• United States




Open banking is coming to the U.S.: How secure will it be?

Sep 21, 20186 mins
Data PrivacyIdentity Management SolutionsRegulation

To protect customer data, open banking regulations in the U.S. must have teeth and enforcement.

FinTech abstract / virtual world of dollars, pounds, euros, bitcoins, etc.
Credit: Metamorworks / Getty Images

The open banking trend continues around the world, and most recently, the U.S. has taken another step towards adopting the policy. On July 31, the U.S. Department of Treasury published a detailed, titled A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation that will likely serve as the catalyst for open banking in the United States.   

The Department of Treasury places the U.S. on a growing list of nations that are modernizing their financial systems, including the UK, the European Union, South Korea, Singapore, Australia, Canada, and Japan. Traditional banks are modernizing through open banking and digital transformation to acquire and retain customers and remain competitive.

What is open banking? 

As defined in Wikipedia, open banking includes the use of an open application programming interface (API) that enables third parties to develop and build applications and services around a financial institution. Open banking also provides account owners with additional financial transparency options, including open data and private data using open source technology.

Open banking promises to unlock innovation that will profoundly improve the banking experience and introduce new financial services. For example, third-party fintechs can provide applications that enable consumers to consult multiple bank accounts from a single application, or apps that make it easier for businesses to share data with their accountants.

Open banking and the identity ecosystem

Just hours after the Treasury published the report, the Office of the Comptroller of the Currency (OCC) announced that technology firms can apply for special-purpose fintech charters. The new entrants to the national banking system will be required by the OCC to follow the same standards governing all national banks. 

Open banking is coming to the U.S. It’s just a matter of when. 

Open banking is certainly more convenient for consumers and financial services firms, but it must be implemented securely. Echoing the Obama-era National Strategy for Trusted Identities in Cyberspace (NSTIC), the Treasury encourages financial institutions to “work on digital identity by enhancing public-private partnerships that facilitate the adoption of trustworthy digital legal identity products and services, and supporting efforts to fully implement the U.S. government federated digital identity system.” 

The NSTIC vision was to create an identity ecosystem that could secure electronic commerce and combat online identity theft. The ecosystem was to be led by the private sector with support and guidance from the National Institute of Standards and Technology (NIST). NSTIC gave birth to the Identity Ecosystem Steering Group (IDESG) which developed a very detailed framework for trusted identities. The framework and all assets of IDESG were recently merged into the Kantara Initiative.  [For full disclosure, I am a Director of the IDESG, and I hope policy makers review the Framework as they shape open banking.]

Digital identity products in open banking

In their report, the Treasury adds:

“Digital identity products and services hold promise for improving the trustworthiness, security, privacy, and convenience of identifying individuals and entities, thereby strengthening the processes critical to the movement of funds, goods, and data as the global economy races deeper into the digital age. Digital identity systems also have the potential to generate cost savings and efficiencies for financial services firms. For instance, trustworthy digital identity systems could improve customer identification and verification for onboarding and authorizing account access, general risk management, and antifraud measures.” 

Digital onboarding is a foundational modernization component. The Treasury’s report and OCC’s announcement follow the passage of the Economic Growth, Regulatory Relief, and Consumer Protections Act(a.k.a. the Dodd Frank repeal). The lengthy law lightens regulations including a provision to permit the scan of a driver’s license or personal identification card to open an account with a financial institution or obtain a financial product or service from a financial institution. It also eliminates paper and permits a bank to store or retain such information in any electronic format.  [Disclosure: My employer, OneSpan, provides digital onboarding solutions.]

Following the OCC’s announcement, the American Bankers Association, the Independent Community Bankers of America, Credit Union National Association, and the National Association of Federal Credit Unions sent a letter to the U.S. House of Representatives Subcommittee on Digital Commerce and Consumer Protection. That letter included a statement that reads:

“Any legislation enacted into law must ensure that all entities that handle consumers’ sensitive financial data have in place a robust – yet flexible and scalable – process to protect data, which must be coupled with effective oversight and enforcement procedures to ensure accountability and compliance. This is an important step to limit the onslaught of breaches and reduce risks to consumers and the significant costs imposed on our members from breaches. This standard should apply to all entities that handle sensitive personal and financial data in order to provide meaningful and consistent protection for consumers nationwide.”

PSD2 and strong customer authentication

The EU’s revised Payment Services Directive (PSD2) includes Regulatory Technical Standards on strong customer authentication and secure communication. These are key to achieving PSD2’s objective of enhancing consumer protection, promoting innovation, and improving the security of payment services across the European Union. Fintechs, banks, and other financial services firms have spent considerable time, effort, and resources in preparing to comply with the strong customer authentication and secure communication requirements, which go into effect on September 14, 2019. 

These requirements, coupled with the modernization of the U.S. financial system through open banking, will enable fintechs, banks, and other financial services firms doing business in the U.S. to leverage some of the processes and technologies being deployed in Europe. This will expedite the Treasury’s vision. 

Echoing the aforementioned associations, it is imperative that consumers’ personally identifiable information, including financial data, be protected. Of course, saying it is one thing; implementing it is another.

The Treasury’s report notes that “trustworthy digital identity systems could improve customer identification and verification for onboarding and authorizing account access, general risk management, and antifraud measures.”  Like in the EU, open banking regulations in the U.S. must have teeth and enforcement. Personally, I would like to see the U.S. require all parties accessing this data undergo an identity verification process and have their identity bound to a unique and trusted digital authenticator. That most assuredly does not mean authentication by usernames and passwords, but via multi-factor authentication. Applications and communications between devices and servers must be through secure channels. Failure to do so should subject parties to severe penalties.

As a consumer, I am looking forward to secure, open banking. Given the constant wave of cyber-attacks and breaches, I do hope policymakers peek across the pond and require strong customer authentication along the lines detailed in PSD2.


Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally.

He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA). He also served as a member of the Board of Directors for the Identity Ecosystem Steering Group’s (IDESG) and was Chair of the Health Information Management Systems Society (HIMSS) Identity Management Task Force.

Prior to OneSpan, he served as Director for Identity Solutions for DrFirst, a leading U.S. health IT solution provider, and focused on streamlining and securing the identity management process for healthcare providers nationwide and increasing the adoption of electronically prescribing controlled substances (EPCS).

Before DrFirst, Mike lead Gemalto’s market and business development activities in the U.S. government and healthcare markets and was a contributing member of the Health Record Banking Alliance, WEDI, HIMSS, the Medical Identity Fraud Alliance and the Secure ID Coalition.

He served as Chairman of the Secure Technology Alliance’s (formerly the Smart Card Alliance) Health & Human Services Council from 2010-2014 where he led initiatives to stimulate the understanding, adoption, use and widespread application of smart card technology in healthcare. He served as an advisor to the American Medical Association supporting a Center for Disease Control grant to develop and test the viability of a "Health Security Card" to identify and expeditiously treat victims in the event of a disaster.

Mike holds a Bachelor’s Degree in Psychology from the University of Massachusetts at Amherst. He is married with three children and resides in Northern Virginia.

More from this author