FIs Face New Liabilities From CFPB's Rule on Open Banking
Datos Insights' John Horn on How Open Banking Enhances Consumer Control Over Data
The Consumer Financial Protection Bureau's open banking ruling shifts liability burdens onto banks, amplifying their responsibilities for securing data shared with third-party fintechs. John Horn, director of cybersecurity practice at Datos Insights, explained how this leaves banks accountable for breaches that originate from third parties.
"CFPB seems to have hamstrung the banks in terms of what they can do in demanding accountability from third-party fintechs, while the documentation requirements on banks are far more extensive," Horn said.
Critics argue the ruling falls short by not mandating the transition from outdated screen-scraping methods to secure APIs, which leaves gaps in fraud prevention and consumer data protection, he said.
"When financial institutions get their API security solutions in order, the API security channel is much stronger. If you put API security, passkeys and phishing-resistant multifactor authentication together, these are significant defense mechanisms against risks of screen scraping," he said.
He added that Europe's open banking model sets a stronger precedent with prescriptive, date-driven regulations, whereas North America lags behind in adopting robust security frameworks.
In this video interview with Information Security Media Group, Horn also discussed:
- How open banking enhances consumer control over financial data;
- Where banks are likely to invest in 2025;
- The re-emergence of customer identity and access management and why that is important.
Horn leads the cybersecurity practice at Datos Insights, which provides valuable cybersecurity and identity research, insights and advisory services to financial services firms. He functions as a distinguished industry expert and critical thinker within the rapidly evolving domains of identity, cybersecurity and risk.