The security issues of two major initiatives presented by the Central Bank that will change the face of the financial system are still being defined: open banking and instant payment, scheduled to start operating in November. Leandro Vilain, business and operations director at Febraban, explains that open banking will give the customer autonomy in the use of their bank details, facilitating sharing with other institutions.
Carlos Eduardo Brandt, deputy head of the competition and financial market structure department at the Central Bank, says that instant payment will make financial transactions easier and cheaper, with electronic transfers in real time 24 hours a day, seven days a week, all year round. The BC began designing it in 2018 and discussed it with the market in 2019. In February, the BC announced the PIX brand.
“In the instant payment, the BC was disclosing technical specifications for consultation with the market even before the regulation was released. In open banking, the BC discussed the regulatory issues a lot and all the technical deepening is still being developed by the market, under the supervision of the monetary authority”, says Adriano Volpini, director of corporate security at Itaú Unibanco.
The public consultation on open banking was opened on 28 November 2019 and ended on 31 January. According to João André Pereira, head of the BC's financial system regulation department, more than 400 contributions are being analyzed, many related to security. The final rule will be announced by the end of May, and up to 360 days later, there will be implementation in three stages.
"The market will have to structure a convention, defining the operational elements of governance, standardization of APIs, security and cost sharing", says Pereira.
Caio Fernandes, deputy head of the BC's information technology department, observes that the risks involving data leakage arise from the second phase, when registration and account data will be shared. After the implementation of open banking, the entire financial market will operate on a standardized technological model. To this end, a working group coordinated by the BC was created, made up of six representatives of the entities of the financial system: Febraban, Abecs, ABBC, OCB, ABCD, Abipag, Abranet, CâmaraNet and ABFintech.
“Open banking will allow apps to work more efficiently, without having to access internet banking”, explains Diego Perez, executive director of the Brazilian Association of Fintechs (ABFintech).
Caio Fernandes says that, for instant payment, the BC drew on the experience of the Brazilian Payment System (SPB) and TED, and on features such as encryption, double authentication and an anti-scan solution, to prevent robots from testing random numbers until they gain access to users' data, as in Australia's payment system.
A critical point is liability in the event of a leak. Pereira explains that strict liability is already provided for in consumer relations, establishing that, in principle, everyone is responsible unless they prove otherwise. The concept was confirmed in the General Personal Data Protection Act (LGPD).
“There will be a large flow of information between people, with a risk of leakage and misuse of information. It will take discipline and each agent will be responsible for their participation in the process. The customer can start the transaction at the bank, and it can be attacked at another link in the chain”, warns Volpini, from Itaú Unibanco.
Vilain, from Febraban, points out that data sharing requires user consent at both institutions: the donor and the recipient. They must use the data for the specific purpose accepted by the customer. "The new processes in this ecosystem can be one of the biggest risks of fraud, since there will be several portals where the user can start the data sharing process", warns Vilain.
For fintechs, the opportunities are endless. Ralf Germer, CEO of PagBrasil, says that open banking will allow the company to access information to analyze credit risk for retailers. Bankly, Access's banking-as-a-service solution, already provides APIs for partners. "To avoid leaks and fraud, we use the model that the BC has already defined for three authentication factors," says Marilyn Hahn, president of Bankly.
Loise Nascimento, legal and regulatory manager at MovilePay, the MovilePay Group's payment fintech, says the solution already allows payment by QR Code, through the iFood app. "In the future, open banking can be used to offer credit," he concludes.