Open source payments and banking
platforms are gaining in popularity – offering flexible and
cost-effective solutions to banks looking to keep up with
technological development. But what is the impact of these open
source platforms on security, asks Christine Toner?
With new regulation ushering in the need for
greater transparency and efficiency, most financial institutions
have recognized that an overhaul, or at least significant
development, of their IT infrastructure is due.
A key driver in this is the desire expressed
by bank customers to have easier and more efficient access to their
bank accounts. After several years of bad press and, in some cases,
bad behaviour, confidence in the banking sector is at an all-time
low. If banks want to go some way to restore that confidence they
need to work to meet public demand for better services.
Mobile banking apps are starting to become
more prolific: according to a survey by YouGov and app specialist
Antenna, 25% of mobile phone users in the UK now use banking apps
on their phones.
Vendors and developers of the IT platforms at
the heart of these apps are therefore in high demand. And as the
technology develops faster, banks are requiring increasing
As reported in Electronic Payments
International’s sister title Retail Banker International
(RBI), software developer Backbase recently created an app store
for banks with access to pre-built functionalities.
Jouk Pleiter, CEO of the
Netherlands-headquartered vendor, told RBI that the app
store’s main benefit to banks is the enhanced – and faster –
marketing opportunity, because banks will not need to develop apps
“Banks can choose from a selection of
pre-built functional components which they can then configure and
integrate with their own portal,” he explains.
Of course the idea of banks developing their
own apps raises some security concerns.
Sam Madison-Jammal is managing director for
the international division of vendor Open Solutions.
“The challenge has always been how one can
deliver a banking solution for core banking, payments and
commercial and provide the customer with the ability to develop
additional functionality (local requirements, bank specific, etc)
while ensuring code integrity, security, compatibility with future
releases and consistency,” he says.
In order to look at the issue of security, and
whether this can indeed be achieved, one needs to clearly define
what we mean by open source. There has been some debate amongst
industry players over its definition.
Maria Nottingham, global marketing director at
technology provider Compass, says it is not uncommon among industry
players to offer the source code to their customers or partners, so
there are “a few open-source systems” out there. But a lot of
players have a different slant on the definition of an open source
“You can have publicly available source code
for anyone to use for free or at a nominal price, you can have
source code that is only available under strict license agreements
and is non-transferable, then there is also the question of how
much of the code is available, but so long as some elements of the
code are available the system can be classed as open source,” she
Nottingham says the growth of “true” open
source platforms is occurring primarily in new payment channels and
in innovative and other up-and-coming areas of payments and
banking. It can also be seen in markets where financial service
organisations are facing a large number of uncertainties,
continuously changing business requirements, challenging
implementation timelines for new products, stringent new payment
legislation and increasing competition.
And when it comes to security, Nottingham says
“closed” software is considered mainly as a disadvantage rather
than a benefit because open source software offers an opportunity
for experts to see first-hand the security features of the
“All modern cryptographic algorithms (DES,
RSA, AES, SHA) are open,” she adds. “Their integrity has been
analysed by security experts from all over the world many times
over and this guarantees the security of their usage.”
Many experts believe software of a closed
nature offers marginally higher protection against security breaches
but does not allow for independent and impartial analysis, and there
are a few well-publicised examples in which proprietary algorithms
were too weak and the systems were hacked.
Nottingham says that, with regard to shifting the
responsibility to banks, this depends on the vendor. She says any
reputable vendor will take responsibility for the security aspect
of their platform, be it closed or open source.
“We guarantee the security of all mission
critical components of our platform,” she says. “It also contains
all of the required tools and services to allow our customer or
partner to, in turn, develop safe and secure banking solutions,”
“As a vendor we do not completely step away as
soon as the development tools and code are passed over to the
customer and believe that consultation and auditing the
customer/partner-developed systems is important,” she says.
“But the vendor can only go this far, as no
one will take the responsibility for something that was developed
by someone else.”
Open Solutions applies the same approach.
Madison-Jammal says in addition to the tools his firm has developed
(including DNACreator, CMC and SQR), it has established a
validation process that ensures that functionality developed by
clients complies with a number of rules, after which, a lender must
The message is clear then – banks are driving
the development of more flexible, more innovation-friendly
platforms, but they cannot have their cake and eat it. With that
flexibility comes an increase in responsibility when it comes to
developing and building on those platforms.