Cryptocurrencies prove that technology makes it difficult for policymakers to balance between encouraging valuable financial innovation and regulating dangerous economic hype. Data-sharing applications that facilitate open banking are the latest examples of technological innovations that provide valuable new competitive opportunities for financial institutions and their customers. But by now, policymakers should realize that cyberspace is an area of mistrust for buyers.
Sharing data so consumers can make financial transactions more efficiently sounds great. Third-party vendors who get their hands on this valuable information will certainly think so. But financial institutions must be careful about sharing the massive amounts of highly confidential data they keep about customers who often misunderstand the relative risk/benefit of sharing it.
Open banking typically relies on innovative application programming interfaces (APIs) that allow consumers to share their banking and credit card transaction data with everyone from financial services to healthcare providers to increase functionality and efficiency. Although platforms that share data with such apps and services can save consumers time and money, as soon as data is shared between businesses or industries, the risk of performance failure and the potential for fraudulent access to third-party vendors increases, not to mention creating serious risks to economic infrastructure and national security. The more vendors that touch or are not responsible for a user’s data, the greater the number of vulnerabilities.
We fully agree with a recent BankThink article that there is a growing need for regulatory protection of financial data. But it’s not clear that any combination of federal agencies can play the role of effective gatekeeper at this point, given the notoriously insecure nature of the internet. Only the broadest and deepest technological experience and expertise, both inside and outside of government, will enable us to move towards a safer environment based on sound regulatory principles.
Giving consumers what they have been convinced they need to make their financial lives smarter and more efficient without a full understanding of the implications is increasingly viewed as short-sighted and highly dangerous.
As open banking platforms are increasingly implemented in Europe and Asia, there is growing economic and competitive pressure on financial institutions in the United States to share their platforms and join this orgy of data. But these advances signal massive shifts in the traditional financial infrastructure that require planning, anticipation, and corrective solutions when things go wrong.
The savings and conveniences gained from open banking could be significant. A January 2022 draft report from the Department of Commerce’s National Institute of Standards and Technology written by a group of academics and technologists (none of whom appeared to be experts in financial services or payment systems) summarized the advantages that open banking should create. But that has largely overshadowed the security challenges that are being created.
The report states that “having an open platform should stimulate ways to secure financial systems, for example by enabling better methods of detecting and preventing fraud. Not specific “should” are generally worth very little in the real world, as evidenced by a March 3 comment letter from several financial trade associations which concluded that, contrary to both the title and the purported purpose of the report, it did not sufficiently address the complexities and risks that open banking enterprise can introduce, and did not offer a single recommendation regarding privacy, national security, or cybersecurity.
So why should sensitive data be shared with potentially untrusted third parties over networks that we cannot guarantee are or will remain secure? Frankly, the euphoria about new technologies and the alleged time and cost savings that every new product seems to boast about seems to cloud the risks they create for financial and national security. This is not a new problem, but its magnitude and size are.
Consumer data has always been collected and analyzed to predict consumer buying habits and maximize sales. When observers sat in mall parking lots and counted people, license plates, packaging and brands, it seemed like harmless marketing duty. Today, watchers have been replaced by facial recognition devices and drones that can merge their data with GPS, online, cellphone and social media data, demonstrating how things have evolved to create sophisticated shapes behavior analysis and control.
Our full fledged data surveillance society is now run by private companies, governments and others who understand the political and economic incentives to do so. Those who harness the power of data for themselves, including governments, understand the control that comes with it – something that can be used for purposes far beyond selling products. So here we are in a world that most of us never voted for or wanted to create for. Nevertheless, it’s on us.
These are extraordinarily complex problems, in large part because new technologies and their malicious users, including domestic and international criminals and foreign governments, continue to increase, narrowing the margins for error and dramatically raising the stakes. Until networks are more secure, there are significant risks to continuing to load more data and value into them. The solutions require a new form of global public-private collaboration that is so far from what we have ever seen that it will take years to develop and accept. Relying solely on governments to find these solutions is unrealistic.
It’s the dark underbelly of the data collection and surveillance society that was built while our heads were spinning. While technologies like open banking can create unprecedented financial improvements, they can just as easily be used to create societal and economic tyranny. Congress and regulators sit between these two extremes as arbiters of our financial future. The clock is turning.
(This article is adapted from Mr. Vartanian’s forthcoming book, “The Unhackable Internet: How Rebuilding Cyberspace Can Create Real Security and Prevent Financial Collapse.”)