Background: Open banking (OB) is rapidly transforming financial ecosystems by enabling controlled data sharing among multiple actors through application programming interfaces (APIs). While this transformation promises innovation and competition, it also introduces complex security challenges that extend beyond purely technical considerations. Despite growing attention in academic and professional domains, existing reviews provide limited integration of security concerns with global adoption patterns and cross-regional variation.
Methods: This systematic review analyses empirical and conceptual research on security in OB published between 1999 and 2025, capturing early digital banking studies that later informed the development of OB. The literature is structured into three distinct phases: foundational digital banking developments, regulatory formalisation of OB frameworks, and post-implementation expansion of OB ecosystems. A comprehensive search was conducted across major academic databases and scholarly portals, complemented by relevant regulatory and policy sources. Following duplicate removal, title and abstract screening, full-text eligibility assessment, and methodological quality appraisal, 117 studies were retained for qualitative synthesis.
Results: The findings reveal recurring security challenges arising from the interaction between technological infrastructures, regulatory frameworks, and user behaviour within OB ecosystems. Technical safeguards such as APIs, strong customer authentication, and encryption are necessary but insufficient when they are misaligned with regulatory implementation and user behaviour. Behavioural factors, including trust, consent understanding, and security-related decision-making, play a central role in shaping ecosystem resilience. Based on this synthesis, the study develops a tri-dimensional security framework integrating technological, regulatory, and behavioural dimensions.
The bibliometric analysis of 117 studies reveals that technological security dominates the literature (58%), followed by regulatory governance (44%) and behavioural dimensions (42%). However, only 17.9% of studies integrate all three dimensions simultaneously. APIs and authentication mechanisms represent the most frequent technological terms, while PSD2 and GDPR dominate regulatory discourse. Trust and decision-making are the most recurrent behavioural constructs. The relatively low proportion of fully integrated studies confirms a structural fragmentation within OB security research, thereby empirically justifying the proposed tri-dimensional framework. Chronologically, early studies (1999–2015) predominantly focused on technical security mechanisms and regulatory compliance, whereas more recent research (2020–2025) increasingly highlights the interplay between regulatory frameworks and user behaviour, suggesting a shift towards a more holistic understanding of security within OB adoption.
Conclusions: This systematic review concludes that integrating technological, regulatory, and behavioural perspectives advances a more comprehensive understanding of security in OB ecosystems. The proposed tri-dimensional security framework provides a structured foundation for future research and supports policy-relevant and practice-oriented security design.
Colette Wilson
Carlos Tam
Universidade Nova de Lisboa
Wilson et al. studied this question.
www.synapsesocial.com/papers/69fa989404f884e66b53250c — DOI: https://doi.org/10.3390/fintech5020038