On 23 April 2024, UAE Central Bank’s Etihad Payments Company signed a partnership agreement with «Core42», one of the UAE’s «G42» Group providers of AI-enabling solutions, along with other partnerships with «Ozone API» and «Raidia» as technology service providers to launch and implement an open finance project in the UAE, as part of the initiatives of the Central Bank’s Financial Infrastructure Transformation Program.
In this article, we will look at the «Open finance» concept and how it differs from open banking. We will then look at its main components, especially the API layer, and at why securing that layer matters and which approaches and tools can be used to do so.
The open finance project is part of the Central Bank’s ongoing efforts to achieve its strategic vision and objectives in its FIT (Financial Infrastructure Transformation) Program to accelerate the digital transformation of the financial services sector, which consists of nine key initiatives introduced on 12 Feb. 2023.
The Open Finance Regulation now makes participation in the Open Finance Framework (managed by the CBUAE) mandatory for the «Licensees» — UAE banks and foreign bank branches licensed in the UAE, as well as insurance companies — as part of a phased roll-out. They must provide Open Finance Providers with access to customer data and the ability to initiate transactions on customer accounts and products.
The article then turns to the importance of data privacy and security in open finance and offers recommendations on how financial service providers can protect their customers' data.
Open banking and open finance: What is the difference?
In the financial world, we often see finance companies use the terms «Open Finance» and «Open Banking» interchangeably. However, there is a small but distinct difference between these two terms.
Open Finance is the next step beyond Open Banking.
In general, open banking allows consumers to share their bank accounts’ financial data with third parties, but this data is only limited to banking. Open finance is much broader.
Open finance enables access to and sharing of consumer data across even more financial products and services, not just banking. This includes loans, consumer credit, investments, and pensions. It also enables the wider integration of financial data with non-financial industries, such as healthcare and government. In open finance, consumers can grant trusted third parties access to their entire financial footprint for better experiences and personalized solutions to improve financial wellness.
Therefore, open finance gives everyone the right to access and act on their financial data to make financial decisions, enable new business models, and create a new consumer experience.
Consumers’ Financial Data Sharing
The Financial Data and Technology Association (FDATA) reported that nearly 90% of the data being shared is done by «other technology,» and only 10% is shared using APIs. There are three ways of sharing consumer financial data:
- Screen Scraping or Credential Sharing
Screen scraping is the process of gathering data from one app by inputting user credentials (such as username and password) and displaying that data somewhere else. Screen scraping is less secure than more modern connectivity solutions like open finance APIs and adds more complications to the banks’ infrastructure, which affects the consumer’s experience.
- Whitelisted IPs
Whitelisted IPs allow the financial institution to sanction data sharing with specific IP addresses and see who is accessing their consumers’ data.
- Open Finance APIs
Open finance APIs allow consumers to share their transaction data without handing over usernames and passwords. These direct connections replace credentials with tokens, delivering higher levels of security and faster access.
The new Open Finance Regulation in the UAE mandates that licensees who are data holders and service owners (the banks and insurance companies, based on the phased roll-out led by the CBUAE) must establish and maintain a dedicated interface to provide secure online access to accounts and products through the «API Hub» and other components of the Open Finance Framework.
The API Hub is the centralized «Application Programming Interface Hub» established by the CBUAE, through which parties will be able to access the Open Finance Framework.
This «Trust Framework» includes the:
- Participant Directory (facilitating the validation of participants in the framework).
- Digital Certificates (facilitating secure communications).
- API Portal (to hold all documentation on standards).
- Sandbox (facilitating participants’ ongoing testing and official conformance certifications).
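The three sharing methods above and the Trust Framework components fit together at the point where a data holder decides whether to answer an API request. The following Python example is added here to show that decision and is not code from the CBUAE framework or any vendor: it combines a participant-directory lookup (keyed by a client-certificate fingerprint), a per-participant IP allowlist, and a consent-scoped opaque token that stands in for the customer's credentials. The directory entries, participant ids, resource paths, scope names and IP ranges are all constructed for the example.

```python
import hmac
import ipaddress
import secrets
import time

# Constructed participant directory (hypothetical entries): maps the SHA-256
# fingerprint of a participant's client certificate to its identity and the
# IP ranges it registered. In the real framework this would come from the
# CBUAE Participant Directory; these values are made up for the example.
PARTICIPANT_DIRECTORY = {
    "sha256:11aa22bb": {"participant_id": "TPP-001", "allowed_ips": ["203.0.113.0/24"]},
    "sha256:33cc44dd": {"participant_id": "TPP-002", "allowed_ips": ["198.51.100.10/32"]},
}

# Which token scope a given resource path requires (constructed mapping).
RESOURCE_SCOPES = {
    "/accounts": "accounts:read",
    "/transactions": "transactions:read",
    "/payments": "payments:write",
}

# Server-side token store: opaque token -> consent record. The token carries
# nothing about the customer's credentials; revoking consent deletes the entry.
_TOKENS = {}


def issue_token(customer_id, participant_id, scopes, ttl_seconds, now=None):
    """Issue an opaque access token bound to one participant and a scope set."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = {
        "customer_id": customer_id,
        "participant_id": participant_id,
        "scopes": frozenset(scopes),
        "expires_at": now + ttl_seconds,
    }
    return token


def revoke_token(token):
    """Customer withdraws consent: the token stops working immediately."""
    _TOKENS.pop(token, None)


def _lookup_token(token):
    # Constant-time comparison so a wrong token does not leak which stored
    # token shares a prefix with it through timing.
    for stored, record in _TOKENS.items():
        if hmac.compare_digest(stored, token):
            return record
    return None


def authorize_request(token, cert_fingerprint, client_ip, resource, now=None):
    """Return (allowed, reason) for a data-access request from a participant."""
    now = time.time() if now is None else now
    participant = PARTICIPANT_DIRECTORY.get(cert_fingerprint)
    if participant is None:
        return False, "unknown participant certificate"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in ipaddress.ip_network(net) for net in participant["allowed_ips"]):
        return False, "source IP not registered for participant"
    record = _lookup_token(token)
    if record is None:
        return False, "unknown or revoked token"
    if record["expires_at"] <= now:
        return False, "token expired"
    if record["participant_id"] != participant["participant_id"]:
        return False, "token not issued to this participant"
    needed = RESOURCE_SCOPES.get(resource)
    if needed is None or needed not in record["scopes"]:
        return False, f"scope {needed!r} not granted"
    return True, "ok"


if __name__ == "__main__":
    t = issue_token("CUST-1", "TPP-001", ["accounts:read"], ttl_seconds=600)
    print(authorize_request(t, "sha256:11aa22bb", "203.0.113.7", "/accounts"))
    print(authorize_request(t, "sha256:11aa22bb", "203.0.113.7", "/payments"))
```

The order of checks is deliberate: the cheap, unauthenticated failures (unknown certificate, wrong source network) are rejected before the token store is consulted, and a token issued to one participant is useless to another even if it leaks, because it is bound to the participant identity proven by the certificate.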
Protecting Customers’ Financial Data
The Open Finance industry is aware that the sharing of data comes with inherent cybersecurity risks and potential for data leaks, and the holders of this data also face these same risks.
The most important aspect of the Open Finance framework is protecting consumer data while giving them control over sharing their financial data. Moving from screen scraping to IP whitelisting to Open API provides more security options for this shared data, but potential threats still exist, such as a reduction in the control people hold over data about them, greater financial exclusion, and data leakage.
Securing API Connections
Financial APIs are most often built to integrate a financial institution’s core banking platform with third-party data networks or applications, enabling two or more platforms to communicate and exchange data.
However, APIs are the primary entry point for hackers to exploit vulnerabilities. Consumers give rights to authorized parties to use their financial data, not to hackers who may exploit this data or even use the consumer’s money.
That is why API security must be taken seriously, with a clear plan for preventing data breaches.
Some of the most common types of API attacks are:
- Application-level denial of service (DoS) and distributed DoS (DDoS) attacks.
- SQL Injection Attacks.
- XML External Entity (XXE) Attacks.
- Cross-site Scripting (XSS) Attacks.
- Man-in-the-middle (MITM) Attacks.
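Two of the attack classes above can be illustrated in a few lines of defensive code. The Python example below is added for this article and is not code from any of the vendors named later: it places an injectable SQL lookup next to its parameterized replacement, and adds a per-client token-bucket limiter of the kind that blunts application-level denial of service. The accounts table, customer ids and IBAN-like strings are constructed test data.

```python
import sqlite3
import time


def _build_db():
    # Constructed in-memory table standing in for a core banking account store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (customer_id TEXT, iban TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("CUST-1", "AE00-TEST-0001", 1500.0), ("CUST-2", "AE00-TEST-0002", 42.0)],
    )
    return conn


DB = _build_db()


def lookup_accounts_unsafe(customer_id):
    """Vulnerable: the caller-supplied id is pasted into the SQL text, so an
    id such as  ' OR '1'='1  rewrites the WHERE clause and returns every row."""
    sql = f"SELECT customer_id, iban FROM accounts WHERE customer_id = '{customer_id}'"
    return DB.execute(sql).fetchall()


def lookup_accounts_safe(customer_id):
    """Hardened: the id travels as a bound parameter and is only ever compared
    as data, never interpreted as SQL syntax."""
    sql = "SELECT customer_id, iban FROM accounts WHERE customer_id = ?"
    return DB.execute(sql, (customer_id,)).fetchall()


class TokenBucket:
    """Per-client token bucket: `rate` requests per second sustained, bursts
    of up to `capacity`. Each client (API key, participant id, source IP) has
    its own bucket, so one noisy caller cannot starve the others."""

    def __init__(self, rate, capacity):
        self.rate = rate
        self.capacity = capacity
        self._state = {}  # client -> (tokens_remaining, last_refill_time)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self._state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self._state[client] = (tokens - 1, now)
            return True
        self._state[client] = (tokens, now)
        return False


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("unsafe:", lookup_accounts_unsafe(payload))
    print("safe:  ", lookup_accounts_safe(payload))
    bucket = TokenBucket(rate=1.0, capacity=3)
    print([bucket.allow("tpp-a") for _ in range(5)])
```

The same parameter-binding discipline applies to every query an API handler issues, not only the obvious login or lookup paths; and a rate limiter belongs in front of the authentication step, so that a flood of bad tokens is rejected cheaply before it reaches the token store or the database.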
To protect yourself and your customers’ financial data from such API attacks and other types of threats, you need to use a strong cybersecurity methodology along with powerful API security tools. Below are the top 5 API security tools in the market in 2024 listed by Gartner for the MENA region:
- Imperva API Security by Imperva
Imperva is a cybersecurity firm that assists organizations in safeguarding critical applications, APIs, and data across various scales and locations. It is an all-in-one robust API security software for businesses with high-end features for protecting systems and APIs holistically from all threat attempts and attacks.
- Wallarm API Security Platform by Wallarm
Provides comprehensive API protection against OWASP API Security Top-10 risks and other advanced API threats — including comprehensive visibility into your API estate, detection and remediation of API vulnerabilities and threats, and protection of sensitive data.
- Apigee API Management Platform by Google
Google Cloud’s native API management tool to build, manage, and secure APIs for any use case, environment, or scale.
- Akamai API Security by Akamai
API Security is a vendor-neutral API threat protection solution that does not require the use of other Akamai solutions. It complements existing Akamai API security solutions and ensures customers get comprehensive protection as attacks on APIs have become much more sophisticated, requiring new detection techniques and automated responses.
- Cequence Unified API Protection Platform by Cequence Security
Unifies API discovery, compliance, and protection capabilities to defend against attacks, business logic abuse, and fraud.
Conclusion
The CBUAE Open Finance Regulation is a very positive step, opening up more opportunities for innovation, healthy competition, and service improvement across the payments landscape in the UAE. This will likely have a large and beneficial impact on the fintech ecosystem as a whole.
On the other hand, each financial services organization should review and study its risks and threats, especially those related to API risks and threats, and should take the proper action to secure their customers’ financial data and protect them from being exploited by bad actors.
The Cloud Networks Solutions team is actively working to provide you with more information about these changes. We are engaging with leading market players to stay informed about the latest trends and developments. In the near future, we plan to hold a dedicated session on this topic, where you can get answers to all your questions and discuss important aspects of the new regulation.
Stay tuned for our updates to keep abreast of all upcoming events and developments. Your success and security are our priority!