Open banking regulation in North America: A guide

By allowing consumers to securely share their financial information with trusted third-party providers like personal finance apps, open banking unlocks the trifecta of positive customer experience: greater convenience, more financial insights, and hyper-personalized services that improve how consumers move, manage, and make money.

In the era of instant gratification, consumers expect better experiences everywhere, and financial services are no exception. Personalized, instant, and more secure experiences are at the core of consumer expectations for a financial services provider. Open data sharing is, quite simply, the future of financial services — a fact supported by accelerating regulatory standards across the globe. North America is no exception: the U.S. and Canada could finalize new regulations as early as this year.

Yet some financial services providers have opted to lag behind, allowing fintechs and neobanks to forge the bleeding edge of open banking—and soon, the open finance revolution. Financial service providers that neglect to incorporate open data sharing into their offerings risk obsolescence at a time when consumers have made clear their willingness to jump ship.

The time to embrace open banking is now — and Identity technology is ready to support widespread adoption.

Consumer demand for open banking is clear

For those asking, “What’s the rush?” here’s your answer: Open banking has already arrived. 

Whether they know it or not, most American consumers already use open banking as part of their daily lives. According to Visa, 87% of US consumers in 2023 reported having connected a bank account to a third party to access a financial service, and a growing number (34%) know what open banking is and how it can help streamline their financial lives (Visa, 2023).

In response, the banking industry has already begun transitioning to a distribution model built on open banking’s core API structure. Banks and other financial services providers are not in a position to “wait and see.” Acting on this new dimension of financial services within the next few years should be a core priority for any provider looking to build loyalty into the DNA of their customer relationships.

Regulators are stepping in, formalizing the shift

Open Banking standards vary from region to region. In Europe, for example, the Payment Services Directive 2 (PSD2) requires banks to develop APIs that facilitate the secure sharing of customer data while ensuring that customers have a high degree of control over what data they share with third parties (European Commission, 2023). In the United Kingdom, the UK Open Banking Standard accomplishes something similar by driving secure data sharing and consumer privacy through a clear regulatory framework (UK Competition and Markets Authority, 2020).

North America has taken a different approach, but that’s starting to change. Historically, the United States and Canada have relied on the Financial Data Exchange, an independent nonprofit organization, to lead a market-driven approach.

What is the Financial Data Exchange?

The Financial Data Exchange (FDX) aims to unify the financial industry around a common, interoperable, and royalty-free standard for the secure access of user-permissioned financial data, known as the FDX API. With its clear mission and collaborative approach, FDX is a key player in driving open banking adoption. Working with 200+ financial institutions and FinTechs, it delivers standards that will make consumers’ access to financial data secure and reliable (FDX, 2024).

Without a formal regulatory push, most North American banks have yet to deliver truly secure open banking to their customers via secure financial APIs. Although it’s not widely known, many open banking services employ screen scraping, a risky technique vulnerable to breaches, to access financial data. 

Here’s how screen scraping works: The consumer hands their bank login credentials to the third party, which then uses bots to log in as the consumer and “scrape” their financial data. Because the third party now holds the consumer’s actual credentials, it has full access to the account, well beyond the specific data the consumer wanted to share, which raises serious privacy and security concerns.

In other words, open banking has already arrived in North America, even if a standardized open banking security protocol hasn’t. Without secure open APIs, third parties often try to meet market demand with risky, archaic methods that fall short of modern security standards.

Regulators understand the risks inherent to this unregulated open banking landscape and are taking appropriate action to protect the privacy and security of consumer financial data. The United States and Canada are preparing to enforce stricter regulations for North American financial service providers who’ve been holding off on delivering secure financial APIs for financial data sharing.

BOTTOM LINE:

Financial service providers that deploy their open banking solutions through Financial Grade Identity™ controls for security and privacy are poised to achieve three big wins in one fell swoop.

  1. They’ll drive business growth through intuitive, convenient, and personalized open banking services that meet accelerating consumer demand.
  2. They’ll mitigate the risk of lost or compromised consumer data by moving away from insecure screen-scraping methods and toward secure APIs.
  3. They’ll more readily keep up with compliance as the regulatory environment surrounding open banking continues taking shape.

Compliance or competitive edge? Why not both?

With its proposed rulemaking, the Consumer Financial Protection Bureau (CFPB) in the United States is poised to empower consumer access to modern open banking services while strengthening the safety of sensitive information.

A CLOSER LOOK:

In October 2023, the CFPB announced a proposed rulemaking for open banking designed to implement Section 1033 of the Dodd-Frank Act — Consumer Access to Financial Records. It will require data sharing to be done through API calls instead of less secure methods like screen scraping (CFPB, 2023). 

On June 5, 2024, the CFPB released its final rule on how covered entities can meet minimum compliance regarding open banking. The CFPB aims to publish the final rule in the Federal Register by the end of 2024, with the first tier of large banks and other covered entities having to comply within one year, and smaller entities needing to comply at a later date (CFPB, 2024). In Canada, open banking regulation is also on its way, which will establish what they’ve branded as “consumer-driven banking.” 

Regulators in the US and Canada are laying the groundwork for a regulatory-driven open banking market. This represents a stark shift from the predominantly market-driven North American approach to date, which has been marked by very real security vulnerabilities. Financial services companies who fail to prepare themselves for this change risk incurring serious regulatory (and reputational) damage.

Financial institutions that proactively integrate new practices will go beyond complying with the potential regulations. They’ll strategically position themselves as leaders in customer-centric services and data security. Here’s how.

  1. Goodbye junk fees, hello free access to financial data

The CFPB’s ruling will require depository and non-depository institutions to share consumer financial account and transaction data with consumers and trusted third parties free of charge, with requirements for how this data is shared with third parties in a “safe, secure, and reliable” way (CFPB, 2023).

  2. Legal rights to share financial data

The ruling would also allow consumers to conveniently access third-party products and services, such as personal finance apps, debt management services, affordability checks, and buy now, pay later options — all in one place (CFPB, 2023).

  3. Easy bank switching

If consumers want to move their finances from one provider to another for better pricing, products, and services, the CFPB’s ruling puts the choice more conveniently in consumers’ hands (CFPB, 2023).

  4. Elevated protections for financial data sharing

Companies must abide by certain rules and conditions, including limiting their use of consumer data to provide only the individual's requested product or service and nothing more (CFPB, 2023).

  5. The right to revoke access

Companies will have to immediately stop data access once the consumer requests it and, by default, delete the data. Additionally, consumers will need to reauthorize data access annually or it will be terminated (CFPB, 2023).

  6. No more screen scraping

By moving the industry towards secure financial API data sharing, the ruling intends to reduce screen scraping and all its associated risks (CFPB, 2023).

  7. Security-backed innovation

Rather than prescribing technical requirements that slow innovation, the CFPB’s ruling will let banks and other covered entities implement industry standards developed by the private sector (CFPB, 2023).
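As an added example that is not part of the original post and is not Okta’s or the CFPB’s code, the following constructed Python model enforces the conditions described under “Elevated protections for financial data sharing” and “The right to revoke access” above: data used only for the consumer’s requested product, immediate termination with default deletion on revocation, and expiry after one year unless reauthorized. The 365-day period, the field names and the sample bank data are assumptions.

```python
# Constructed model of a data grant enforcing the text's conditions: use limited to the
# requested product, stop plus default deletion on revocation, annual reauthorization.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REAUTH_PERIOD = timedelta(days=365)  # assumption: "annually" modelled as 365 days

class AccessDenied(Exception):
    """Raised whenever a data request falls outside the consumer's grant."""

@dataclass
class DataGrant:
    purpose: str              # the one product/service the consumer asked for
    scopes: frozenset         # data categories needed for that purpose only
    authorized_at: datetime   # time of the last consumer (re)authorization
    revoked: bool = False
    retained: dict = field(default_factory=dict)  # data the third party still holds

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.authorized_at + REAUTH_PERIOD

    def fetch(self, scope: str, purpose: str, now: datetime, source: dict):
        """Release one data category, and only for the granted purpose and scope."""
        if not self.is_active(now):
            raise AccessDenied("grant revoked or expired; consumer must reauthorize")
        if purpose != self.purpose:
            raise AccessDenied(f"data may only be used for '{self.purpose}'")
        if scope not in self.scopes:
            raise AccessDenied(f"'{scope}' was not permissioned by the consumer")
        self.retained[scope] = source[scope]
        return self.retained[scope]

    def reauthorize(self, now: datetime) -> None:
        if self.revoked:  # a revoked grant needs fresh consent, not a renewal
            raise AccessDenied("revoked grants cannot be renewed")
        self.authorized_at = now

    def revoke(self) -> None:
        """Consumer-initiated: stop access at once and delete retained data by default."""
        self.revoked = True
        self.retained.clear()

# Constructed sample bank data and helpers so the grant can be exercised stand-alone.
T0 = datetime(2024, 6, 5, tzinfo=timezone.utc)
BANK = {"balances": {"chk": 120.5}, "transactions": [-9.99], "ssn": "constructed"}
def day(n: int) -> datetime:  # n days after the consumer's initial authorization
    return T0 + timedelta(days=n)

def budgeting_grant() -> DataGrant:  # consumer permissions two categories for budgeting
    return DataGrant("budgeting", frozenset({"balances", "transactions"}), T0)
```

A request for a category the consumer never permissioned, a use outside the stated purpose, or a call after the year has lapsed is refused before any data leaves the source, and revocation empties whatever the third party had retained.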

Navigating open banking with Okta 

As financial service providers launch and manage their open banking initiatives, robust security measures that go beyond the login process are critical. Without them, you’re building a house without a foundation. That’s where Okta steps in.

  1. Grow your business

Okta supports the efficient, effective, and more secure delivery of the open banking services your customers are looking for, helping your business meet its growth targets and keep up with consumer demand.

  2. Protection you can count on

Built on financial industry standards, our Highly Regulated Identity solution suite delivers robust authentication and authorization methods that safeguard data comprehensively.

  3. Get to market faster

Okta helps maximize your agility with our pro, low, and no-code solutions and API-first architecture. That means you can roll out new integrations and improve customer experiences quickly and at scale.

  4. Keep better pace with compliance

Our certified FAPI 1 Advanced security profile implementation lays the groundwork for solutions that meet open banking requirements. This allows financial institutions like yours to navigate the ever-increasing complexity of regulatory compliance confidently.

  5. Accelerate adoption

Our unified Identity platform integrates with your risk engine, streamlining the user experience so you can send enriched transaction approval requests only when necessary. This drives user adoption and keeps the process intuitive and efficient.

To learn more about Okta Highly Regulated Identity for open banking transactions and other sensitive scenarios, check out the datasheet. 

The future of banking is already here. Are you ready?

We’re not alarmists. We’re realists. The truth is that open banking is already a key area of focus for consumers and regulators alike. The window of opportunity is closing, and financial service providers that continue putting off adopting open banking services do so at their own peril.

The choice is clear: Don’t wait and get outpaced by a crowded market. Don’t allow your institution to get boxed into costly, reactive changes that leave everyone dissatisfied. Set yourself apart with streamlined, Financial Grade Identity™ security and privacy controls that help you drive compliance and customer loyalty.

Looking for more information on making the open banking leap? Connect with our team to get started.

These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.