michaelmagrath
Contributor

Open banking is coming to the U.S.: How secure will it be?

Opinion | Sep 21, 2018 | 6 mins
Topics: Data Privacy, Identity Management Solutions, Regulation

To protect customer data, open banking regulations in the U.S. must have teeth and enforcement.

[Image: FinTech abstract / virtual world of dollars, pounds, euros, bitcoins, etc. Credit: Metamorworks / Getty Images]

The open banking trend continues around the world, and most recently the U.S. has taken another step towards adopting the policy. On July 31, the U.S. Department of the Treasury published a detailed report, titled A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation, that will likely serve as the catalyst for open banking in the United States.

The Department of Treasury places the U.S. on a growing list of nations that are modernizing their financial systems, including the UK, the European Union, South Korea, Singapore, Australia, Canada, and Japan. Traditional banks are modernizing through open banking and digital transformation to acquire and retain customers and remain competitive.

What is open banking? 

As defined in Wikipedia, open banking includes the use of an open application programming interface (API) that enables third parties to develop and build applications and services around a financial institution. Open banking also provides account owners with additional financial transparency options, including open data and private data using open source technology.

Open banking promises to unlock innovation that will profoundly improve the banking experience and introduce new financial services. For example, third-party fintechs can provide applications that enable consumers to consult multiple bank accounts from a single application, or apps that make it easier for businesses to share data with their accountants.

Open banking and the identity ecosystem

Just hours after the Treasury published the report, the Office of the Comptroller of the Currency (OCC) announced that technology firms can apply for special-purpose fintech charters. The new entrants to the national banking system will be required by the OCC to follow the same standards governing all national banks. 

Open banking is coming to the U.S. It’s just a matter of when. 

Open banking is certainly more convenient for consumers and financial services firms, but it must be implemented securely. Echoing the Obama-era National Strategy for Trusted Identities in Cyberspace (NSTIC), the Treasury encourages financial institutions to “work on digital identity by enhancing public-private partnerships that facilitate the adoption of trustworthy digital legal identity products and services, and supporting efforts to fully implement the U.S. government federated digital identity system.” 

The NSTIC vision was to create an identity ecosystem that could secure electronic commerce and combat online identity theft. The ecosystem was to be led by the private sector with support and guidance from the National Institute of Standards and Technology (NIST). NSTIC gave birth to the Identity Ecosystem Steering Group (IDESG), which developed a very detailed framework for trusted identities. The framework and all assets of IDESG were recently merged into the Kantara Initiative. [For full disclosure, I am a Director of the IDESG, and I hope policy makers review the Framework as they shape open banking.]

Digital identity products in open banking

In their report, the Treasury adds:

“Digital identity products and services hold promise for improving the trustworthiness, security, privacy, and convenience of identifying individuals and entities, thereby strengthening the processes critical to the movement of funds, goods, and data as the global economy races deeper into the digital age. Digital identity systems also have the potential to generate cost savings and efficiencies for financial services firms. For instance, trustworthy digital identity systems could improve customer identification and verification for onboarding and authorizing account access, general risk management, and antifraud measures.” 

Digital onboarding is a foundational modernization component. The Treasury’s report and the OCC’s announcement follow the passage of the Economic Growth, Regulatory Relief, and Consumer Protection Act (a.k.a. the Dodd-Frank repeal). The lengthy law lightens regulations, including a provision that permits the scan of a driver’s license or personal identification card to open an account with a financial institution or to obtain a financial product or service from one. It also eliminates paper, permitting a bank to store or retain such information in any electronic format. [Disclosure: My employer, OneSpan, provides digital onboarding solutions.]

Following the OCC’s announcement, the American Bankers Association, the Independent Community Bankers of America, Credit Union National Association, and the National Association of Federal Credit Unions sent a letter to the U.S. House of Representatives Subcommittee on Digital Commerce and Consumer Protection. That letter included a statement that reads:

“Any legislation enacted into law must ensure that all entities that handle consumers’ sensitive financial data have in place a robust – yet flexible and scalable – process to protect data, which must be coupled with effective oversight and enforcement procedures to ensure accountability and compliance. This is an important step to limit the onslaught of breaches and reduce risks to consumers and the significant costs imposed on our members from breaches. This standard should apply to all entities that handle sensitive personal and financial data in order to provide meaningful and consistent protection for consumers nationwide.”

PSD2 and strong customer authentication

The EU’s revised Payment Services Directive (PSD2) includes Regulatory Technical Standards on strong customer authentication and secure communication. These are key to achieving PSD2’s objective of enhancing consumer protection, promoting innovation, and improving the security of payment services across the European Union. Fintechs, banks, and other financial services firms have spent considerable time, effort, and resources in preparing to comply with the strong customer authentication and secure communication requirements, which go into effect on September 14, 2019. 

These requirements, coupled with the modernization of the U.S. financial system through open banking, will enable fintechs, banks, and other financial services firms doing business in the U.S. to leverage some of the processes and technologies being deployed in Europe. This will expedite the Treasury’s vision. 

Echoing the aforementioned associations, it is imperative that consumers’ personally identifiable information, including financial data, be protected. Of course, saying it is one thing; implementing it is another.

The Treasury’s report notes that “trustworthy digital identity systems could improve customer identification and verification for onboarding and authorizing account access, general risk management, and antifraud measures.” As in the EU, open banking regulations in the U.S. must have teeth and enforcement. Personally, I would like to see the U.S. require all parties accessing this data to undergo an identity verification process and have their identity bound to a unique and trusted digital authenticator. That most assuredly does not mean authentication by usernames and passwords, but via multi-factor authentication. Applications and communications between devices and servers must run over secure channels. Failure to do so should subject parties to severe penalties.

As a consumer, I am looking forward to secure, open banking. Given the constant wave of cyber-attacks and breaches, I do hope policymakers peek across the pond and require strong customer authentication along the lines detailed in PSD2.


Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally.

He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA). He also served as a member of the Board of Directors of the Identity Ecosystem Steering Group (IDESG) and was Chair of the Health Information Management Systems Society (HIMSS) Identity Management Task Force.

Prior to OneSpan, he served as Director for Identity Solutions for DrFirst, a leading U.S. health IT solution provider, and focused on streamlining and securing the identity management process for healthcare providers nationwide and increasing the adoption of electronically prescribing controlled substances (EPCS).

Before DrFirst, Mike led Gemalto’s market and business development activities in the U.S. government and healthcare markets and was a contributing member of the Health Record Banking Alliance, WEDI, HIMSS, the Medical Identity Fraud Alliance and the Secure ID Coalition.

He served as Chairman of the Secure Technology Alliance’s (formerly the Smart Card Alliance) Health & Human Services Council from 2010 to 2014, where he led initiatives to stimulate the understanding, adoption, use and widespread application of smart card technology in healthcare. He served as an advisor to the American Medical Association supporting a Centers for Disease Control grant to develop and test the viability of a "Health Security Card" to identify and expeditiously treat victims in the event of a disaster.

Mike holds a Bachelor’s Degree in Psychology from the University of Massachusetts at Amherst. He is married with three children and resides in Northern Virginia.
