For thirty years, banking cybersecurity worked like a medieval castle. Build the walls high. Control the gates. Decide who gets in. The data sat inside; the threats sat outside; the perimeter was the thing you defended. It was a simple model, and it was already breaking down before PSD2 went live. Open Banking just made the breakage impossible to ignore.
The moment a bank exposes a customer-permissioned API to a third party, the castle metaphor is dead. The walls have doors that the bank doesn't control. Customer data flows to apps the bank has never heard of. The threat surface isn't a perimeter any more; it's a network of dependencies that includes startups the bank cannot audit, cloud providers it doesn't operate, and end users on devices it has no visibility into. Every API call is a potential point of compromise, and every third-party provider in the chain is, by definition, part of the bank's own attack surface.
Most institutions responded to PSD2 the way large organisations usually respond to regulatory change. They built the APIs because they had to, bolted on consent flows and rate limits, and called it secure. What few of them did was rebuild the underlying assumptions. The result is a strange hybrid: an open API estate sitting on top of a closed-perimeter security posture, with the gap between the two papered over by compliance documentation. It works in steady state. It does not work when something goes wrong.
And things will go wrong. The attackers have already noticed that the weakest link in an Open Banking ecosystem is rarely the bank itself. It's the smallest, most under-resourced TPP with the broadest permission scope. Credential stuffing, token replay, OAuth misconfiguration, social engineering of consent flows. These are not theoretical risks. They are the early signals of what the next five years of financial cybercrime are going to look like.
The shift required is not technical. The technology exists, and most of it is well understood. The shift is conceptual. Identity becomes the perimeter, not the network. Every request gets verified, every time, regardless of where it originates. Permissions are continuous and contextual, not granted-once. Behavioural analytics replace IP whitelists. Risk scoring runs on every transaction, not just the suspicious ones. The phrase being used for this in security circles is zero trust, and while the term is becoming a marketing cliché, the principle behind it is exactly what Open Banking demands.
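The zero-trust shape this paragraph describes is easiest to see next to the perimeter model it replaces. The following is an added example, not code from the article or from any bank or Open Banking standard: the consent record, the one-time token identifier, the risk weights and the step-up threshold are all assumptions chosen to illustrate per-request verification of identity, consent scope and context, rather than a one-off network check.

```python
"""Added example (not any bank's code): perimeter check vs. per-request
zero-trust check for an Open Banking style API. Data shapes are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Consent:
    """Customer-granted permission held by the bank (assumed shape)."""
    tpp_id: str
    customer_id: str
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False


@dataclass
class ApiRequest:
    """One inbound call from a third-party provider (assumed shape)."""
    tpp_id: str
    customer_id: str
    token_id: str           # unique per token, like a JWT 'jti' claim
    scope: str              # permission this call needs
    source_ip: str
    device_fingerprint: str
    amount: float = 0.0     # non-zero for payment initiation


@dataclass
class Decision:
    allowed: bool
    reason: str
    risk: int


def perimeter_check(req: ApiRequest, ip_allowlist: set) -> Decision:
    """The castle model: trust decided once, by network location only."""
    if req.source_ip in ip_allowlist:
        return Decision(True, "ip_allowlisted", 0)
    return Decision(False, "ip_not_allowlisted", 0)


def risk_score(req: ApiRequest, known_devices: set, now: datetime) -> int:
    """Contextual score for this one request. Weights are illustrative."""
    score = 0
    if req.device_fingerprint not in known_devices:
        score += 40                      # first sight of this device
    if req.amount > 1000:
        score += 30                      # high-value payment
    if req.scope == "payments":
        score += 10                      # write access outranks read access
    if now.hour < 6:
        score += 20                      # unusual hour
    return score


STEP_UP_THRESHOLD = 60   # assumed: at or above this, demand fresh customer authentication


def zero_trust_check(req, consents, seen_tokens, known_devices, now) -> Decision:
    """Verify identity, consent, scope and context on every request.

    consents:    dict keyed by (tpp_id, customer_id)
    seen_tokens: set of token ids already accepted; detects replay, grows on success
    """
    if req.token_id in seen_tokens:
        return Decision(False, "token_replay", 100)
    consent = consents.get((req.tpp_id, req.customer_id))
    if consent is None or consent.revoked:
        return Decision(False, "no_active_consent", 100)
    if consent.expires_at <= now:
        return Decision(False, "consent_expired", 100)
    if req.scope not in consent.scopes:
        return Decision(False, "scope_not_granted", 100)
    score = risk_score(req, known_devices, now)
    if score >= STEP_UP_THRESHOLD:
        return Decision(False, "step_up_required", score)
    seen_tokens.add(req.token_id)
    return Decision(True, "verified", score)


def run_demo() -> dict:
    """Constructed scenario: one customer, three TPPs, several request patterns."""
    now = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    consents = {
        ("tpp-a", "cust-1"): Consent("tpp-a", "cust-1", frozenset({"accounts"}), now + timedelta(days=30)),
        ("tpp-b", "cust-1"): Consent("tpp-b", "cust-1", frozenset({"accounts", "payments"}), now + timedelta(days=30)),
        ("tpp-c", "cust-1"): Consent("tpp-c", "cust-1", frozenset({"accounts"}), now + timedelta(days=30), revoked=True),
    }
    known_devices, seen_tokens, ip = {"dev-1"}, set(), "203.0.113.5"
    ok = ApiRequest("tpp-a", "cust-1", "tok-1", "accounts", ip, "dev-1")
    results = {"valid": zero_trust_check(ok, consents, seen_tokens, known_devices, now)}
    results["replay"] = zero_trust_check(ok, consents, seen_tokens, known_devices, now)
    results["wrong_scope"] = zero_trust_check(
        ApiRequest("tpp-a", "cust-1", "tok-2", "payments", ip, "dev-1", 50.0),
        consents, seen_tokens, known_devices, now)
    results["expired"] = zero_trust_check(
        ApiRequest("tpp-a", "cust-1", "tok-3", "accounts", ip, "dev-1"),
        consents, seen_tokens, known_devices, now + timedelta(days=31))
    results["step_up"] = zero_trust_check(
        ApiRequest("tpp-b", "cust-1", "tok-4", "payments", ip, "dev-9", 5000.0),
        consents, seen_tokens, known_devices, now)
    revoked = ApiRequest("tpp-c", "cust-1", "tok-5", "accounts", ip, "dev-1")
    results["perimeter_revoked"] = perimeter_check(revoked, {ip})
    results["zero_trust_revoked"] = zero_trust_check(revoked, consents, seen_tokens, known_devices, now)
    return results


if __name__ == "__main__":
    for name, d in run_demo().items():
        print(f"{name:20s} allowed={d.allowed!s:5s} reason={d.reason} risk={d.risk}")
```

The last two entries make the article's point concrete: the perimeter check waves the revoked TPP through because its address is on the list, while the per-request check refuses it because consent, not location, is what it verifies.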
There is also a governance problem hiding inside the technical one. When a customer authorises a third party to access their account data, who is accountable when something goes wrong? The bank that designed the API? The TPP that held the data? The aggregator in the middle? The regulator that licensed the chain? Open Banking has multiplied the number of parties with skin in the game without clarifying the rules of liability between them. The cybersecurity model will eventually have to follow the regulatory one, and right now neither is fully mature.
The institutions that take this seriously now will look prescient in three years. The ones that don't will look exactly like the institutions that ignored cloud security in 2014. The story is rarely different.