Open banking: A solution looking for a problem to solve

Hayden McCall — Mon, 02 Jul 2018 05:16:21 +0000

It’s a hot topic across the financial services sector, but the jury is still out on just how much value open banking – which was due to commence in July, but has now been delayed eight months – will deliver to Australia.

Low awareness among consumers and challenges around compliance could see the concept wither and die before it’s had a chance to bloom.

Based on a system that is now in place within the United Kingdom, Australia’s forthcoming open banking system has been essentially modelled on the success of phone number portability. This regulatory change made it possible for people to keep their phone number and switch between different carriers in search of better deals or services.

Open banking promises similar flexibility in the financial sector. It is designed to allow people to go to a different financial services company and authorise them to make an assessment of their financial standing by accessing records that are held by their existing bank.

“‘Build it and they will come’ may work in many different areas, but the chances of it working when it comes to open banking are slim at best.”

While this sounds like an interesting concept, in the cold light of day it’s really nothing more than a solution in search of a problem. It might also be described as a fashionable soundbite that is easy to say but very difficult to actually get right in practice.

The bottom line is that the vast majority of people rarely, if ever, change banks. Because of the complexity and administration involved, they tend to stick with one institution through thick and thin. Anyone who thinks open banking will change this mindset is, unfortunately, deluded.

The data aggregation challenge
A second inhibitor for the success of open banking is the systems used by the banks themselves. The concept requires that customer data be in a form that can be readily exported to another authorised party.

In reality, this will be a lot harder to achieve than you might think. As a rule, banks don’t store all the data relating to a customer in a single database. Instead, it tends to be stored in different departments, across multiple systems, and in different formats.

Indeed, a bank may not know that all the products and services purchased and used by a particular individual actually relate to a single customer. A maze of different ID numbers, account names and access channels make joining the dots rather difficult.

To participate in an open banking environment, banks will be required to centralise their customer information in a way that has simply not been undertaken before. This will take significant investments in IT to design, roll out and manage.

As well as being a costly exercise to complete, this change to the way customer records are stored also has significant security implications. Once completed, there will then be a single data store within each bank at which cybercriminals can take aim. New security measures will be required, further adding to cost and complexity.

Third-party security
Open banking’s third key challenge stems from the array of new organisations that are going to be seeking access to customer financial records. These could potentially range from very small fintech start-ups to comparison web portals and even social media platforms.

Questions need to be asked about what these organisations will do with customer data in the longer term. If an individual opts not to take up a new product or service being offered, what will that organisation do with the records that have been received?

There are also questions around the quality of these organisations. Who is going to be responsible for assessing them to ensure they are legitimate? If a criminal group established a fake fintech firm with the goal of harvesting large numbers of customers records, what mechanisms would be in place to prevent them from operating?

Here the problems are likely to stem from the fact that such organisations could be granted authorisation to access records by a prospective customer prior to there being any contractual relationship in place between. The customer then has no guarantee the records will be deleted if no relationship actually results.

It’s clear there are a range of sizable challenges ahead for any open banking system in Australia. There are also questions around exactly how much demand there is likely to be from consumers. When open banking does officially come into existence, it could quickly become a ghost platform devoid of customers or commercial participants.

The mantra ‘built it and they will come’ may work in many different areas, but the chances of it working when it comes to open banking are slim at best.

ABOUT PHIL KERNICK//
Phil Kernick is chief technology officer and co-founder of information security consultancy CQR Consulting.

The post Open banking: A solution looking for a problem to solve appeared first on iStart keeping business informed on technology.

The downside of DevOps: faster isn’t always better

Jennene Kelly — Mon, 30 Oct 2017 01:35:12 +0000

The appeal of DevOps is its apparent ability to reduce the time required for the development process. The approach can significantly shorten projects and get new software up and running faster. This differs from the traditional ‘waterfall’ approach which begins with a specification, code methodically developed over time, rigorously tested and then deployed.

But there is a downside to DevOps which stems from the change in emphasis (speed over quality). Developer attention shifts from carefully checking and testing software thoroughly, to getting it up and running and then fixing any issues that arise after it is in production.

Suddenly, there is an uncomfortable tension between doing the development job fast and doing it well. And the ‘do it fast’ approach is winning.

Implications for security
Because DevOps has an impact on code quality, there are implications for security. If the development process results in more flaws going into production software, it creates big issues for the business. Systems could become more vulnerable to attack leading to instances of disruption and data loss.

The security situation is further exacerbated by the way developers work in a DevOps team. Because time is of the essence, many choose to create their own servers in a virtual environment rather than relying on system administrators trained in maintaining system integrity. While they gain rapid access to compute resources, it also means developers turn their backs on the very people focused on keeping systems secure.

This is concerning when compounded with the potential security problems with rapidly generated code. How can the developers be expected to secure the servers, too?

The trouble with DevOps is that it trivialises the infrastructure component, assuming it is easily mastered. Nothing could be further from the truth.

The role of iterative development
While it sounds like a disaster waiting to happen, it doesn’t mean there is no place for iterative development practices. In fact, DevOps can and does deliver the benefits of accelerating software development and time to market.

What’s required is an unwavering focus on security as an integral part of the DevOps process. When software security is overarching, from initial concept to final deployment, risks can be managed without impeding development timelines.

This can be achieved through automation tools which remove the human component. By taking humans out of the process whenever possible, development time is reduced without sacrificing quality.

Government regulation
Presently, there are no regulations governing software quality.

Without regulations, consumers have no protection against flawed software products and services dependent on the code. If the pace of development continues to accelerate, software development companies must be compelled to take security seriously.

This is important when considering, for example, autonomous cars or connected medical devices. Security is paramount when people’s lives are at risk. This must be enforced by appropriate regulation and oversight.

Rather than focusing on ‘fast at any cost’, the wider implications attached to software need to be considered. By looking at the whole picture, developers can take advantage of DevOps, while actively managing the downsides of the approach.

ABOUT PHIL KERNICK//

Phil Kernick is the Chief Technology Officer and co-founder of CQR Consulting. Phil has dedicated the majority of his career to information security, with more than 25 years in the industry.

The post The downside of DevOps: faster isn’t always better appeared first on iStart keeping business informed on technology.

Phil Kernick – iStart keeping business informed on technology

Open banking: A solution looking for a problem to solve

The downside of DevOps: faster isn’t always better