiting any damage that arises. For example, if banks like RBS can identify mule networks and accounts effectively, that’s another way to avoid problems and limit damage. It’s the kind of work we are doing all the time – identifying and dealing with threats so that our day-to-day business can continue.

Should we be optimistic about capabilities to manage fraud threats?

Optimistic, yes; complacent, no. As a society, we have all the tools and capabilities to keep a lid on the risks that are coming at us – and a responsibility to plan for those risks that are still around the corner. It's important to keep watching, learning and updating.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published

09 May 2018


View all