Latest news with #OpenBanking


Forbes
4 days ago
- Business
- Forbes
JP Morgan Charges Customers for Data Access
Two weeks ago news broke that JP Morgan Chase planned to begin charging third-parties fees to access customer data and Fintech Internet blew up. Immediate reactions ranged from 'Open Banking is Dead' to those championing the move as an inevitable one by banks who have invested millions in building the infrastructure needed to support open banking. Regardless of which end of the spectrum you sit on, the reality is this is not the first time JP Morgan has made bold moves. History shows us that those decisions have not always worked out as planned, but often are necessary to drive the market at Scale If you are a financial services nerd like me, chances are in October of 2015 you may have been at Money2020 in Las Vegas. In which case, you will most certainly remember the big splash JP Morgan made with the announcement of Chase Pay (they had cookies!) and Chase's plans to offer a bank digital wallet that would allow it to link Chase customers with Chase merchants. At the time the move was counter to the early industry momentum around other solutions such as Apple Pay and Google Pay and many saw it as a sign of a future where every bank had their own wallet. The thing is, that didn't work out. After several years of failed effort to push the Chase Pay wallet with customers, JP Morgan shut down the project and moved on. Undoubtedly, the bank learned a lot from the effort, and leveraged the technology and the business model with future merchant projects. However, just because the largest bank in the US announces, or even launches, something does not mean the rest of the industry will follow or that it is ultimately the model that will win.
When you are as large as JP Morgan you get to 'test' ideas and see how the industry Role of Akoya What was also surprising to some about the recent JP Morgan data announcement is that many thought the ability to control access to customer banks data was exactly why JP Morgan joined its peers in founding Akoya, 5 years ago. When I interviewed Akoya's then CEO, Stuart Rubinstein, in 2021 he stated Akoya was, 'meant to help banks, to help aggregators, and help fintechs to connect, and solve the many-to-many problem of negotiating individual bilateral agreements and individual connections, so that we can get everybody on a safe, secure, transparent way of sharing data through APIs'. If that is the future JP Morgan signed up for then they may have gotten tired of waiting for Akoya to make it a reality. Akoya is clearly still working toward their mission; however, it remains to be seen if they will serve a greater role in creating the monetization framework that banks need to follow JP Morgan's lead, or if they are purely solving the technical connection Believe Everything You Read After working in the banking and payments world for the last 20 years, I've seen a lot of headlines along the way that were a bit…thin. A large tech player launches a new 'game changing' product that will completely rewrite the rules of money movement, or a bank announces a 'revolutionary' new credit product that customers have been craving for years. Rarely does the ultimate product live up to the initial headlines, and sometimes it never makes it to market at all. That is the first thing to keep in mind with the JP Morgan announcement. The media is here to tell a story and many times large organizations use the media to do just that. Often that story is to test an idea with the market or regulators, sometimes it is to get ahead of the impending reaction from customers or partners. 
Regardless of the exact reason, it's always important to realize that articles with quotes are not 'leaks' and are planted announcements. The question you need to ask is why is JP Morgan signaling this to the market?

Value Attribution

My theory would be that this announcement was released to allow JP Morgan to draw a line in the sand and say that the burden of cost for serving up customer data needs to shift to where the value is created or monetized. A notion I find hard to argue with. Yodlee, Plaid, MX, and others have built entire businesses on top of leveraging the data the banks provide. Even the large core providers charge banks to access their own data via APIs. The prices being quoted, the timing of implementation, or even the parties that it would apply to are likely all speculation because the reality is those details will be very nuanced, if they even go to market in that shape. Floating a pricing model allows JP Morgan to have leverage with partners and place value on their efforts to make customer data available in a secure way. There is also no doubt that the timing of this announcement is directly aligned with the political climate and the current questions around Rule 1033 and the CFPB as a whole. If there ever was a time for a bank to suggest they are going to directly or indirectly add cost to the end consumer, it's now. The thing is, political leaders come and go, and the regulatory environment often changes with them. It could be that JP Morgan feels it is important to try and set a precedent while the environment is more bank friendly so that there is a position to negotiate back from should the environment change. The line has been Forward A bank the size of JP Morgan is understandably going to make headlines with nearly every move it makes. My eye will be on what other banks do now that JP Morgan has broken the seal on participating directly in the monetization of customer data.
My theory is that JP Morgan, and others like it, will continue to offer data directly to consumers through its own channels and key partners. Meanwhile, it will look to participate in the economics of any other 3rd party monetizing its customer data through fees. Several large banks will likely follow suit, while smaller banks may need to leverage Akoya or their core provider to aggregate access. For the aggregators, it may be time to firm up those corporate partnerships.

Finextra
15-07-2025
- Business
- Finextra
How Open Banking helps with Account Takeover Fraud Prevention: By Andrew Bonsall
While Open Banking transactions remain significantly less prone to fraud than other payment types, financial crime, particularly Authorised Push Payment (APP) fraud, is still a major concern across the ecosystem. In fact, Cifas' latest Fraudscape report shows a 76% surge in ATO cases, with more than 74,000 filed in 2024 alone. The spike in unauthorised facility upgrades and SIM swaps shows how quickly criminals bypass controls and take over accounts at scale. While telecoms and online retail saw the sharpest rises, the same tactics like remote access tools, spoofed identities, and phishing are being used across financial services. Traditional fraud models aren't built to pick up on these behaviours in time to prevent loss. To stay ahead, firms need to understand what's happening inside the account as it happens. That means access to live transaction patterns, not historical snapshots. This is where Open Banking data makes the difference.

Missed signals behind 2024's fraud spike

Cifas' recent Fraudscape 2025 report recorded a record 421,000 fraud cases in 2024, a 13% increase on the previous year, driven primarily by a 5% rise in identity fraud and a huge 76% jump in account takeover attempts. In particular, SIM swap fraud exploded by 1,055%, with nearly 3,000 cases impacting airtime accounts. This sharp rise in account takeover fraud reflects the key changes in how these attacks are being carried out. But while tactics have matured, controls haven't. Many fraud models are still rooted in historical data and binary triggers: a flagged device, an unexpected login, or a change to contact details. But criminals are no longer working outside the lines. They're copying genuine user behaviour, using compromised credentials, and blending in with normal activity until it's too late. Traditional fraud controls struggle because they lack three things: timing, context, and behavioural insight. That's what allows high-risk activity to slip through unnoticed.

What's being missed:

- Subtle changes in usage, like increased account access at unusual hours, or from slightly different locations (just enough to bypass geo-tracking but still signal a change).
- Micro-withdrawals or test payments that precede larger unauthorised transactions, missed due to fixed rule thresholds.
- SIM swap attempts or new device registrations that are flagged after the fact.
- Dormant account reactivation, which can look like a returning customer but is the start of staged fraud.

What's changed in fraud risk:

- Illegal 'fraud-as-a-service' tools are lowering the barrier to entry. Even novice actors now have access to professional-grade scripts, phishing kits, and remote desktop tools.
- AI-enhanced social engineering is making impersonation more persuasive (Cifas notes a surge in spoofed voices being used to bypass phone-based verification).
- Scam infrastructure is industrialised, with organised groups running operations at the scale of legitimate businesses, complete with tech support, operating hours, and incentive schemes.

Without real-time signals, many of these behaviours appear low risk until money moves or a customer reports an issue. By then, recovery is expensive, trust is eroded, and the window for effective response has closed. This is where Open Banking data comes into play. By analysing live transaction flows, spending patterns, and account behaviours, fraud teams can:

✅ Detect anomalies based on actual customer behaviour.
✅ Build contextual risk profiles that adjust dynamically over time.
✅ Act faster on the first signs of high-risk activity, before the funds are gone.

In short, it's the difference between observing a breach after it happens and spotting the warning signs in motion.

What Open Banking data reveals

Account takeovers don't always start with a bang. In many cases, they build slowly: a password phished weeks earlier, followed by low-level testing to see what goes unnoticed. By the time money is moved or a handset is upgraded, the groundwork has already been done. What's often missing in traditional controls is the ability to see this build-up. Open Banking data changes that. It offers a continuous feed of transactional and behavioural insight that helps identify when something isn't right, long before a formal red flag is raised.

Key early indicators that Open Banking data can reveal:

🚩 Unusual transaction patterns: e.g. out-of-character spending categories, new merchants, or transfers to unfamiliar accounts.
🚩 Test transactions: small-value payments used to check account access or set up mule pathways.
🚩 Sudden changes in regular income or spending flow: particularly where income disappears but spending continues at a similar rate.
🚩 Withdrawals or payments from dormant or low-activity accounts: a frequent hallmark of takeover attempts.
🚩 Clustering of failed transactions or reversed payments: indicative of probing activity, often missed by legacy systems.

These are rarely visible through traditional credit data or one-off fraud triggers. But they stand out clearly when you're analysing how an account is being managed day to day. And for fraud teams under pressure to act earlier and with greater precision, this level of visibility is essential.

The cost of inaction

Account takeover fraud prevention measures need to be implemented quickly. Every missed signal adds cost. And not just financial: the operational burden of remediation, the regulatory scrutiny that comes with customer harm, and the long-term reputational damage, particularly to those vulnerable customers.

What firms are facing:

- Escalating financial exposure as takeovers lead to unauthorised credit, cash withdrawals, or third-party losses.
- Increased servicing costs, with resource-heavy case reviews, complaints handling, and reimbursement processes.
- Compliance risk, especially when vulnerable customers are affected and Consumer Duty expectations aren't met.
- Erosion of trust, both from customers and partners, as fraud events become more visible and reputationally damaging.

What's more, with regulatory focus on vulnerability and outcome-based compliance continuing to rise, account takeover fraud also brings a heightened risk of non-compliance with Consumer Duty, SMCR obligations, and complaint-handling requirements. Detection capabilities must now be auditable, explainable, and built for live environments. The Cifas data reinforces this. In 2024, individuals aged 61+ were among the most common victims of account takeover. The same year, the UK public lost £11.4 billion to scams, most of which were never reported. The bottom line: Preventing fraud protects customers, maintains confidence and demonstrates that risk frameworks stand up to scrutiny.

Main takeaway: When fraud moves fast, your data has to move faster

The sharp rise in account takeovers is unlikely to be a temporary spike. As criminals become more coordinated and tactics more advanced, the ability to detect risk in real-time becomes essential. Open Banking data is already playing a central role: giving fraud teams the visibility to see what's happening inside the account before the warning signs become losses.
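Three of the indicators listed above (a test payment followed by a large one, dormant-account reactivation, and clustered failed payments) can be expressed as stateful rules over a transaction feed. The sketch below is an added example, not code from the article or from any vendor; the feed layout, account names and every threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; a real deployment tunes these per portfolio.
TEST_MAX = 2.00                      # "test" payment ceiling (GBP)
LARGE_MIN = 500.00                   # follow-up payment considered large (GBP)
TEST_WINDOW = timedelta(hours=48)    # test payment -> large payment window
DORMANT_GAP = timedelta(days=180)    # inactivity that counts as dormant
FAIL_CLUSTER = 3                     # this many failed payments ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this window

def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample feed: (timestamp, account, payee, amount_gbp, status)
FEED = [
    (t("2024-06-01 12:00"), "acct-C", "landlord", 700.00, "ok"),
    (t("2025-01-02 09:00"), "acct-A", "grocer", 40.00, "ok"),
    (t("2025-01-03 09:00"), "acct-B", "utility", 60.00, "ok"),
    (t("2025-01-09 09:00"), "acct-A", "grocer", 42.50, "ok"),
    (t("2025-03-01 10:00"), "acct-B", "payee-x", 1.00, "ok"),
    (t("2025-03-01 18:00"), "acct-B", "payee-x", 900.00, "ok"),
    (t("2025-03-02 03:10"), "acct-C", "atm", 300.00, "ok"),
    (t("2025-03-03 09:00"), "acct-D", "payee-y", 250.00, "failed"),
    (t("2025-03-03 09:02"), "acct-D", "payee-y", 200.00, "failed"),
    (t("2025-03-03 09:05"), "acct-D", "payee-z", 150.00, "failed"),
]

def detect(feed):
    """Return (account, indicator, timestamp) alerts in time order."""
    alerts = []
    last_seen = {}                    # account -> time of previous transaction
    known_payees = defaultdict(set)   # account -> payees already paid
    first_small = {}                  # (account, payee) -> time of small first payment
    failures = defaultdict(list)      # account -> recent failure timestamps
    for ts, acct, payee, amount, status in sorted(feed):
        # Dormant reactivation: long silence before this transaction.
        prev = last_seen.get(acct)
        if prev is not None and ts - prev >= DORMANT_GAP:
            alerts.append((acct, "dormant_reactivation", ts))
        last_seen[acct] = ts

        # Failed-payment clustering: alert once when the cluster size is reached.
        if status == "failed":
            recent = [f for f in failures[acct] if ts - f <= FAIL_WINDOW] + [ts]
            failures[acct] = recent
            if len(recent) == FAIL_CLUSTER:
                alerts.append((acct, "failed_cluster", ts))
            continue

        # Test payment to a new payee, then a large payment to the same payee.
        key = (acct, payee)
        if payee not in known_payees[acct]:
            known_payees[acct].add(payee)
            if amount <= TEST_MAX:
                first_small[key] = ts
        elif (key in first_small and amount >= LARGE_MIN
              and ts - first_small[key] <= TEST_WINDOW):
            alerts.append((acct, "test_then_large", ts))
            del first_small[key]
    return alerts

if __name__ == "__main__":
    for acct, kind, ts in detect(FEED):
        print(ts, acct, kind)
```

Every payee looks new when the detector starts cold, so in practice `known_payees` and `last_seen` would be preloaded from account history before live scoring begins.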


CNBC
14-07-2025
- Business
- CNBC
Block leads rebound in fintech stocks as analysts downplay JPMorgan data fee risk
Block jumped more than 5% on Monday, leading a rally in shares of fintech companies as analysts downplayed the threat of JPMorgan Chase's reported plan to charge data aggregators for access to customer financial information. The recovery followed steep declines on Friday, after Bloomberg reported that JPMorgan had circulated pricing sheets outlining potential fees for aggregators like Plaid and Yodlee, which connect fintech platforms to users' bank data. In a note to clients on Monday, Evercore ISI analysts said the potential new expenses were "far from a 'business model-breaking' cost increase." In addition to Block's rise, PayPal climbed 3.5% on Monday after sliding Friday. Robinhood and Shift4 recorded modest gains. Broader market momentum helped fuel some of the rebound. The Nasdaq closed at a record, and crypto rallied, with bitcoin climbing past $123,000. Ether, solana, and other altcoins also gained. Evercore ISI's analysts said that even if JPMorgan's changes were implemented, the most immediate effect would be a slight bump in the cost of one-time account setups — perhaps 50 to 60 cents. Morgan Stanley echoed that view, writing that any impact would be "negligible," especially for large fintechs that rely more on debit, credit, or stored balances than bank account pulls for transactions. PayPal doesn't anticipate much short-term impact, according to a person with knowledge of the issue. The person, who asked not to be named in order to speak about private financial matters, noted that PayPal relies on aggregators primarily for account verification and already has long-term pricing contracts in place. While smaller fintechs that depend heavily on automated clearing house (ACH) rails or Open Banking frameworks for onboarding and compliance may face real pressure if the fees take effect, analysts said the larger platforms are largely insulated.


Zawya
08-07-2025
- Business
- Zawya
Bank Nizwa unlocks new horizons for fintech with Sharia-compliant open banking services
Muscat: In a move that underscores its growing leadership in Sharia-compliant digital banking solutions, Bank Nizwa — the leading and most trusted Islamic bank in the Sultanate of Oman — has introduced a Sharia-compliant Open Banking solution for fintech partners. This initiative aligns with the Central Bank of Oman's (CBO) vision to foster innovation in the financial sector and accelerate digitalization in banking to strengthen the nation's digital financial ecosystem. The solution empowers fintechs and partners to design innovative financial solutions within a framework that upholds the highest standards of regulatory integrity and full compliance with Islamic Sharia principles. Commenting on this, Mr. Khaled Al Kayed, Chief Executive Officer of Bank Nizwa, stated, 'At Bank Nizwa, we see Open Banking as a powerful enabler – one that allows us to push the boundaries of what Islamic banking can offer in today's fast-moving digital landscape. This initiative reflects our commitment to shaping a future where Sharia-compliant finance converges with cutting-edge digital capabilities, offering our partners and customers unprecedented access to smarter, more personalized financial solutions. It is a continuation of our efforts to make banking more connected, more intuitive, and deeply aligned with the evolving needs of those we serve.' The Open Banking solution has been thoughtfully designed to create value for all stakeholders across the financial ecosystem, delivering enhanced functionality while remaining firmly grounded in the principles of Islamic finance. Built on a secure API framework, it enables authorized third parties to access account data and banking services through customer-approved permissions, ensuring transparency, data protection, and regulatory alignment. 
This architecture allows financial institutions and developers to connect with Bank Nizwa's core systems in real time, accelerating the development of next-generation digital offerings and expanding the reach of Sharia-compliant financial innovation. For Fintechs, it provides a robust and scalable foundation to bring Sharia-compliant solutions to market with greater speed and efficiency. Customers, in turn, benefit from a more intelligent and advanced banking experience, with services that are increasingly customized, responsive, and easy to access. The solutions strengthen the broader financial landscape and support the evolution of more inclusive, tech-driven banking services. As Open Banking continues to reshape the financial landscape, Bank Nizwa remains focused on ensuring that the principles of Islamic finance evolve in tandem with these advancements. By championing technologies that foster transparency, adaptability, and greater financial participation, the bank is helping shape a digitally mature ecosystem that is responsive to both present-day needs and future opportunities. This latest initiative reflects Bank Nizwa's long-term approach where strategic investments in innovation are matched by a deep commitment to purpose-driven growth and lasting impact.


Techday NZ
03-07-2025
- Business
- Techday NZ
Most fintechs fail API security, risking sensitive payment data
New research conducted by Raidiam highlights significant weaknesses in API security across fintech companies, SaaS platforms, payments firms, and other enterprises operating outside regulated environments such as Open Banking. The report, which assessed security practices at 68 organisations, reveals that 84% remain vulnerable due to insufficient API protections, even when dealing with sensitive or high-value data.

Widespread vulnerabilities

The research indicates that 85% of the surveyed organisations handle either payment data or special category personal data, yet only one met the benchmark for modern, cryptographic API protection. The study found that outdated or insufficient controls—such as the use of static API keys and basic OAuth secrets—prevail among most firms, leaving them open to exploitation.

"We've all read the recent headlines; API security should not be an afterthought. The gap between the sensitivity of data and the strength of controls is a board-level risk – not just a technical issue," said David Oppenheim, Head of Enterprise Strategy at Raidiam.

Of the organisations surveyed, 57 out of 68 use bare API keys or basic OAuth credentials, mechanisms that have well-known security vulnerabilities. Less than half conduct regular API-specific penetration testing or runtime anomaly monitoring, measures deemed essential for identifying and addressing potential attack vectors in real time.

Real-world consequences

The report points to the 2023 Dell partner API breach as evidence that attackers are already actively exploiting these weak points in enterprise systems. These incidents underscore a growing risk for any entity exposing sensitive APIs without robust protective measures in place. According to the report, a Security vs Sensitivity Matrix mapping exercise revealed a severe misalignment between the sensitivity of the data held and the strength of security controls implemented. This mismatch increases the likelihood and potential impact of security incidents.

"We found that even firms handling payment and personal data still rely on static API keys and basic secrets. In today's threat landscape, that's the digital equivalent of leaving the vault door open," Oppenheim added. "In regulated environments like Open Banking, stronger controls like mutual TLS and certificate-bound tokens are already standard. Outside those frameworks, there's a gaping hole."

API risk in unregulated environments is becoming a prominent concern in the industry. In early 2025, the Chief Information Security Officer at JPMorgan Chase issued a public warning about rising vulnerabilities linked to third-party platforms, advocating for a shift towards prioritising security over rapid development. Gartner statistics cited in the report indicate that API breaches tend to leak 10 times more data than traditional attacks. The report states, "This isn't theoretical — attackers are already in."

Recommendations for addressing risk

The report provides a four-step action plan for organisations seeking to bridge the gap between data sensitivity and protection. It recommends elevating API security to a board-level priority, modernising controls through cryptographic methods such as mutual TLS (mTLS) and sender-constrained access tokens, increasing investment in developer awareness and security testing, and working with trusted partners to accelerate adoption of proven standards and infrastructure. Raidiam's expertise in secure digital data-sharing ecosystems is currently being made available to assist enterprise organisations in bringing API security standards up to date and closing the gaps identified by this research.
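The contrast the article draws between static API keys and certificate-bound tokens comes down to one check on the resource server: a token is honoured only when the client certificate seen on the mTLS connection hashes to the `x5t#S256` value in the token's `cnf` claim (RFC 8705). The sketch below is an added example, not code from Raidiam or the report; the HMAC-signed token format, the signing key and the byte strings standing in for DER certificates are assumptions made so that it runs offline.

```python
import base64
import hashlib
import hmac
import json

AS_KEY = b"constructed-demo-signing-key"        # stand-in for the authorisation server key
STATIC_KEY = "constructed-static-api-key"       # stand-in for a bare API key
# Constructed placeholders for DER-encoded client certificates. On a real server the
# bytes come from the TLS layer, e.g. ssl.SSLSocket.getpeercert(binary_form=True).
CLIENT_CERT = b"constructed DER bytes: enrolled client"
OTHER_CERT = b"constructed DER bytes: some other client"

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def thumbprint(cert_der: bytes) -> str:
    """RFC 8705 x5t#S256: base64url of the SHA-256 hash of the DER certificate."""
    return b64u(hashlib.sha256(cert_der).digest())

def sign(body: str) -> str:
    return b64u(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(subject: str, cert_der: bytes) -> str:
    """Authorisation server: bind the token to the certificate used at issuance."""
    claims = {"sub": subject, "cnf": {"x5t#S256": thumbprint(cert_der)}}
    body = b64u(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{sign(body)}"

def accept_bound_token(token: str, presented_cert_der: bytes) -> bool:
    """Resource server: valid signature AND presented certificate matches cnf."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False
    if not hmac.compare_digest(sig.encode(), sign(body).encode()):
        return False
    claims = json.loads(b64u_decode(body))
    bound = claims.get("cnf", {}).get("x5t#S256", "")
    return hmac.compare_digest(bound.encode(), thumbprint(presented_cert_der).encode())

def accept_api_key(presented_key: str) -> bool:
    """Static key: a bearer secret, so the caller's identity is never checked."""
    return hmac.compare_digest(presented_key.encode(), STATIC_KEY.encode())

if __name__ == "__main__":
    token = issue_token("client-a", CLIENT_CERT)
    print("bound token, enrolled cert:", accept_bound_token(token, CLIENT_CERT))
    print("bound token, other cert:   ", accept_bound_token(token, OTHER_CERT))
    print("static key, any caller:    ", accept_api_key(STATIC_KEY))
```

A copied token is rejected on any connection that does not present the enrolled certificate, while the static key is accepted from whoever holds the string.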