Understanding where Open Banking is most exposed
Nearly half of financial institutions—46%, according to a 2024 PYMNTS study—believe that the risks of Open Banking outweigh the benefits, largely due to concerns around fraud. That level of concern reflects the reality security teams are facing on the ground.
The move to Open Banking has shifted the perimeter. In the past, user authentication and fraud detection could live inside a single bank-owned app. Now, data flows across third-party apps, aggregators, and embedded finance platforms—many of which introduce new risk. Open Banking API call volumes are projected to surge 427% to 720 billion globally by 2025, dramatically expanding the attack surface. Meanwhile, nearly 60% of banks, fintechs, and credit unions experienced more than $500,000 in fraud losses last year, with a quarter reporting losses over $1 million.
Credential stuffing and account takeover
Credential stuffing is a persistent and damaging threat. Attackers test leaked usernames and passwords against login endpoints in bulk, hoping to hijack real accounts. It’s a low-cost, high-yield tactic, and Open Banking increases its potential surface: not only bank portals but budgeting apps, neobanks, and payment interfaces can all be targeted. A successful login often means access to linked accounts, stored payment credentials, and sensitive financial data.
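One way to spot the pattern described above in authentication logs, as an added example that is not part of the original article: flag any source that tries many distinct usernames with mostly failed logins inside a short window, pooled across every app that shares the log feed. The event format, app names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

APPS = ["bank-portal", "budget-app", "neobank"]  # hypothetical app names

# Constructed sample events (not real logs):
# (epoch_seconds, source_ip, app, username, login_succeeded)
SAMPLE_EVENTS = (
    # One source cycling through 12 usernames across three apps; one guess works.
    [(1000 + 5 * i, "203.0.113.7", APPS[i % 3], f"user{i:02d}", i == 8)
     for i in range(12)]
    # A customer mistyping a password twice, then logging in.
    + [(1010, "198.51.100.20", "bank-portal", "alice", False),
       (1020, "198.51.100.20", "bank-portal", "alice", False),
       (1030, "198.51.100.20", "bank-portal", "alice", True)]
    # A shared office NAT: several users, all successful.
    + [(1100 + i, "192.0.2.50", "budget-app", f"staff{i}", True) for i in range(4)]
)


def detect_stuffing(events, window=300, min_users=10, min_fail_ratio=0.8):
    """Flag sources that try many distinct usernames, mostly unsuccessfully,
    within a sliding window of `window` seconds."""
    recent = defaultdict(deque)  # source_ip -> events still inside the window
    alerts = {}
    for ts, ip, app, user, ok in sorted(events):
        q = recent[ip]
        q.append((ts, app, user, ok))
        while q and q[0][0] < ts - window:  # drop events older than the window
            q.popleft()
        users = {u for _, _, u, _ in q}
        fails = sum(1 for *_, o in q if not o)
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            alerts[ip] = {
                "distinct_users": len(users),
                # Which apps the source touched: the cross-app view matters
                # when one credential list is replayed against several services.
                "apps": sorted({a for _, a, _, _ in q}),
                # Accounts that logged in from a flagged source need a
                # forced reset or step-up check.
                "compromised": sorted(u for _, _, u, o in q if o),
            }
    return alerts


if __name__ == "__main__":
    for ip, detail in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, detail)
```

Counting distinct usernames rather than raw failures keeps the mistyping customer and the shared office NAT out of the alert set, while the `compromised` list identifies the accounts that need attention first.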
Fake account creation and synthetic identities
Fraudsters are also taking advantage of rapid onboarding workflows by creating fake or synthetic accounts at scale. These accounts are used to exploit promotions, funnel stolen funds, or establish a foothold for more complex fraud schemes. In an ecosystem that relies on trust and real-time decision-making, that’s a serious problem.
API abuse and scraping
Even when authentication flows are solid, the APIs behind them can become a liability. High-volume scraping, logic abuse, and application-layer DDoS attacks can all disrupt services or expose data. Aggregators, often connecting to multiple banks and fintechs, represent a uniquely attractive target: a compromise in one can cascade across many institutions.