Background

A UK private bank was in the process of implementing its Open Banking solution in line with PSD2. Specifically, this involved creating APIs (Application Programming Interfaces) that allow TPPs (Third Party Providers) to access and share customer account data and to initiate payments on behalf of customers, with the customer's consent.

Working directly with the deputy CISO, Wavestone were brought on board to ensure that the Open Banking solution was secure and complied with the PSD2 regulation. In parallel, Wavestone were also asked to review and advise on the login authentication process for the client's e-Banking application.

What is PSD2 and Open Banking?

PSD2, the revised EU Payment Services Directive, succeeds PSD1 and is a further step in standardising and securing electronic payments across the EU, notably by opening bank account access to regulated third parties and by requiring Strong Customer Authentication. In the UK, Open Banking (mandated by the Competition and Markets Authority) requires the nine largest current account providers to expose customer account data through secure, standardised APIs so that it can be shared online with registered organisations.

What did Wavestone deliver?

  • Carried out an in-depth risk assessment report on the client’s Open Banking solution; analysing all processes involved (e.g. payment initiation process, TPP onboarding), identifying risks and advising on proposed mitigation.
  • Managed and implemented 30 key information security controls; this involved working directly with the information technology team to ensure PSD2 compliance and appropriate security measures were embedded into the technical solution e.g. log monitoring, encryption of data-in-transit, PIAs for GDPR compliance.
  • Completed grey-box penetration testing targeting vulnerabilities such as TPP spoofing, unauthorised privilege escalation and weaknesses in API authentication.
  • Supported the design of the client's e-Banking login authentication process (mobile/desktop apps). We analysed user requirements and wireframes to ensure that login was seamless for the end-user but also met the PSD2 Strong Customer Authentication (SCA) and dynamic linking requirements (the authentication code for a payment must be bound to the specific amount and payee, so that any change to either invalidates it).
  • Acted as a key point of contact/conduit between the deputy CISO and the technical development team.
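The dynamic linking requirement referred to above is easiest to understand in code: the authentication code the customer generates must be valid only for the amount and payee they were shown, and only once. The following is an added illustration written for this page, not the client's or Wavestone's implementation. The HMAC construction, the demo key standing in for the secret held by the customer's possession element, the nonce-based single-use check and the sample account numbers are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict
from typing import Optional, Tuple


@dataclass(frozen=True)
class PaymentOrder:
    """The transaction details that PSD2 dynamic linking binds the code to."""
    amount_minor: int   # amount in minor units (pence); integers avoid float ambiguity
    currency: str       # ISO 4217 code, e.g. "GBP"
    payee_account: str  # payee identifier (IBAN, or sort code + account number)


def canonical_bytes(order: PaymentOrder) -> bytes:
    # Deterministic encoding (sorted keys, no whitespace) so the same order always
    # produces the same bytes and field boundaries cannot be confused.
    return json.dumps(asdict(order), sort_keys=True, separators=(",", ":")).encode()


def issue_authentication_code(key: bytes, order: PaymentOrder,
                              nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Customer side: generate a single-use code bound to the amount and payee.

    `key` stands in for the secret held by the possession element (assumed here to
    be the customer's enrolled mobile app); the random `nonce` makes the code single-use.
    """
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    code = hmac.new(key, nonce + canonical_bytes(order), hashlib.sha256).digest()
    return nonce, code


class DynamicLinkVerifier:
    """Bank side: recompute the code over the order actually being executed and
    reject any nonce that has already been consumed (replay)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._used_nonces = set()

    def verify(self, order: PaymentOrder, nonce: bytes, code: bytes) -> bool:
        if nonce in self._used_nonces:
            return False  # replay: a code authorises exactly one transaction
        expected = hmac.new(self._key, nonce + canonical_bytes(order), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, code):
            return False  # amount or payee differs from what the customer approved
        self._used_nonces.add(nonce)
        return True


def demo() -> dict:
    """Constructed scenario: the customer approves one payment; an attacker then
    tries the same code against a changed amount, a changed payee, and a replay."""
    key = b"demo-possession-element-secret"  # constructed demo value, not for real use
    verifier = DynamicLinkVerifier(key)

    # Example IBANs are standard documentation samples, not real accounts.
    approved = PaymentOrder(amount_minor=1250, currency="GBP",
                            payee_account="GB29NWBK60161331926819")
    nonce, code = issue_authentication_code(key, approved)

    tampered_amount = PaymentOrder(amount_minor=125000, currency="GBP",
                                   payee_account=approved.payee_account)
    tampered_payee = PaymentOrder(amount_minor=approved.amount_minor, currency="GBP",
                                  payee_account="GB94BARC10201530093459")

    return {
        "tampered_amount": verifier.verify(tampered_amount, nonce, code),  # False
        "tampered_payee": verifier.verify(tampered_payee, nonce, code),    # False
        "original": verifier.verify(approved, nonce, code),                # True
        "replayed": verifier.verify(approved, nonce, code),                # False: nonce consumed
    }


if __name__ == "__main__":
    print(demo())
```

The point a reviewer of an SCA design should check is the order of operations in `DynamicLinkVerifier.verify`: the code is recomputed over the order the bank is about to execute, not over whatever the TPP asserts was approved, and the nonce is only marked as used once the code has actually matched.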

Key Challenge:

  • Coordinating between teams: our role sat between the IT team developing the solution and the Information Security team (specifically the deputy CISO). As such, it was pivotal that we maintained clear communication between all parties.

Results:

  • Key risks identified and appropriate mitigation measures proposed.
  • c.30 key information security controls implemented to help achieve compliance with PSD2 and improve the security of the client’s Open Banking solution.
  • Client's Open Banking solution is now live, allowing for an improved customer experience and greater exposure of the client's products.